Ali Rahimi <[EMAIL PROTECTED]> typed:
:Hi. I just discovered the tty escape command 55 in rxvt.
:By echoing
: ^[]55;/tmp/log.txt^G
:to my tty, i can dump the content of the scrollback buffer to
:disk. that means that if i can manage to write something to root's
:rxvt, i could override /etc/passwd or any other file of importance.
:even if root doesn't have world writeable terminal, i can still
:make a file called /tmp/look-shes-naked.txt and root will cat it
:and frob /etc/passwd.
Except the file is opened O_CREAT | O_EXCL so if it already
exists it won't overwrite it.
Regards,
--
Geoff Wing : <[EMAIL PROTECTED]>
Rxvt Stuff : <[EMAIL PROTECTED]>
Zsh Stuff : <[EMAIL PROTECTED]>
