StarOffice /tmp Directory Symbolic Link Vulnerability
BID:1922
Info
StarOffice /tmp Directory Symbolic Link Vulnerability
| Bugtraq ID: | 1922 |
| Class: | Access Validation Error |
| CVE: |
CVE-2000-1156 |
| Remote: | No |
| Local: | Yes |
| Published: | Nov 08 2000 12:00AM |
| Updated: | Jul 11 2009 03:56AM |
| Credit: | This vulnerability was first announced by Christian <[email protected]> on November 8, 2000. |
| Vulnerable: |
Sun StarOffice 5.2 |
| Not Vulnerable: | |
Discussion
StarOffice /tmp Directory Symbolic Link Vulnerability
StarOffice is a productivity package designed designed to offer advanced word processing and business applications. A vulnerability exists which can allow users to read and write to restricted files belonging to users who run StarOffice.
The problem occurs in use of the /tmp directory. When a user starts the StarOffice application, the application creates the /tmp/soffice.tmp directory with permissions set to 0777. The application has also been observed changing the permissions to 0777 during operation. It is possible for a malicious user to symbolically link the /tmp/soffice.tmp directory to a directory or file owned by a user of StarOffice, thereby changing the permissions of the linked file or directory to 0777. This can result in an elevation of privileges for the attacker.
StarOffice is a productivity package designed designed to offer advanced word processing and business applications. A vulnerability exists which can allow users to read and write to restricted files belonging to users who run StarOffice.
The problem occurs in use of the /tmp directory. When a user starts the StarOffice application, the application creates the /tmp/soffice.tmp directory with permissions set to 0777. The application has also been observed changing the permissions to 0777 during operation. It is possible for a malicious user to symbolically link the /tmp/soffice.tmp directory to a directory or file owned by a user of StarOffice, thereby changing the permissions of the linked file or directory to 0777. This can result in an elevation of privileges for the attacker.
Exploit / POC
StarOffice /tmp Directory Symbolic Link Vulnerability
See discussion.
See discussion.
Solution / Fix
StarOffice /tmp Directory Symbolic Link Vulnerability
References
StarOffice /tmp Directory Symbolic Link Vulnerability
References:
References: