Mac OS X before 10.3 with core files enabled allows local users to overwrite arbitrary files and read core files via a symlink attack on core files that are created with predictable names in the /cores directory.