X-RDate: Mon, 23 Feb 1998 10:19:56 +0500 (ESK)
Date: Fri, 20 Feb 1998 13:14:26 +0100
From: Michał Zalewski <[email protected]>
To: [email protected]
Subject: Fw: tetex-0.4pl8 world-writable database

BRIEFING: The tetex-0.4pl8 package (and previous ones) includes a
world-writable/readable database file, /usr/lib/texmf/texmf/ls-R.
ls-R stores the locations of TeX scripts to speed up access. In a trusted
environment, a user may add his own components, fonts, etc., and list
them there. Otherwise this file seems to be mostly harmless, so the
ls-R database has mode 666 in standard TeX distributions.

Hmmm, but it isn't quite harmless... One of the paths listed in this file
may be modified a little, and then TeX will read our evil script instead
of the original one... The TeX language is quite powerful, so a modified
script may do almost anything with the processed document, or even access
files on the victim's account:
-- lame_example.ltx --
\begin{filecontents}{NotFunnyFile}
Just An Useless Example
\end{filecontents}
-- eof --
EXPLOIT: Nothing at this time, there's no reason to write it.
FIX: chmod 644 /usr/lib/texmf/texmf/ls-R, or, if possible, chattr to
append-only. If you're unsure whether your ls-R has already been modified,
rebuild it. Note that ls-R is root-owned, so it's stupid to leave it
world-writable, even in append-only mode - anyone may execute
cp /dev/zero>>ls-R...
_______________________________________________________________________
Michał Zalewski [tel 9690] | finger 4 PGP [[email protected]]
To iterate is human, to recurse - divine [P. Deutsch]
=--------------- [ echo "\$0&\$0">_;chmod +x _;./_ ] -----------------=
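
The check behind the FIX section, as an added example that is not part of the original advisory: a read-only shell audit that flags an ls-R writable by group or other and lists directory entries that point outside the texmf tree or at directories that do not exist. It assumes ls-R is `ls -R` style output in which a line ending in ":" names a directory; the function names are illustrative.

```shell
#!/bin/sh
# Added example, not from the advisory: read-only audit of a TeX ls-R database.
# Assumption: ls-R is `ls -R` style output, where a line ending in ":" names a
# directory ("./sub:" relative to the tree, or absolute) followed by its files.

# Succeeds when FILE is writable by group or other (e.g. the mode 666 case).
ls_r_loose_mode() {
    [ -n "$(find "$1" -prune \( -perm -020 -o -perm -002 \) -print 2>/dev/null)" ]
}

# Prints each directory header in LSR that leaves ROOT or does not exist.
ls_r_bad_dirs() {
    root=${1%/}; lsr=$2
    while IFS= read -r line || [ -n "$line" ]; do
        case $line in
            %*) continue ;;                 # comment line
            *:) dir=${line%:} ;;            # directory header
            *)  continue ;;                 # file entry or blank separator
        esac
        case $dir in
            /*) path=$dir ;;
            *)  path=$root/${dir#./} ;;
        esac
        case $path/ in
            */../*)    echo "$line" ;;                    # climbs out via ".."
            "$root"/*) [ -d "$path" ] || echo "$line" ;;  # inside tree, must exist
            *)         echo "$line" ;;                    # outside the tree
        esac
    done < "$lsr"
    return 0
}

# Audits ROOT/ls-R; returns 0 if clean, 1 if it needs attention, 2 if absent.
audit_texmf() {
    root=${1%/}; lsr=$root/ls-R; rc=0
    [ -f "$lsr" ] || { echo "no ls-R under $root" >&2; return 2; }
    if ls_r_loose_mode "$lsr"; then
        echo "group/other-writable: $lsr (chmod 644, then rebuild it)"; rc=1
    fi
    bad=$(ls_r_bad_dirs "$root" "$lsr")
    if [ -n "$bad" ]; then
        echo "ls-R directory entries outside the tree or missing:"
        echo "$bad"; rc=1
    fi
    return $rc
}

# Usage: sh audit.sh /usr/lib/texmf/texmf
if [ $# -gt 0 ]; then audit_texmf "$1"; fi
```

A clean result only means the headers stay inside the tree; rebuilding ls-R, as the advisory says, remains the way to be sure of its contents.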