Bugtraq mailing list archives

Re: [ Hackerslab bug_paper ] HP-UX crontab temporary file symboliclink vulnerability

From: Casper Dik <Casper.Dik () HOLLAND SUN COM>
Date: Thu, 26 Oct 2000 12:37:53 +0200

Tested also on:

FreeBSD 3.3 = Vulnerable
FreeBSD 2.2.8 = Vulnerable
Aix 4.2 = Not Vulnerable
Linux Slackware 7.0 = Not Vulnerable
Linux Slackware 4.0 = Not Vulnerable


Solaris: not vulnerable (probably since 2.4).

6210:   seteuid(10000)                                  = 0
6210:   open64("/tmp/crontabWCaqim", O_RDONLY)          = 5
6210:   seteuid(0)                                      = 0

Root owned file:

6225:   open64("/tmp/crontab9qaakm", O_RDONLY)          Err#13 EACCES
6225:   unlink("/tmp/crontab9qaakm")                    Err#1 EPERM

This was changed in may '94 in response to bug 1160749.

Not sure if there are patches for really old releases
(101572-03 for 2.3 appears to cover this)

Casper

Current thread:

[ Hackerslab bug_paper ] HP-UX crontab temporary file symbolic link vulnerability Kyong-won Cho (Oct 24)
- Re: [ Hackerslab bug_paper ] HP-UX crontab temporary file symboliclink vulnerability Sergey Nenashev (Oct 25)
  - Re: [ Hackerslab bug_paper ] HP-UX crontab temporary file symboliclink vulnerability Fabio Pietrosanti (naif) (Oct 26)
    - Re: [ Hackerslab bug_paper ] HP-UX crontab temporary file symboliclink vulnerability Kris Kennaway (Oct 27)
    - Re: [ Hackerslab bug_paper ] HP-UX crontab temporary file symboliclink vulnerability Fabio Pietrosanti (naif) (Oct 27)
    - Re: [ Hackerslab bug_paper ] HP-UX crontab temporary file symboliclink vulnerability Casper Dik (Oct 27)
    - Re: [ Hackerslab bug_paper ] HP-UX crontab temporary file symboliclink vulnerability Bill Sommerfeld (Oct 27)
  - Re: [ Hackerslab bug_paper ] HP-UX crontab temporary file symboliclink vulnerability Andrey Alekseyev (Oct 26)
  - Re: [ Hackerslab bug_paper ] HP-UX crontab temporary file symboliclink vulnerability Robert Watson (Oct 27)