The .swp files from vi follow symlinks.

as User 1:
bash$ cd /tmp;ln -s somefile .wahoo.swp

as User 2:
bash# cd /tmp;vi /tmp/wahoo
:q
bash# ls -al /tmp/somefile
-rw------- 1 root root 4096 Apr 26 22:56 somefile

crontab does a chdir("/tmp") before it loads the editor... if root edits his crontab file, then it would be possible to create a file with any name (that didn't already exist) as root anywhere on the disk. According to an email discussion with Bram Moolenaar <Bram>, this has been fixed in the latest version. (crontab root shell exploit available on request)
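The defence against the symlink-following described above, beside the unpredictable swap-file names a later comment mentions, is to refuse to create the swap file through any path that already exists or is a symlink. The following is an added C example written for this page, not code from the bug report or from vim; it assumes the hypothetical names create_swap_safely and demo_symlink_refused, and the scratch directory and symlink it builds are constructed for the demonstration.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

/* Create a swap file that must not already exist and must not be a symlink:
 * O_EXCL refuses any pre-existing path (symlinks included) and O_NOFOLLOW
 * refuses to traverse one. Returns the open fd, or -1 with errno set. */
int create_swap_safely(const char *path) {
    return open(path, O_WRONLY | O_CREAT | O_EXCL | O_NOFOLLOW, 0600);
}

/* Demo: plant a symlink at the swap-file name (the scenario from the report)
 * and confirm the safe open is refused and the link target is never created.
 * Returns 1 on the expected outcome, 0 otherwise. */
int demo_symlink_refused(void) {
    char dir[] = "/tmp/swpdemoXXXXXX";          /* constructed scratch dir */
    if (mkdtemp(dir) == NULL) {
        strcpy(dir, "./swpdemoXXXXXX");          /* fall back to cwd */
        if (mkdtemp(dir) == NULL) return 0;
    }
    char target[256], swp[256];
    snprintf(target, sizeof target, "%s/somefile", dir);
    snprintf(swp, sizeof swp, "%s/.wahoo.swp", dir);
    int ok = 0;
    if (symlink(target, swp) == 0) {
        int fd = create_swap_safely(swp);
        int err = errno;
        struct stat st;
        /* refused with the expected errno, and the target still does not exist */
        if (fd == -1 && (err == EEXIST || err == ELOOP)
            && stat(target, &st) == -1 && errno == ENOENT)
            ok = 1;
        if (fd >= 0) close(fd);               /* unsafe: file went through link */
    }
    unlink(swp); unlink(target); rmdir(dir);
    return ok;
}

int main(void) {
    printf(demo_symlink_refused() ? "symlink refused\n" : "UNSAFE\n");
    return 0;
}
```

With plain O_CREAT (no O_EXCL/O_NOFOLLOW) the same open() would follow the link and create the target with the editor's privileges, which is exactly the /tmp/somefile result shown in the report.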
We released an errata to address this a while ago.
I've looked at http://www.redhat.com/support/errata/rh7-errata.html for the errata, but couldn't see anything to do with vim packages there. I also checked ftp://ftp.redhat.com/pub/redhat/linux/updates/7.0/en/os/i386 for updated versions of vim but the latest copy there is the same as I am using. Could you tell me where the errata is?
Hello? Again, I'm asking: if there was an errata for this, where is it? And if there was an errata for this, why is my Red Hat 7.0 system, updated with up2date, vulnerable?
*** Bug 60338 has been marked as a duplicate of this bug. ***
The current vim uses mktemp to create its tmp and swap files, therefore the filenames can't be guessed anymore.
Hi! Did you actually try the exploit listed on http://www.opennet.ru/base/exploits/993573483_269.txt.html on Red Hat 7.0? Marking this as closed seems to be a little premature. To the best of my knowledge (please correct me if I am wrong) Red Hat 7.0 is still supported, and security errata are still published for it. I tried the exploit listed a few minutes ago and it still works.

bash-2.04$ id
uid=500(evil) gid=500(evil) groups=500(evil)
bash-2.04$ ls -al /evil
-rw------- 1 root root 12288 Aug 26 23:16 /evil
bash-2.04$
Doesn't seem to be the case on RHL 9 any more.
Should be fixed in 7.x as well with the latest errata, vim-6.1-18.7x.2.