Mark wrote:
> Well, if the admin had clamav's ~/.bashrc world-writeable, then that would
> indeed be quite an oversight. :)
Someone can correct me if I'm wrong, but I believe the idea here would 
be to trick *clamav itself* into writing to its ~/.bashrc by setting up 
a symbolic link in a predictable, world-writable location.

The scenario would be this:
1. Target file is locked down.
2. App with necessary privileges will write data to a predictable 
location that is *not* locked down.
3. Attacker creates a symlink in that location so that the privileged 
app will inadvertently overwrite the target file.
4. Attacker can either enjoy the chaos, or attempt to manipulate just 
what the privileged app will write.

-- 
Kelson Vibber
SpeedGate Communications <www.speed.net>
_______________________________________________
Help us build a comprehensive ClamAV guide: visit http://wiki.clamav.net
http://lurker.clamav.net/list/clamav-users.html

Reply via email to