WordPerfect 7 filepermission problems

Summary

Description:	Apparently WordPerfect 7 has serious problems with regard to permissions on the files it creates in users directories. It will also follow symlinks when creating them.
Author:	Hans Petter Bieker <hanspb@PERSBRATEN.VGS.NO>
Compromise:	break into a users account or clobber their files (user could potentially be root )
Vulnerable Systems:	Linux boxes running WordPerfect 7 (possibly other *NIXes)
Date:	15 December 1997

Details


Date: Mon, 15 Dec 1997 19:29:18 +0100
From: Hans Petter Bieker <hanspb@PERSBRATEN.VGS.NO>
To: BUGTRAQ@NETSPACE.ORG
Subject: Word Perfect for Linux v7.0.0116

This is my first bugtraq message. I'm not sure how to put it together, but
I'll try:

word perfect creates a directory in tmp when you start it up:

$ ls -ld wpc-zerium.newmedia.no/
drwxrwxrwx   2 hanspbie hanspbie     1024 Dec 15 18:59 wpc-your.host.name/

where your.host.name is your hostname. As you see every body has write
permission to this directory. Word Perfect also creates some nice
files:


$ ls -al wpc-zerium.newmedia.no/
total 6
drwxrwxrwx   2 hanspbie hanspbie     1024 Dec 15 19:02 .
drwxrwxrwt   5 root     root         1024 Dec 15 19:00 ..
-rw-rw-rw-   1 hanspbie hanspbie      324 Dec 15 18:59 /home/hanspbie/.rhosts
-rw-rw-rw-   1 hanspbie hanspbie        0 Dec 15 18:59 _WP__0000001644a_
prw-rw-rw-   1 hanspbie hanspbie        0 Dec 15 18:59 excmsg7
-rw-rw-rw-   1 hanspbie hanspbie      146 Dec 15 18:56 unix.def
-rw-rw-rw-   1 hanspbie hanspbie       40 Dec 15 18:56 wpprint.err
-rw-rw-rw-   1 hanspbie hanspbie       65 Dec 15 18:56 wpq7_0
-rw-rw-rw-   1 hanspbie hanspbie       65 Dec 15 18:56 wpq7_65535

if you removes one of the files and creates a symlink to e.g. a word
perfect users rhosts file it will make a .rhosts file with permission
666!!

$ ls -l .wpexc7.man
lrwxrwxrwx   1 weber    weber          22 Dec 15 18:59 .wpexc7.man -> /home/hanspbie/.rhosts

$ ls -la .rhosts
-rw-rw-rw-   1 hanspbie hanspbie      324 Dec 15 18:59 /home/hanspbie/.rhosts

word perfect doesn't touch permission if the file allready exists, but the
file contents will be replaces with something like this:
$ cat .rhosts
your-path-to-WP7/shbin10/tmp/wpc-your.host.name/excmsg7m


in.rlogind in Redhat v4.2 doesn't check permission on the .rhosts file.

--
 Linux; 64bit, multi-platform, multi-tasking, multi-user, fast and Free.
UNIX was not designed to stop you from doing stupid things, because that
would also stop you from doing clever things.
                -- Doug Gwyn

More Exploits!

The master index of all exploits is available here (Very large file)
Or you can pick your favorite operating system:

All OS's	Linux	Solaris/SunOS	Micro$oft
*BSD	Macintosh	AIX	IRIX
ULTRIX/Digital UNIX	HP/UX	SCO	Remote exploits

This page is part of Fyodor's exploit world. For a free program to automate scanning your network for vulnerable hosts and services, check out my network mapping tool, nmap. Or try these Insecure.Org resources: