Source: cve@mitre.org
Corel Word Perfect 8 for Linux creates a temporary working directory with world-writable permissions, which allows local users to (1) modify Word Perfect behavior by modifying files in the working directory, or (2) modify files of other users via a symlink attack.
Corel WordPerfect 8 for Linux is vulnerable to a local privilege escalation attack. This vulnerability allows attackers to modify the behavior of the application or potentially gain unauthorized access to other users' files due to the creation of a world-writable temporary directory. Successful exploitation could lead to data compromise and system instability.
Step 1: Identify the Target: The attacker identifies a user with access to Corel WordPerfect 8 for Linux.
Step 2: Access the System: The attacker gains local access to the vulnerable system, either through a compromised account or physical access.
Step 3: Locate the Temporary Directory: The attacker identifies the location of the world-writable temporary directory created by WordPerfect. This is likely a standard temporary directory like /tmp or a subdirectory within the user's home directory, or a directory specific to the application.
Step 4: Symlink Attack (Option 1): The attacker creates symbolic links within the temporary directory that point to sensitive files owned by other users (e.g., configuration files, password files, or other documents). When WordPerfect accesses these files, it will follow the symlinks and potentially overwrite or read the targeted files.
Step 5: File Modification Attack (Option 2): The attacker places malicious files within the temporary directory. These files are then used to modify the behavior of WordPerfect, potentially leading to arbitrary code execution or information disclosure.
Step 6: Trigger WordPerfect Action: The attacker triggers an action within WordPerfect that causes it to interact with the files in the temporary directory. This could be opening a document, saving a file, or any other operation that uses the temporary directory.
Step 7: Exploitation: WordPerfect interacts with the attacker-controlled files or follows the attacker-created symlinks, leading to the desired outcome (e.g., data modification, information disclosure, or code execution).
The vulnerability stems from a design flaw in Corel WordPerfect 8 for Linux where a temporary working directory is created with world-writable permissions (0777). This means any user on the system can write to this directory. The application likely uses this directory for temporary files, configuration, or other working data. The flaw allows for two primary exploitation vectors: (1) modifying files within the working directory to alter WordPerfect's behavior, potentially leading to arbitrary code execution or information disclosure; and (2) creating symbolic links (symlinks) within the working directory that point to other users' files. When WordPerfect interacts with files through these symlinks, it could be tricked into reading or writing to unintended locations, allowing an attacker to overwrite or read sensitive data. The root cause is a failure to apply proper access controls to the temporary directory, which violates a fundamental security principle.
Due to the age of the vulnerability and the specific software, it is unlikely to be directly targeted by sophisticated APTs. However, the techniques used in the exploit (symlink attacks, world-writable directories) are common and could be used by less sophisticated actors. This vulnerability is not listed in the CISA KEV catalog.
Monitor file system activity for the creation of symbolic links in temporary directories, especially those owned by the WordPerfect process.
Analyze system logs for suspicious file access patterns related to WordPerfect, such as unexpected reads or writes to sensitive files.
Implement file integrity monitoring to detect changes to critical system files or configuration files that could be targeted by symlink attacks.
Use process monitoring tools to identify any unusual behavior by the WordPerfect process, such as excessive file I/O or network connections.
Review the permissions of temporary directories and ensure they are not world-writable.
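The permission review and symlink monitoring described above can be scripted. The following Python audit of a single working directory is an added example, not part of the advisory or of Corel's software; the directory to check is supplied by the operator, since the page does not name the actual location.

```python
import os
import stat
import sys


def audit_workdir(path):
    """Return sorted (finding, path) tuples for one application working directory."""
    findings = []
    root = os.path.realpath(path)
    st = os.stat(root)
    mode = stat.S_IMODE(st.st_mode)

    # Any "other" write bit lets every local user create or replace entries here,
    # which is the precondition for both vectors in the advisory.
    if mode & stat.S_IWOTH:
        findings.append(("world-writable", root))

    with os.scandir(root) as entries:
        for entry in entries:
            est = entry.stat(follow_symlinks=False)  # lstat: inspect the entry itself
            # Entries not owned by the directory owner were planted by someone else.
            if est.st_uid != st.st_uid:
                findings.append(("foreign-owner", entry.path))
            # A symlink resolving outside the directory redirects the
            # application's reads and writes to another location.
            if stat.S_ISLNK(est.st_mode):
                target = os.path.realpath(entry.path)
                if os.path.commonpath([root, target]) != root:
                    findings.append(("symlink-escape", entry.path))
    return sorted(findings)


if __name__ == "__main__":
    # Usage: python audit_workdir.py <directory> [<directory> ...]
    for directory in sys.argv[1:]:
        for kind, where in audit_workdir(directory):
            print(f"{kind}\t{where}")
```

The check covers one directory level only; run it against each candidate working directory, for example from a scheduled job whose output feeds the log review.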
Upgrade to a more recent version of Corel WordPerfect, if available, or a different word processing software. This is the primary and most effective remediation.
If upgrading is not possible, restrict access to the temporary directory used by WordPerfect. This can be achieved by making the directory owned by the user running WordPerfect and setting its permissions so that only that user can access it (e.g., 0700).
Implement file integrity monitoring to detect any unauthorized changes to system files or configuration files.
Regularly audit system logs for suspicious activity.
Educate users about the risks of opening or interacting with untrusted files, especially those from external sources.