FreeBSD crontab /tmp File Vulnerability
BID:1849
Info
| Bugtraq ID: | 1849 |
| Class: | Access Validation Error |
| CVE: | |
| Remote: | Unknown |
| Local: | Yes |
| Published: | Oct 20 2000 12:00AM |
| Updated: | Oct 20 2000 12:00AM |
| Credit: | This vulnerability was discovered and first published by Sergey Nenashev <[email protected]> October 24, 2000. |
| Vulnerable: | FreeBSD FreeBSD 4.1, FreeBSD FreeBSD 4.0, FreeBSD FreeBSD 3.3, FreeBSD FreeBSD 2.2.8 |
| Not Vulnerable: | Sun Solaris 2.5.1, Sun Solaris 8_sparc, Sun Solaris 7.0, Sun Solaris 2.6, Slackware Linux 7.0, Slackware Linux 4.0, NetBSD NetBSD 1.4.2, NetBSD NetBSD 1.4.1, NetBSD NetBSD 1.4, IBM AIX 4.2 |
Discussion
crontab is part of the cron command scheduling package included with FreeBSD. A vulnerability exists in this package that allows users to read certain system files.
When crontab is executed with the -e argument, it calls the vi editor for text file entry and creates a file in the /tmp directory owned by the user executing crontab. While in vi, a malicious user may escape to a shell and create a symbolic link to any system file. Upon exiting the shell and quitting the vi editor, cron reads the contents of the symbolically linked file. If that file either begins with a pound (#) sign or is completely commented out and is formatted in a scheme similar to that of a crontab, cron will return its content to the standard output of the user.
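The weakness described above is that the /tmp file is re-read by path after the editor exits. The following C code is an added example, not FreeBSD's crontab code or a vendor fix: a hypothetical helper, reopen_checked(), refuses the file if it has become a symbolic link or is no longer the same regular file that existed before editing. The function names, the temp-file template and the /dev/null stand-in target are assumptions made for the demonstration.

```c
/* Added example (hypothetical hardening, not FreeBSD's crontab code). */
#define _POSIX_C_SOURCE 200809L
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/stat.h>
#include <unistd.h>

/* Re-open the edited temp file without following a symlink and accept it
 * only if it is still the regular file (same device and inode, one link)
 * that existed before the editor ran. Returns an fd, or -1 if swapped. */
int reopen_checked(const char *path, const struct stat *before)
{
    struct stat now;
    int fd = open(path, O_RDONLY | O_NOFOLLOW);    /* fails on a symlink */
    if (fd < 0)
        return -1;
    if (fstat(fd, &now) < 0 || !S_ISREG(now.st_mode) || now.st_nlink != 1 ||
        now.st_dev != before->st_dev || now.st_ino != before->st_ino) {
        close(fd);
        return -1;
    }
    return fd;
}

/* Constructed scenario: create a temp file, replace it with a symlink as in
 * the advisory, and return 1 if the original is accepted and the swap refused. */
int demo_swap_is_refused(void)
{
    char path[] = "/tmp/crontab.XXXXXX";           /* constructed template */
    struct stat before;
    int accepted, refused, fd = mkstemp(path);
    if (fd < 0 || fstat(fd, &before) < 0)
        return 0;
    close(fd);
    fd = reopen_checked(path, &before);            /* untouched file */
    accepted = (fd >= 0);
    if (fd >= 0) close(fd);
    unlink(path);
    if (symlink("/dev/null", path) < 0)            /* harmless stand-in target */
        return 0;
    fd = reopen_checked(path, &before);            /* swapped: must fail */
    refused = (fd < 0);
    if (fd >= 0) close(fd);
    unlink(path);
    return accepted && refused;
}

int main(void) { printf("swap refused: %d\n", demo_swap_is_refused()); return 0; }
```

The inode comparison assumes the editor rewrites the file in place; an editor that saves by rename would need the check relaxed to file type and ownership.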
Exploit / POC
Currently the SecurityFocus staff are not aware of any exploits for this issue. If you feel we are in error or are aware of more recent information, please mail us at: [email protected]
Solution / Fix
Solution:
Currently the SecurityFocus staff are not aware of any vendor-supplied patches for this issue. If you feel we are in error or are aware of more recent information, please mail us at: [email protected].