[ http://www.rootshell.com/ ]

Date:         Mon, 8 Jun 1998 17:31:36 +0300
From:         Stefan Laudat <ninja@MS54.PROTV.RO>
Subject:      Security flaw in Accelerated-X 4.1

I don't know if this was posted before, please accept my appologies if so.
Seems like the guys at XiG forgot the meaning of /tmp security ... The main
problem is that the Install program of the AcceleratedX package logs all in
a file named /tmp/Install.log. So, every user knowing that Mr ReWT is going
to install this X server on his box can overwrite any file on the system.
The procedure is very simple: ln -s /etc/shadow /tmp/Install.log Oh, some of
you may tell me : "What if AcceleratedX is already installed?". There is
also an Uninstall.log =-> I think the /tmp/Xaccel.ini is also the temporary
file for new configurations, so wait for the root to change something and
KAB00M! :)) I am too lazy to cc this to the guys at XiG so please do it if
you want.

---

Stefan Laudat aka Ninja
pager: 2233789 / 4105
ninja@protv.ro
IRC = Ninja || SSL || Kayden
http://www.cpc.pub.ro/~ssl
--------------------------------
"Use."