Title: J-Pilot Permissions Vulnerability
Released by: Weston Pawlowski
Date: 14th December 2000
J-Pilot automatically creates a ".jpilot" directory in the user's home directory to store preferences and backed-up PalmOS device data. The permissions for this directory are mode 755, and files in the directory are mode 644; this allows anyone with only minimal access to the user's home directory to also access their PalmOS device's backup data, including private records.



Because ".jpilot" is often hidden due to the leading '.', this insecurity is often unnoticed. This is a big concern for J-Pilot users because it is common for home directories to be world executable, often due to a "public_html" directory for HTTP content which requires the user's home directory to be at least world executable.



So in summary, if there is a user named "joe" who uses J-Pilot, any user on the system could type "cd ~joe/.jpilot" and read all of joe's PalmOS data including private records. This depends on joe's home directory being world executable, but it often is.



The good news is that it's probably not very common for someone to sync their PalmOS device on a system that many, if any, other people have shell access to. But, if this situation does happen, the vulnerable user is likely to be the owner of the machine (since he has to be local), and there's the possibility that he may keep a password list on his PalmOS device. In that case, any user could get the system admin's passwords, which obviously may include the system's root password.



The fix is to simply type "chmod 700 ~/.jpilot".



-Weston
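
A check for the condition described above, followed by the advisory's fix, as an added shell example that is not part of the original advisory. The function names, the "latent" label and the demo file name are assumptions made here; the demo runs against a constructed temporary directory, not a real home.

```shell
#!/bin/sh
# Added example (not from the advisory): classify a home directory's .jpilot exposure.
# jpilot_exposure HOME_DIR prints one of: absent | private | exposed | latent

jpilot_exposure() {
    home=$1
    dir="$home/.jpilot"
    [ -d "$dir" ] || { echo absent; return 0; }

    # Symbolic mode from ls -ld, e.g. "drwxr-xr-x": chars 5-7 are group, 8-10 are other.
    home_mode=$(ls -ld "$home" | cut -c1-10)
    dir_mode=$(ls -ld "$dir" | cut -c1-10)

    # No group or other bits at all: only the owner can get in.
    case $(printf '%s' "$dir_mode" | cut -c5-10) in
        ------) echo private; return 0 ;;
    esac

    # "Other" users need search (x) permission on both the home directory and .jpilot.
    home_ox=$(printf '%s' "$home_mode" | cut -c10)
    dir_ox=$(printf '%s' "$dir_mode" | cut -c10)
    case "$home_ox$dir_ox" in
        [xt][xt]) echo exposed ;;
        *)        echo latent ;;  # permissive bits, not reachable by "other" (group may still be)
    esac
}

# The advisory's fix: owner-only access to the directory.
jpilot_lock_down() {
    chmod 700 "$1/.jpilot"
}

# Constructed demo home reproducing the modes from the advisory (755 directory, 644 file).
demo_home=$(mktemp -d)
mkdir "$demo_home/.jpilot"
: > "$demo_home/.jpilot/backup.pdb"        # constructed file name
chmod 755 "$demo_home" "$demo_home/.jpilot"
chmod 644 "$demo_home/.jpilot/backup.pdb"

echo "before: $(jpilot_exposure "$demo_home")"
jpilot_lock_down "$demo_home"
echo "after:  $(jpilot_exposure "$demo_home")"
rm -rf "$demo_home"
```

After the fix the files inside keep mode 644, but they are no longer reachable because the directory itself denies search permission to everyone except the owner.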







