Red Hat Bugzilla – Bug 37771
symlinks/vi allows creation of arbitrary files.
Last modified: 2007-04-18 12:32:52 EDT
The .swp files from vi follow symlinks.
as User 1
bash$ cd /tmp;ln -s somefile .wahoo.swp
as User 2
bash# cd /tmp;vi /tmp/wahoo
bash# ls -al /tmp/somefile
-rw------- 1 root root 4096 Apr 26 22:56 somefile
crontab does a chdir("/tmp") before it loads the editor...
If root edits his crontab file, then it would be possible to
create a file with any name (that didn't already exist) as root anywhere on
According to an email discussion with Bram Moolenaar
<Bram@moolenaar.net>, this has been fixed in the latest version.
(crontab root shell exploit available on request)
We released an errata to address this a while ago.
I've looked at http://www.redhat.com/support/errata/rh7-errata.html for the
errata, but couldn't see anything to do with vim packages there.
I also checked ftp://ftp.redhat.com/pub/redhat/linux/updates/7.0/en/os/i386 for
updated versions of vim but the latest copy there is the same as I am using.
Could you tell me where the errata is?
Again, I'm asking:
If there was an errata for this, where is it?
And if there was an errata for this, why is my Redhat 7.0 system, updated
with up2date vulnerable?
*** Bug 60338 has been marked as a duplicate of this bug. ***
The current vim uses mktemp to create its tmp and swap files; therefore the filenames
can't be guessed anymore.
Did you actually try the exploit listed on
on redhat 7.0? Marking this as closed seems to be a little premature.
To the best of my knowledge (please correct me if I am wrong) RedHat 7.0 is
still supported, and security errata are still published for it.
I tried the exploit listed a few minutes ago and it still works.
uid=500(evil) gid=500(evil) groups=500(evil)
bash-2.04$ ls -al /evil
-rw------- 1 root root 12288 Aug 26 23:16 /evil
Doesn't seem to be the case on RHL 9 any more.
should be fixed in 7.x as well with the latest errata vim-6.1-18.7x.2
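
The report in this thread turns on a swap file being created through a symlink that already sits at the expected name. The C program below is an added illustration, not vim's code and not taken from this bug: it contrasts a create-if-missing open with one that uses O_EXCL and O_NOFOLLOW, which is a different mitigation from the mktemp-based naming mentioned in the thread. The function names and the scratch directory are assumptions; the file names reuse those from the report.

```c
#ifndef _POSIX_C_SOURCE
#define _POSIX_C_SOURCE 200809L /* mkdtemp(), O_NOFOLLOW */
#endif
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/stat.h>
#include <unistd.h>

/* Pattern described in the report: create the file if it is missing,
 * following whatever symlink already sits at that name. */
static int open_swap_unsafe(const char *path) {
    return open(path, O_RDWR | O_CREAT, 0600);
}

/* Hardened form: with O_CREAT|O_EXCL, open() fails with EEXIST when the
 * name exists, even as a dangling symlink. O_NOFOLLOW is a second guard. */
static int open_swap_safe(const char *path) {
    return open(path, O_RDWR | O_CREAT | O_EXCL | O_NOFOLLOW, 0600);
}

/* Constructed scenario inside a private scratch directory: a dangling
 * symlink ".wahoo.swp" -> "somefile" exists before the editor-style open.
 * Returns 1 if the symlink target was created, 0 if not, -1 on setup error. */
int target_created(int use_safe) {
    char dir[] = "/tmp/swpdemoXXXXXX";
    char link[64], target[64];
    struct stat st;

    if (mkdtemp(dir) == NULL) return -1;
    snprintf(link, sizeof link, "%s/.wahoo.swp", dir);
    snprintf(target, sizeof target, "%s/somefile", dir);
    if (symlink(target, link) != 0) { rmdir(dir); return -1; }

    int fd = use_safe ? open_swap_safe(link) : open_swap_unsafe(link);
    if (fd >= 0) close(fd);

    int created = (lstat(target, &st) == 0);
    unlink(target);   /* clean up; fails harmlessly if never created */
    unlink(link);
    rmdir(dir);
    return created;
}

int main(void) {
    printf("create-if-missing open created target: %d\n", target_created(0));
    printf("O_EXCL|O_NOFOLLOW open created target: %d\n", target_created(1));
    return 0;
}
```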