Advisories : Joe's Own Editor File Link Vulnerability

main menu

- feedback
- advertising
- privacy
- FightAIDS
- newsletter
- news

discussions

- read forum
- new topic
- search

meetings

- meetings list
- recent additions
- add your info

top 100 sites

- visit top sites
- sign up now
- members

webmasters

- add your url
- add domain
- search box
- link to us

projects

- our projects
- free email

m4d network

- security software
- secureroot
- m4d.com

Home : Advisories : Joe's Own Editor File Link Vulnerability

Title:	Joe's Own Editor File Link Vulnerability
Released by:	WKit Security AB
Date:	13th November 2000
Printable version:	Click here

-----BEGIN PGP SIGNED MESSAGE-----

Hash: SHA1





TITLE:          Joe's Own Editor File Link Vulnerability

ADVISORY ID:    WSIR-00/11-01

CONTACT:        Patrik Birgersson, Wkit Security AB

CLASS:          File Handling Error

OBJECT:         joe(1) (exec)

VENDOR:         Josef H. Allen

STATUS:         Vendor not reachable

REMOTE:         No

LOCAL:          Yes

DATE:           13/11/2000

VULNERABLE:     Joe's Own Editor 2.8

                Other versions/configurations not tested





VULNERABILITY DESCRIPTION

If a joe session with an unsaved file terminates abnormally, joe creates a

rescue copy of the file being edited called DEADJOE. The creation of this

rescue copy is made without checking if the file is a link. If it is a

link, joe will append the information in the unsaved file to the file that

is being linked to DEADJOE, resulting in a corrupted file.





CONDITIONS

1. The malicious user must have write permissions in the directory where

   the file is being edited, in order to create a link

2. The 'victim user' must have write permissions for the 'victim file'

3. The 'victim user' joe session must terminate abnormally

4. The file being edited must not have been saved





VULNERABILITY EXAMPLE

- - Root is logged in remote

- - Malicious user (X) notices that root is editing file.txt in /tmp

  (where X has write permissions)

- - X creates a link from /etc/passwd (root = write permission) to

  /tmp/DEADJOE

- - Root's connection is dropped or terminated under abnormal conditions

  (for example: root halts the system) before file.txt is saved, the

  editor will write a rescue copy to /tmp/DEADJOE

- - The editor won't check if /tmp/DEADJOE is a link, and appends the

  content of file.txt to /etc/passwd





SOLUTION/VENDOR INFORMATION/WORKAROUND

No information available.





CREDITS

This vulnerability was discovered and documented by Christer Öberg and

Patrik Birgersson of Wkit Security AB, Håverud, Sweden.



Other advisories from Wkit Security AB can be obtained from:

http://www.wkit.com/advisories/





DISCLAMER

The contents of this advisory is copyright (c) 2000 Wkit Security AB and

may be distributed freely, provided that no fee is charged and proper

credit is given. Wkit Security AB takes no credit for this discovery if

someone else has published this information in the public domain before

this advisory was released.

The information herein is intended for educational purposes, not for

malicious use. Wkit Security AB takes no responsibility whatsoever for the

use of this information.





ABOUT THE COMPANY

Wkit Security AB is an independent data security company working with

security-related services and products. Wkit Security AB plays a leading

role in the development of security thinking, regarding internal and

external data communication at companies and other organizations that

store sensitive information.

The company consists of two divisions: a service division, performing

security analysis and security reviews, and a product division. We work

together with strategic partners to bring programs and services into the

market.

Our services and products are continuously developed to optimally follow

the world demand for IT security.





30 DAY DISCLOSURE

Whenever Wkit Security AB finds any security related flaws in operating

system, or application, we will provide the vendor responsible for the

product with a detailed Incident Report. We believe that 30 days is

appropriate for the vendor to fix the problem before we publish the

incident report on our own web page and other mailing lists/websites we

find suitable for the majority of the worldwide users. If the vendor has a

reasonable cause why they can't fix the problem in 30 days we can, after

discussion, agree on a longer disclosure time.





ACKNOWLEDGEMENTS

Wkit Security AB's highest priority is for the public security, and will

never release Incidents Reports without informing the vendor and give them

reasonable (30 day) time to fix the problem. In general, Wkit Security AB

follows the guidelines for reporting security breaches we found on the

vendors homepage or similar.

We urge vendors that in the same way we follow their guidelines, that the

vendor informs us about the solution; if possible, 2 days before the

fix/solution will be presented for the majority. This gives us the chance

to prepare our web page to inform about the Incident and to present a

solution in the way the vendor suggest at the time when it is present for

the majority.





CONTACT

Wkit Security AB should be contacted through advisories@wkit.com if no

other agreement has been done. Every incident report is assigned a report

number WSIR-xx/xx-xx (Wkit Security AB Incident Report) and one

responsible contact person from Wkit Security. When communicating with

Wkit Security AB in the matter of the Incident Reports, be sure to add the

WSIR number in the email to avoid any problems.





***************************************************************************

Wkit Security AB

Upperudsvägen 4

S-464 72 Håverud

SWEDEN



http://www.wkit.com

e-mail: advisories@wkit.com

***************************************************************************





-----BEGIN PGP SIGNATURE-----

Version: PGP 7.0



iQA/AwUBOhJlSW7fLJob6xkXEQJgpACfSP5fzZWft5antg+DdXMdYcAOVSQAoKN/

lhge4y3XCAroyWUA004N/acM

=LYU/

-----END PGP SIGNATURE-----