On 13 February 01, Geoff Wing wrote:
> :By echoing
> : ^[]55;/tmp/log.txt^G
> :to my tty, I can dump the content of the scrollback buffer to
> :disk. That means that if I can manage to write something to root's
> :rxvt, I could override /etc/passwd or any other file of importance.
> 
> Except the file is opened  O_CREAT | O_EXCL  so if it already
> exists it won't overwrite it.

I don't think that's enough to make it safe, although it certainly
helps.  There are lots of files that may not exist, but if they're
created under control of an attacker, there could be problems.

Off the top of my head: /etc/hosts.equiv; /root/.rhosts;
/root/.ssh/authorized_keys; /root/.bash_profile.

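The distinction drawn in this exchange, as an added example that is not rxvt's code and not part of the original messages: `open_excl` uses the flags quoted above, which refuse an existing file but still create a missing one. `open_dump_confined`, its bare-name rule and the scratch directory are hypothetical, shown as one possible way to limit where a dump can land.

```c
#define _POSIX_C_SOURCE 200809L
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>

/* The open from the quoted reply: EEXIST on an existing path, creates a missing one. */
int open_excl(const char *path)
{
    return open(path, O_WRONLY | O_CREAT | O_EXCL, 0600);
}

/* Hypothetical hardening (an assumption, not rxvt code): accept only a bare
 * file name and create it inside one fixed dump directory. */
int open_dump_confined(const char *dump_dir, const char *name)
{
    if (name[0] == '\0' || name[0] == '.' || strchr(name, '/') != NULL) {
        errno = EINVAL;              /* no absolute paths, no "..", no dotfiles */
        return -1;
    }
    int dirfd = open(dump_dir, O_RDONLY | O_DIRECTORY);
    if (dirfd < 0) return -1;
    int fd = openat(dirfd, name, O_WRONLY | O_CREAT | O_EXCL | O_NOFOLLOW, 0600);
    int saved = errno;               /* keep openat's errno across close() */
    close(dirfd);
    errno = saved;
    return fd;
}

static const char *outcome(int fd)
{
    return fd < 0 ? strerror(errno) : (close(fd), "created");
}

int main(void)
{
    char dir[] = "/tmp/dumpdemo.XXXXXX", path[64];   /* constructed scratch dir */
    if (mkdtemp(dir) == NULL) return 1;
    snprintf(path, sizeof path, "%s/log.txt", dir);
    printf("missing file:  %s\n", outcome(open_excl(path)));
    printf("existing file: %s\n", outcome(open_excl(path)));
    printf("confined, absolute path: %s\n", outcome(open_dump_confined(dir, "/etc/hosts.equiv")));
    unlink(path);
    rmdir(dir);
    return 0;
}
```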