HP-UX crontab /tmp File Vulnerability
BID:1845
Info
HP-UX crontab /tmp File Vulnerability
| Bugtraq ID: | 1845 |
| Class: | Race Condition Error |
| CVE: | |
| Remote: | No |
| Local: | Yes |
| Published: | Oct 20 2000 12:00AM |
| Updated: | Oct 20 2000 12:00AM |
| Credit: | This vulnerability was first publicly posted by Kyong-won Cho <[email protected]> on October 20, 2000. |
| Vulnerable: |
HP HP-UX 11.0 HP HP-UX 10.20 Digital (Compaq) TRU64/DIGITAL UNIX 4.0 d |
| Not Vulnerable: |
Sun Solaris 2.5.1 Sun Solaris 8_sparc Sun Solaris 7.0 Sun Solaris 2.6 Slackware Linux 7.0 Slackware Linux 4.0 NetBSD NetBSD 1.4.2 NetBSD NetBSD 1.4.1 NetBSD NetBSD 1.4 IBM AIX 4.2 Digital (Compaq) TRU64/DIGITAL UNIX 4.0 g Digital (Compaq) TRU64/DIGITAL UNIX 4.0 f |
Discussion
HP-UX crontab /tmp File Vulnerability
crontab is a binary in the cron package of the HP-UX cron implementation which allows a user to create a file of scheduled commands. A vulnerabiltiy in crontab exists that allows a user to read any file on an HP-UX system. crontab as implemented with HP-UX is a access controlled binary. Users are permitted to run crontab only if they have an access entry in the crontab.allow file.
To create a crontab, a user must execute the command "crontab -e." Executing this command launches the vi editor, creates a file in the /tmp directory with the ownership delegated to the user running the command. While the file exists in /tmp, the owner of the file may spawn a shell from vi and create a symbolic link to any file on the system. After exiting the spawned shell, then quitting vi, an error message will return the contents of the previously symbolically linked file to the standard output of the user.
crontab is a binary in the cron package of the HP-UX cron implementation which allows a user to create a file of scheduled commands. A vulnerabiltiy in crontab exists that allows a user to read any file on an HP-UX system. crontab as implemented with HP-UX is a access controlled binary. Users are permitted to run crontab only if they have an access entry in the crontab.allow file.
To create a crontab, a user must execute the command "crontab -e." Executing this command launches the vi editor, creates a file in the /tmp directory with the ownership delegated to the user running the command. While the file exists in /tmp, the owner of the file may spawn a shell from vi and create a symbolic link to any file on the system. After exiting the spawned shell, then quitting vi, an error message will return the contents of the previously symbolically linked file to the standard output of the user.
Exploit / POC
HP-UX crontab /tmp File Vulnerability
See discussion also.
See discussion also.
Solution / Fix
HP-UX crontab /tmp File Vulnerability
Solution:
Currently the SecurityFocus staff are not ware of any vendor supplied patches for this issue. If you feel we are in error or are aware of more recent information, please mail us at: [email protected].
Solution:
Currently the SecurityFocus staff are not ware of any vendor supplied patches for this issue. If you feel we are in error or are aware of more recent information, please mail us at: [email protected].
References
HP-UX crontab /tmp File Vulnerability
References:
References: