Bugtraq mailing list archives
/bin/sh creates insecure tmp files
From: Paul Szabo <psz () MATHS USYD EDU AU>
Date: Thu, 23 Nov 2000 13:25:28 +1100
Similarly to the recently discussed tcsh vulnerability, the Bourne shell /bin/sh also creates temporary files in an insecure way, and can be exploited to create arbitrary files or to overwrite existing ones. While this vulnerability can be exploited for a denial-of-service attack, it is not clear how to use it to gain additional privileges. I have confirmed this vulnerability in two (recent-version) commercial UNIXes. Demonstration: #!/bin/sh -x ls -l /tmp/nologin ln -s /tmp/nologin /tmp/sh$$0 cat <<EOF Only root can create /etc/nologin. Do any boot-time scripts use sh? EOF ls -l /tmp/nologin Paul Szabo - psz () maths usyd edu au http://www.maths.usyd.edu.au:8000/u/psz/ School of Mathematics and Statistics University of Sydney 2006 Australia
Current thread:
- /bin/sh creates insecure tmp files Paul Szabo (Nov 24)
- Re: /bin/sh creates insecure tmp files Kris Kennaway (Nov 25)