Vulnerability

    pico

Affected

    pico 3.7

Description

    Following is based on a Wkit Security Advisory WSIR-00/11-02 by Christer Oberg and Patrik Birgersson. Upon abnormal exit, the text editor saves any changes made to the file being edited into a new file in the current working directory named filename.save (where filename corresponds to the name of the file being edited, e.g. test.txt will be saved as test.txt.save). When saving this file, the text editor does not check the file type. A user editing a file in a directory writable by others could have other files written to if a malicious user symbolically links the filename.save file to a file to which the user has owner or group write access. This would result in the contents of the pico session being written to the symbolically linked file.

    Conditions:

    1. The malicious user must have write permissions in the directory where the file is being edited, in order to create a link.
    2. The 'victim user' must have write permissions for the 'victim file'.
    3. The 'victim user' pico session must terminate abnormally.
    4. The file being edited must not have been saved.

    Vulnerability example:

    * Root is logged in remotely
    * Malicious user (foo) notices that root is editing file.txt in /tmp (where foo has write permissions)
    * foo creates a link from /etc/passwd (root = write permission) to /tmp/filename.save
    * Root's connection is dropped or terminated under abnormal conditions (for example: root halts the system) before file.txt is saved, and the editor writes a rescue copy to /tmp/filename.save
    * The editor won't check whether /tmp/filename.save is a link, and overwrites /etc/passwd with the content of file.txt.

Solution

    No information available.
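The missing file-type check described above can be closed at the point where the rescue copy is opened. The following is an added example, not pico source and not part of the advisory; write_rescue_copy and demo_symlink_refused are hypothetical names, and the paths under /tmp are constructed test data.

```c
#ifndef _POSIX_C_SOURCE
#define _POSIX_C_SOURCE 200809L   /* O_NOFOLLOW, mkdtemp */
#endif
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>

/* Hypothetical helper: write a rescue copy without following a planted link.
 * With O_CREAT|O_EXCL, open() fails with EEXIST if the name exists in any
 * form, symlinks included; O_NOFOLLOW is kept as defence in depth. */
int write_rescue_copy(const char *path, const char *buf, size_t len)
{
    int fd = open(path, O_WRONLY | O_CREAT | O_EXCL | O_NOFOLLOW, 0600);
    if (fd < 0) return -1;
    while (len > 0) {
        ssize_t n = write(fd, buf, len);
        if (n < 0 && errno == EINTR) continue;
        if (n < 0) { close(fd); unlink(path); return -1; }
        buf += n; len -= (size_t)n;
    }
    return close(fd);
}

/* Constructed scenario in a private temp dir: file.txt.save links to "victim".
 * Returns 1 if the write is refused, victim is intact, and a clean retry works. */
int demo_symlink_refused(void)
{
    char dir[] = "/tmp/rescue-demo-XXXXXX", victim[64], save[64], got[16] = {0};
    if (!mkdtemp(dir)) return -1;
    snprintf(victim, sizeof victim, "%s/victim", dir);
    snprintf(save, sizeof save, "%s/file.txt.save", dir);
    FILE *f = fopen(victim, "w");
    if (!f) return -1;
    fputs("original", f); fclose(f);
    if (symlink(victim, save) != 0) return -1;
    int refused = write_rescue_copy(save, "editor buffer", 13) == -1 && errno == EEXIST;
    f = fopen(victim, "r");
    if (!f || fread(got, 1, sizeof got - 1, f) == 0) return -1;
    fclose(f);
    unlink(save);                      /* remove the planted link */
    int created = write_rescue_copy(save, "editor buffer", 13) == 0;
    unlink(save); unlink(victim); rmdir(dir);
    return refused && created && strcmp(got, "original") == 0;
}
```

When the open is refused, an editor can fall back to a freshly created, unpredictable name (for example via mkstemp) in a directory only the user can write to.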