[Full-Disclosure] Sharutils buggy?

From: Charles 'core' Stevenson (full-disclosure@lists.netsys.com)
Date: 07/16/02


From: full-disclosure@lists.netsys.com (Charles 'core' Stevenson)
Date: Mon, 15 Jul 2002 18:32:04 -0600

Actually it uses the full path.. at least on Debian.. see previously
attached concept exploit. Of course I had to create a retarded mail
program that simply ran uudecode on the attachment. ;)

peace,
core

Roland Postle wrote:
> The problem seems to be that by default uudecode uses as the output filename
> the same filename used when the file was uuencoded. The fix is apparently to
> stop it following symbolic links. So an attacker couldn't uuencode with a
> filename that was in the /tmp directory. Then link the file in the tmp
> directory to whatever they wanted. My guess is you can't specify an absolute
> path (or ../) in the filename, and the assumption is that lots of people
> extract these files in the tmp directory where malicious symbolic links might
> reside.
>
> Regardless it's not a 'grave' security problem as some people have said. And
> no, Uuencode isn't (or shouldn't be) suid/sgid before you ask.
>
> - Blazde
>
> ----- Original Message -----
> From: "martin f krafft" <madduck@madduck.net>
> To: "full-disclosure people" <full-disclosure@lists.netsys.com>
> Sent: Tuesday, July 16, 2002 12:24 AM
> Subject: [Full-Disclosure] Sharutils buggy?
>
>
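The two behaviours discussed in this thread (an output name taken from the encoded file's `begin` header, including a full path, and writing through a symbolic link already present at that name) can both be refused by the decoder. The following is an added example, not code from the original messages or from sharutils; the function names `parse_begin`, `open_output` and `symlink_is_refused` and all sample inputs are constructed for illustration.

```c
#define _GNU_SOURCE
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>

/* Parse a uuencode header ("begin <mode> <name>"). The name is accepted only
 * if it is a plain file name: no '/', and not "." or "..".
 * Returns 0 and fills mode/name, or -1 if the header is rejected. */
int parse_begin(const char *line, unsigned *mode, char *name, size_t namesz)
{
    char buf[256];
    if (sscanf(line, "begin %o %255[^\r\n]", mode, buf) != 2)
        return -1;                      /* not a begin line, or empty name */
    if (strchr(buf, '/') || !strcmp(buf, ".") || !strcmp(buf, ".."))
        return -1;                      /* absolute path or traversal */
    if (strlen(buf) >= namesz)
        return -1;
    strcpy(name, buf);
    return 0;
}

/* O_EXCL refuses any existing entry at the name; O_NOFOLLOW refuses a
 * symlink as the final path component. Returns an fd, or -1 on refusal. */
int open_output(const char *path, unsigned mode)
{
    return open(path, O_WRONLY | O_CREAT | O_EXCL | O_NOFOLLOW, mode & 0666);
}

/* Constructed scenario: a symlink already sits where the decoded file would
 * go. Returns 1 if the open was refused and the link target was not created. */
int symlink_is_refused(void)
{
    char dir[] = "/tmp/uudemoXXXXXX", link[64], target[64];
    if (!mkdtemp(dir)) return -1;
    snprintf(link, sizeof link, "%s/report.txt", dir);
    snprintf(target, sizeof target, "%s/victim", dir);
    if (symlink(target, link) != 0) return -1;
    int fd = open_output(link, 0644);
    int refused = (fd == -1) && access(target, F_OK) != 0;
    if (fd != -1) close(fd);
    unlink(link); unlink(target); rmdir(dir);
    return refused;
}

int main(void)
{
    unsigned m; char n[64];
    printf("%d %d\n", parse_begin("begin 644 /abs/x", &m, n, sizeof n), symlink_is_refused());
    return 0;
}
```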


