This is the mail archive of the cygwin-xfree@cygwin.com mailing list for the Cygwin XFree86 project.



Re: Logfile symlink vulnerability


Eran Tromer wrote:
> Harold L Hunt II wrote:
>> Eran Tromer wrote:
>>> If /tmp/XWin.log is a symlink, XWin will merrily follow it and write
>>> to whatever it's pointing to (see LogInit() in os/log.c). This allows
>>> standard symlink-following attacks.
>>
>> In theory, but have you actually tried it and confirmed that it works with two different users that did not already both have permissions to overwrite the file in question?
>
> Yes, I did verify it.

With two distinct users, not in the same group, and with neither an administrator?


I just don't see how you could overwrite a file at all if you don't have permission on the underlying filesystem... what OS was this with? Were you using NTFS or FAT32? FAT32 could explain things... in which a user could overwrite a file anyway since FAT32 doesn't provide security, so protecting for this in XWin.exe would be pointless.

Please provide more details of your test.

Harold

