Symlink Vulnerability in TIN

Improper handling of /tmp symlinks.

                                                       Monday, August 26, 1996
                                                                 The Litterbox
                                          Sean B. Hamor <[email protected]>
                                                                           TIN

Note:

  I'm not sure whether or not information this has been previously released.
  I found this earlier this evening while poking around, and apologize if
  I've just found an old bug.

  I verified the existence of this bug in TIN 1.2PL2 UNIX.


Synopsis:

  A problem exists in TIN where the .tin_log file in /tmp/ is created mode
  666.  Although this file is usually created the first time a user runs TIN
  and doesn't get deleted, a problem develops if root or the owner of that
  file deletes it while cleaning up /tmp/.

  If /tmp/.tin_log is deleted, a symbolic link may now be put in its place
  and be used to create/modify/delete files the victim has write access to.

Exploit:

  hamors (3 21:00) litterbox:/tmp> ln -s ~root/.rhosts /tmp/.tin_log

Verification:

  This vulnerability has been tested on Linux Slackware 3.0 (1.2.13) with
  TIN 1.2PL2.

EOF

Leave a Reply

This site uses Akismet to reduce spam. Learn how your comment data is processed.