Date: Thu, 23 Nov 2000 21:59:17 -0500 (EST) From: Trevor Johnson <trevor@jpj.net> To: security@freebsd.org Cc: toasty@dragondata.com Subject: Joe's Own Editor File Link Vulnerability (fwd) Message-ID: <Pine.BSI.4.21.0011232145390.2220-100000@blues.jpj.net>
next in thread | raw e-mail | index | archive | help
I've gotten no response to the appended message. I installed joe from the current ports collection, a few minutes ago, and was able to confirm the bug. The Linux people (Red Hat, Immunix, Mandrake, and Debian) have released patched versions, but I haven't looked at their patches. Would it be all right if I marked the port forbidden (mentioning http://www.securityfocus.com/archive/1/145305), until the maintainer becomes available? -- Trevor Johnson http://jpj.net/~trevor/gpgkey.txt ---------- Forwarded message ---------- Date: Thu, 16 Nov 2000 23:57:07 -0500 (EST) From: Trevor Johnson <trevor@jpj.net> To: toasty@dragondata.com Subject: Joe's Own Editor File Link Vulnerability (fwd) ---------- Forwarded message ---------- Date: Thu, 16 Nov 2000 09:27:13 +0100 From: advisories@WKIT.COM To: BUGTRAQ@SECURITYFOCUS.COM Subject: Joe's Own Editor File Link Vulnerability -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 TITLE: Joe's Own Editor File Link Vulnerability ADVISORY ID: WSIR-00/11-01 CONTACT: Patrik Birgersson, Wkit Security AB CLASS: File Handling Error OBJECT: joe(1) (exec) VENDOR: Josef H. Allen STATUS: Vendor not reachable REMOTE: No LOCAL: Yes DATE: 13/11/2000 VULNERABLE: Joe's Own Editor 2.8 Other versions/configurations not tested VULNERABILITY DESCRIPTION If a joe session with an unsaved file terminates abnormally, joe creates a rescue copy of the file being edited called DEADJOE. The creation of this rescue copy is made without checking if the file is a link. If it is a link, joe will append the information in the unsaved file to the file that is being linked to DEADJOE, resulting in a corrupted file. CONDITIONS 1. The malicious user must have write permissions in the directory where the file is being edited, in order to create a link 2. The 'victim user' must have write permissions for the 'victim file' 3. The 'victim user' joe session must terminate abnormally 4. The file being edited must not have been saved VULNERABILITY EXAMPLE - - Root is logged in remote - - Malicious user (X) notices that root is editing file.txt in /tmp (where X has write permissions) - - X creates a link from /etc/passwd (root = write permission) to /tmp/DEADJOE - - Root's connection is dropped or terminated under abnormal conditions (for example: root halts the system) before file.txt is saved, the editor will write a rescue copy to /tmp/DEADJOE - - The editor won't check if /tmp/DEADJOE is a link, and appends the content of file.txt to /etc/passwd SOLUTION/VENDOR INFORMATION/WORKAROUND No information available. CREDITS This vulnerability was discovered and documented by Christer Öberg and Patrik Birgersson of Wkit Security AB, Håverud, Sweden. Other advisories from Wkit Security AB can be obtained from: http://www.wkit.com/advisories/ DISCLAMER The contents of this advisory is copyright (c) 2000 Wkit Security AB and may be distributed freely, provided that no fee is charged and proper credit is given. Wkit Security AB takes no credit for this discovery if someone else has published this information in the public domain before this advisory was released. The information herein is intended for educational purposes, not for malicious use. Wkit Security AB takes no responsibility whatsoever for the use of this information. ABOUT THE COMPANY Wkit Security AB is an independent data security company working with security-related services and products. Wkit Security AB plays a leading role in the development of security thinking, regarding internal and external data communication at companies and other organizations that store sensitive information. The company consists of two divisions: a service division, performing security analysis and security reviews, and a product division. We work together with strategic partners to bring programs and services into the market. Our services and products are continuously developed to optimally follow the world demand for IT security. 30 DAY DISCLOSURE Whenever Wkit Security AB finds any security related flaws in operating system, or application, we will provide the vendor responsible for the product with a detailed Incident Report. We believe that 30 days is appropriate for the vendor to fix the problem before we publish the incident report on our own web page and other mailing lists/websites we find suitable for the majority of the worldwide users. If the vendor has a reasonable cause why they can't fix the problem in 30 days we can, after discussion, agree on a longer disclosure time. ACKNOWLEDGEMENTS Wkit Security AB's highest priority is for the public security, and will never release Incidents Reports without informing the vendor and give them reasonable (30 day) time to fix the problem. In general, Wkit Security AB follows the guidelines for reporting security breaches we found on the vendors homepage or similar. We urge vendors that in the same way we follow their guidelines, that the vendor informs us about the solution; if possible, 2 days before the fix/solution will be presented for the majority. This gives us the chance to prepare our web page to inform about the Incident and to present a solution in the way the vendor suggest at the time when it is present for the majority. CONTACT Wkit Security AB should be contacted through advisories@wkit.com if no other agreement has been done. Every incident report is assigned a report number WSIR-xx/xx-xx (Wkit Security AB Incident Report) and one responsible contact person from Wkit Security. When communicating with Wkit Security AB in the matter of the Incident Reports, be sure to add the WSIR number in the email to avoid any problems. *************************************************************************** Wkit Security AB Upperudsvägen 4 S-464 72 Håverud SWEDEN http://www.wkit.com e-mail: advisories@wkit.com *************************************************************************** -----BEGIN PGP SIGNATURE----- Version: PGP 7.0 iQA/AwUBOhJlSW7fLJob6xkXEQJgpACfSP5fzZWft5antg+DdXMdYcAOVSQAoKN/ lhge4y3XCAroyWUA004N/acM =LYU/ -----END PGP SIGNATURE----- To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?Pine.BSI.4.21.0011232145390.2220-100000>