CVE-2005-1396

A local user can exploit this vulnerability by creating a symbolic link to the ce_edit_log temporary file before the Ce/Ceterm program creates it. The exploit code then manipulates the DISPLAY environment variable to prevent the program from dropping privileges, causing it to write to the symbolic link instead of the intended temporary file. This allows the attacker to overwrite arbitrary files, such as /etc/ld.so.preload, with malicious content [ref_id=1].

The vulnerability lies within the Ce/Ceterm program, specifically in how it handles the creation and writing to the `/tmp/ce_edit_log` temporary file. The exploit code targets the `system("/usr/bin/ce");` call and the `symlink(PRELOAD,"/tmp/ce_edit_log");` function, indicating these are the critical points of failure [ref_id=1].

The advisory does not specify a patch or provide details on how the vulnerability is fixed. However, it is generally recommended to update to a non-vulnerable version of the software. The exploit code demonstrates that the vulnerability is related to the program's handling of temporary files and privilege dropping mechanisms [ref_id=1].

The provided reference write-up includes code that demonstrates the exploit, including steps to create a malicious shared object and overwrite `/etc/ld.so.preload` [ref_id=1].