Improper handling of /tmp symlinks.
Monday, August 26, 1996
The Litterbox
Sean B. Hamor <hamors@litterbox.org>
TIN
Note:
I'm not sure whether or not information this has been previously released.
I found this earlier this evening while poking around, and apologize if
I've just found an old bug.
I verified the existence of this bug in TIN 1.2PL2 UNIX.
Synopsis:
A problem exists in TIN where the .tin_log file in /tmp/ is created mode
666. Although this file is usually created the first time a user runs TIN
and doesn't get deleted, a problem develops if root or the owner of that
file deletes it while cleaning up /tmp/.
If /tmp/.tin_log is deleted, a symbolic link may now be put in its place
and be used to create/modify/delete files the victim has write access to.
Exploit:
hamors (3 21:00) litterbox:/tmp> ln -s ~root/.rhosts /tmp/.tin_log
Verification:
This vulnerability has been tested on Linux Slackware 3.0 (1.2.13) with
TIN 1.2PL2.
EOF