Improper handling of /tmp symlinks.
Monday, August 26, 1996 The Litterbox Sean B. Hamor <firstname.lastname@example.org> TIN Note: I'm not sure whether or not information this has been previously released. I found this earlier this evening while poking around, and apologize if I've just found an old bug. I verified the existence of this bug in TIN 1.2PL2 UNIX. Synopsis: A problem exists in TIN where the .tin_log file in /tmp/ is created mode 666. Although this file is usually created the first time a user runs TIN and doesn't get deleted, a problem develops if root or the owner of that file deletes it while cleaning up /tmp/. If /tmp/.tin_log is deleted, a symbolic link may now be put in its place and be used to create/modify/delete files the victim has write access to. Exploit: hamors (3 21:00) litterbox:/tmp> ln -s ~root/.rhosts /tmp/.tin_log Verification: This vulnerability has been tested on Linux Slackware 3.0 (1.2.13) with TIN 1.2PL2. EOF