[Full-Disclosure] Sharutils buggy?

From: Charles 'core' Stevenson (full-disclosure@lists.netsys.com)
Date: 07/16/02

From: full-disclosure@lists.netsys.com (Charles 'core' Stevenson)
Date: Mon, 15 Jul 2002 18:32:04 -0600

Actually it uses the full path.. at least on Debian.. see previously
attached concept exploit. Of course I had to create a retarded mail
program that simply ran uudecode on the attachment. ;)


Roland Postle wrote:
> The problem seems to be that by default uudecode uses as the output filename
> the same filename used when the file was uuencoded. The fix is apparently to
> stop it following symbolic links. So an attacker couldn't uuencode with a
> filename that was in the /tmp directory. Then link the file in the tmp
> directory to whatever they wanted. My guess is you can't specify an absolute
> path (or ../) in the filename, and the assumption is that lots of people
> extract these files in the tmp directory where malicious symbolic links might
> reside.
> Regardless it's not a 'grave' security problem as some people have said. And
> no, Uuencode isn't (or shouldn't be) suid/sgid before you ask.
> - Blazde
> ----- Original Message -----
> From: "martin f krafft" <madduck@madduck.net>
> To: "full-disclosure people" <full-disclosure@lists.netsys.com>
> Sent: Tuesday, July 16, 2002 12:24 AM
> Subject: [Full-Disclosure] Sharutils buggy?
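
The two points raised in this thread (the output name comes from the encoded file's `begin` line, and the write can go through a symbolic link) can be handled on the receiving side as in the following added example, which is not part of the original messages and is not sharutils code. The function names (`make_sample`, `parse_begin`, `check_name`, `safe_uudecode`) are hypothetical, and the sample input is constructed.

```python
import binascii
import os

class UnsafeName(ValueError):
    """The name embedded in the 'begin' line is not a bare file name."""

def make_sample(name, data, mode=0o644):
    """Build a constructed uuencoded message (sample input for the demo)."""
    body = b"".join(binascii.b2a_uu(data[i:i + 45]) for i in range(0, len(data), 45))
    return "begin %o %s\n%s`\nend\n" % (mode, name, body.decode("ascii"))

def parse_begin(line):
    """Split 'begin <octal mode> <name>' into (mode, name)."""
    parts = line.split(" ", 2)
    if len(parts) != 3 or parts[0] != "begin":
        raise ValueError("missing uuencode 'begin' header")
    return int(parts[1], 8), parts[2]

def check_name(name):
    """Reject absolute paths, directory components and '..'."""
    if name in ("", ".", "..") or "/" in name or "\\" in name or "\0" in name:
        raise UnsafeName(repr(name))
    return name

def safe_uudecode(text, dest_dir):
    """Decode into dest_dir; never overwrite and never write through a symlink."""
    lines = text.splitlines()
    mode, name = parse_begin(lines[0])
    path = os.path.join(dest_dir, check_name(name))
    # O_EXCL fails if anything already exists at path, including a dangling
    # symlink; O_NOFOLLOW is a second guard on the final path component.
    flags = os.O_WRONLY | os.O_CREAT | os.O_EXCL | os.O_NOFOLLOW
    fd = os.open(path, flags, mode & 0o666)  # drop setuid/setgid/exec bits
    with os.fdopen(fd, "wb") as out:
        for line in lines[1:]:
            if line == "end":
                break
            out.write(binascii.a2b_uu(line))
    return path
```

A caller that processes mail attachments would pass a freshly created private directory as `dest_dir` rather than a shared one such as /tmp.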