Bug 37771 - symlinks/vi allows creation of arbitrary files.
Status: CLOSED ERRATA
Product: Red Hat Linux
Classification: Retired
Component: vim
Version: 7.0
Hardware/OS: All Linux
Priority: medium
Severity: medium
Assigned To: Karsten Hopp
QA Contact: David Lawrence
Keywords: Security
Duplicates: 60338
Reported: 2001-04-26 07:02 EDT by Need Real Name
Modified: 2007-04-18 12:32 EDT
Last Closed: 2003-04-03 04:23:36 EST
Doc Type: Bug Fix
Attachments: None
Description Need Real Name 2001-04-26 07:02:56 EDT
The .swp files from vi follow symlinks.

as User 1
bash$ cd /tmp;ln -s somefile .wahoo.swp
as User 2
bash# cd /tmp;vi /tmp/wahoo
:q
bash# ls -al /tmp/somefile
-rw-------    1 root     root         4096 Apr 26 22:56 somefile

crontab does a chdir("/tmp") before it loads the editor...
if root edits his crontab file, then it would be possible to
create a file with any name (that didn't already exist) as root anywhere on
the disk.

According to an email discussion with Bram Moolenaar
<Bram@moolenaar.net>, this has been fixed in the latest version.

(crontab root shell exploit available on request)
Comment 1 Bernhard Rosenkraenzer 2001-04-26 11:51:17 EDT
We released an errata to address this a while ago.
Comment 2 Need Real Name 2001-04-26 12:38:59 EDT
I've looked at http://www.redhat.com/support/errata/rh7-errata.html for the
errata, but couldn't see anything to do with vim packages there.

I also checked ftp://ftp.redhat.com/pub/redhat/linux/updates/7.0/en/os/i386 for
updated versions of vim but the latest copy there is the same as I am using.

Could you tell me where the errata is?
Comment 3 Need Real Name 2001-07-01 08:37:50 EDT
Hello?
Again, I'm asking:
 If there was an errata for this, where is it?
 And if there was an errata for this, why is my Redhat 7.0 system, updated
 with up2date vulnerable?

Comment 4 Bill Huang 2002-06-16 23:03:05 EDT
*** Bug 60338 has been marked as a duplicate of this bug. ***
Comment 5 Karsten Hopp 2002-06-25 17:41:42 EDT
The current vim uses mktemp to create its tmp and swap files, therefore the filenames
can't be guessed anymore.
Comment 6 Need Real Name 2002-08-26 07:25:51 EDT
Hi! 

Did you actually try the exploit listed on 

http://www.opennet.ru/base/exploits/993573483_269.txt.html

on redhat 7.0? Marking this as closed seems to be a little premature.

To the best of my knowledge (please correct me if I am wrong) RedHat 7.0 is 
still supported, and security errata are still published for it.

I tried the exploit listed a few minutes ago and it still works.

bash-2.04$ id
uid=500(evil) gid=500(evil) groups=500(evil)
bash-2.04$ ls -al /evil 
-rw-------    1 root     root        12288 Aug 26 23:16 /evil
bash-2.04$
Comment 7 Kjartan Maraas 2003-04-02 17:09:20 EST
Doesn't seem to be the case on RHL 9 any more.
Comment 8 Karsten Hopp 2003-04-03 04:23:36 EST
Should be fixed in 7.x as well with the latest errata vim-6.1-18.7x.2
