recoverjpeg
    /* build the next output file name, e.g. image00000.jpg */
    const char *buffer = file_name(dir_format, file_format, begin_index + i);
    i++;
    if (verbose) {
        printf("%s %ld bytes\n", buffer, (long) size);
    }
    /* no O_EXCL / O_NOFOLLOW: an existing symlink at this path is followed */
    fdout = open(buffer, O_WRONLY | O_CREAT, 0666);
    if (fdout < 0) {
        fprintf(stderr, "Unable to open %s for writing\n", buffer);
        exit(1);
    }
...
recoverjpeg writes each recovered image to an output file (e.g., image00000.jpg) without checking whether that path is already a symlink. An attacker who can plant a symlink under that name can therefore redirect the write to any privileged file the user running recoverjpeg has write access to. In /tmp and /var/tmp this is mitigated by the Linux kernel's symlink protections, but it is still a bug.
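The fix is to create the output file atomically and refuse to follow links. The following added example (not recoverjpeg's own code) shows a hardened replacement for the open() call and, in a scratch directory with constructed paths, demonstrates that the original flags follow a planted symlink while the hardened flags reject it:

```c
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
/* Hardened replacement for the open() call quoted above: O_EXCL makes
 * creation atomic and fails if anything (a symlink included) already sits
 * at the path; O_NOFOLLOW additionally refuses to follow a symlink. */
static int open_output_safely(const char *path)
{
    int fd = open(path, O_WRONLY | O_CREAT | O_EXCL | O_NOFOLLOW, 0666);
    if (fd < 0) {
        int saved = errno;
        fprintf(stderr, "Refusing to write %s: %s\n", path, strerror(saved));
        errno = saved;
    }
    return fd;
}
/* Demo in a private scratch dir (fs.protected_symlinks only guards sticky
 * world-writable dirs, so it does not interfere here): a fresh output name
 * is accepted, while a symlink planted under a recoverjpeg-style name is
 * followed by the original flags but rejected by the hardened ones.
 * Returns 1 when all three outcomes are as expected, 0 otherwise. */
int demo_symlink_refused(void)
{
    char dir[] = "/tmp/recoverjpeg-demo-XXXXXX";   /* constructed paths */
    if (mkdtemp(dir) == NULL) return 0;
    char victim[256], link[256], fresh[256];
    snprintf(victim, sizeof victim, "%s/victim.txt", dir);
    snprintf(link, sizeof link, "%s/image00000.jpg", dir);
    snprintf(fresh, sizeof fresh, "%s/image00001.jpg", dir);
    int ok = 0, fd;
    if ((fd = open(victim, O_WRONLY | O_CREAT | O_EXCL, 0600)) < 0) goto out;
    close(fd);
    if (symlink(victim, link) != 0) goto out;            /* planted link */
    int fresh_ok = (fd = open_output_safely(fresh)) >= 0; /* new file: ok */
    if (fd >= 0) close(fd);
    int followed = (fd = open(link, O_WRONLY | O_CREAT, 0666)) >= 0; /* bug */
    if (fd >= 0) close(fd);
    int refused = open_output_safely(link) < 0 &&
                  (errno == EEXIST || errno == ELOOP);   /* hardened */
    ok = fresh_ok && followed && refused;
out:
    unlink(fresh); unlink(link); unlink(victim); rmdir(dir);
    return ok;
}
```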