XInet K-AShare XKAS Program World Writable Icon Directory Vulnerability

K-AShare is a file sharing system designed to allow Apple Macintosh and Unix systems to share resources. It is maintained and distributed by Xinet.

A default installation of K-AShare installs an icon directory used by the system with insecure permissions. One of the files in this directory, 'VOLICON', is copied to a directory being shared by an administrator through the 'xkas' GUI utility. As a result of the icon directory permissions, a local user could remove the VOLICON file and create a symbolic link to an unreadable file such as '/etc/shadow'. When the superuser executes the xkas program and shares a directory, the '/etc/shadow' file would be copied to the shared directory as file '.HSicon' with world-readable permissions.
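The two conditions that combine here, a world-writable icon directory and an icon entry that is no longer a regular file, are both easy to audit for. The following POSIX shell function is an added example, not part of this advisory or of Xinet's software; the directory path is supplied by the caller, since the real install location is not given here.

```shell
#!/bin/sh
# Audit an icon directory of the kind described above.
# Returns 0 when no finding, 1 when at least one finding, 2 on bad input.
# The directory path is a caller-supplied assumption, not a known install path.

audit_icon_dir() {
    dir=$1
    rc=0
    if [ ! -d "$dir" ]; then
        echo "audit: $dir is not a directory" >&2
        return 2
    fi
    # A world-writable directory lets any local user unlink VOLICON and
    # put something else, such as a symbolic link, in its place.
    if [ -n "$(find "$dir" -prune -perm -0002 -print)" ]; then
        echo "FINDING: $dir is world-writable" >&2
        rc=1
    fi
    # Every icon must be a plain regular file; a symbolic link here is
    # exactly what a privileged copy would follow into an unreadable target.
    for f in "$dir"/* "$dir"/.[!.]*; do
        [ -e "$f" ] || [ -L "$f" ] || continue   # unmatched glob pattern
        if [ -L "$f" ]; then
            echo "FINDING: $f is a symbolic link" >&2
            rc=1
        elif [ ! -f "$f" ]; then
            echo "FINDING: $f is not a regular file" >&2
            rc=1
        elif [ -n "$(find "$f" -prune -perm -0002 -print)" ]; then
            echo "FINDING: $f is world-writable" >&2
            rc=1
        fi
    done
    return $rc
}

# Usage: audit_icons.sh /path/to/icon/directory
if [ $# -eq 1 ]; then
    audit_icon_dir "$1"
fi
```

Run it against the icon directory after installation and again after any package upgrade, since the insecure mode is set by the installer itself.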
