Bugtraq mailing list archives
Vunerable shell scripts
From: lcamtuf () BOSS STASZIC WAW PL (Michal Zalewski)
Date: Sat, 14 Mar 1998 17:57:33 +0100
I made a list of /usr/bin scripts which allows /tmp races. Following ones creates /tmp/something.$$, then, with no permission/ownership checking, /tmp/something.$$.x (x may vary ;), or even performs suitable checks, but gives enough time to alter /tmp contents: glibcbug, bashbug, znew, mailstat, autoupdate, x11perfcomp, gccmakedep, pnmindex, xcopy, autoheader, cvsbug, rcs2log, updatedb, igawk, zdiff, zcmp, findaffix, munchlist, report-kaffe-bug, mailshar, MakeTeXPK, makeindex, texhash, ircbug [...] This list has been made on RedHat 5.0 Linux distribution. It includes only /bin/sh scripts and it isn't complete, but maybe it will show the range of /tmp races problem. Simple TMPFILE=/tmp/myproggy.$$ trap "rm -f $TMPFILE;exit 1" 1 2 ... [...] do_something >$TMPFILE is not sufficient and may be extremally harmful!!! You should at least use mktemp to create temporary files, or|and prevent from creating anything in /tmp directly. _______________________________________________________________________ Michal Zalewski [tel 9690] | finger 4 PGP [lcamtuf () boss staszic waw pl] Iterowac jest rzecza ludzka, wykonywac rekursywnie - boska [P. Deustch] =--------------- [ echo "\$0&\$0">_;chmod +x _;./_ ] -----------------=
Current thread:
- Re: Possible Bug in CDE on HP-UX, (continued)
- Re: Possible Bug in CDE on HP-UX Jeremy Brinkley (Mar 10)
- Re: the purpose of dynamic memory allocation David LeBlanc (Mar 10)
- Re: the purpose of dynamic memory allocation Jeffrey Hutzelman (Mar 10)
- Re: the purpose of dynamic memory allocation Alan Cox (Mar 11)
- DoS (and possibly more) on MDaemon for NT/95 Alvaro Martinez Echevarria (Mar 10)
- MDaemon SMTP Server Buffer Overflow's Aleph One (Mar 10)
- Security problem in Slackware. Suman_Saraf (Mar 11)
- Re: Security problem in Slackware. Peter van Dijk (Mar 13)
- /tmp event logger Michal Zalewski (Mar 14)
- Re: /tmp event logger Theo de Raadt (Mar 15)
- Vunerable shell scripts Michal Zalewski (Mar 14)
- More broadcast fun T. Freak (Mar 14)
- Midnight Commander /tmp race Michal Zalewski (Mar 15)
- Re: Midnight Commander /tmp race Pavel Kankovsky (Mar 17)
- Re: Midnight Commander /tmp race willy () SNOWYOWL CSU AC RU (Mar 17)
- Re: Midnight Commander /tmp race Pavel Kankovsky (Mar 18)
- Solaris printd security vulnerability Aleph One (Mar 11)
- Sun Security Bulletin #00165 Aleph One (Mar 11)
- Fwd: Sun Security Bulletin #00166 Tony Hagale (Mar 11)
- SLMail 2.6 DoS Steven (Mar 11)
- SLMail 2.6 DoS - Imail also Jon (Mar 11)