CVE-1999-1173

LOW 2.1 / 10.0
Published: December 18, 1998 at 05:00 AM
Modified: April 3, 2025 at 01:03 AM
Source: cve@mitre.org

Vulnerability Description

Corel Word Perfect 8 for Linux creates a temporary working directory with world-writable permissions, which allows local users to (1) modify Word Perfect behavior by modifying files in the working directory, or (2) modify files of other users via a symlink attack.

CVSS Metrics

Base Score
2.1
Severity
LOW
Vector String
AV:L/AC:L/Au:N/C:N/I:P/A:N

Weaknesses (CWE)

NVD-CWE-Other
Source: nvd@nist.gov

AI Security Analysis

01 // Technical Summary

Corel WordPerfect 8 for Linux has a vulnerability that lets local users tamper with the application's working files and with files belonging to other users. The flaw stems from the creation of a world-writable temporary directory, enabling attackers to modify application behavior or manipulate other users' files, potentially leading to privilege escalation and data compromise.

02 // Vulnerability Mechanism

Step 1: Identify the Temporary Directory: The attacker needs to determine the location of the world-writable temporary directory created by WordPerfect 8. This is likely a standard temporary directory like /tmp or a subdirectory within the user's home directory, but the exact location needs to be confirmed through reverse engineering or by observing the application's behavior.

Step 2: Symlink Creation (if applicable): The attacker creates a symbolic link (symlink) in the temporary directory. The symlink points to a target file that the attacker wants to modify (e.g., a configuration file, a user's .bashrc).

Step 3: Trigger WordPerfect Action: The attacker triggers an action within WordPerfect that causes the application to write to a file within its temporary directory. This could be opening a document, saving a file, or performing any operation that involves file I/O.

Step 4: File Overwrite: Because of the symlink, the write operation is redirected to the target file. The attacker can now overwrite or modify the target file, potentially gaining control of the user's account or system.

Step 5: Behavior Modification (alternative): If the attacker knows the files WordPerfect uses in the temporary directory, they can modify them to change the application's behavior. For example, they might replace a configuration file with a malicious version that executes arbitrary code.

03 // Deep Technical Analysis

The vulnerability arises from a design flaw in Corel WordPerfect 8 for Linux. The application creates a temporary working directory with permissions set to 777 (world-writable). On a directory, this means any user on the system can list it and create, rename, or delete entries inside it. The root cause is a failure to restrict access to this temporary space, which opens two attack vectors:

(1) Modification of files within the temporary directory to alter WordPerfect's behavior, potentially leading to code execution within the application's context.

(2) A symlink attack, where a malicious user creates a symbolic link in the temporary directory pointing to a sensitive file owned by another user (e.g., a configuration file). When WordPerfect writes to a file in its temporary directory, the write is redirected to the target file via the symlink, allowing the attacker to overwrite or modify it.

This is a classic example of an insecure default configuration leading to a privilege escalation scenario.
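The corrected pattern for this class of flaw, as an added example (not Corel's code and not from the original page): a working directory only its owner can use, a check that flags a loosened directory, and file creation that refuses existing names and symlinks. The function names and the `/tmp/wp-example-XXXXXX` template are assumptions made for illustration.

```c
#define _GNU_SOURCE
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

/* Create a working directory with an unpredictable name. mkdtemp() creates
 * it with mode 0700, so other local users cannot add or replace entries.
 * The template is a constructed placeholder, not WordPerfect's real path. */
int make_private_workdir(char *path, size_t len) {
    const char *tmpl = "/tmp/wp-example-XXXXXX";
    if (len <= strlen(tmpl)) return -1;
    strcpy(path, tmpl);
    return mkdtemp(path) ? 0 : -1;
}

/* Return 1 only if dir is a real directory (lstat does not follow symlinks),
 * owned by the caller, with no group or other permission bits set. */
int workdir_is_private(const char *dir) {
    struct stat st;
    if (lstat(dir, &st) != 0) return 0;
    return S_ISDIR(st.st_mode) && st.st_uid == geteuid() &&
           (st.st_mode & (S_IRWXG | S_IRWXO)) == 0;
}

/* Create a new file inside dir. O_EXCL fails if the name already exists,
 * including as a dangling symlink; O_NOFOLLOW refuses a symlink as the
 * final path component. Returns a file descriptor, or -1 on refusal. */
int open_work_file(const char *dir, const char *name) {
    int dfd = open(dir, O_RDONLY | O_DIRECTORY | O_NOFOLLOW);
    if (dfd < 0) return -1;
    int fd = openat(dfd, name, O_WRONLY | O_CREAT | O_EXCL | O_NOFOLLOW, 0600);
    close(dfd);
    return fd;
}

int main(void) {
    char dir[64];
    if (make_private_workdir(dir, sizeof dir) != 0) return 1;
    printf("%s private=%d\n", dir, workdir_is_private(dir));
    int fd = open_work_file(dir, "scratch.tmp");
    if (fd >= 0) close(fd);
    return fd < 0;
}
```

An application that must reuse an existing working directory can call `workdir_is_private()` at startup and refuse to run if it returns 0.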
