From proff  Fri Aug 30 04:27:25 1996
Received: (proff@localhost) by suburbia.net (8.7.4/Proff-950810) id EAA11490 for best-of-security; Fri, 30 Aug 1996 04:27:25 +1000
Received: from brimstone.netspace.org ([128.148.157.143]) by suburbia.net (8.7.4/Proff-950810) with ESMTP id DAA08753 for <proff@SUBURBIA.NET>; Fri, 30 Aug 1996 03:17:45 +1000
Received: from netspace.org ([128.148.157.6]) by brimstone.netspace.org with ESMTP id <24095-20201> convert rfc822-to-8bit; Thu, 29 Aug 1996 13:14:58 -0500
Received: from netspace.org (netspace [128.148.157.6]) by netspace.org (8.7/8.6.12) with SMTP id NAA02366; Thu, 29 Aug 1996 13:15:03 -0400
Received: from NETSPACE.ORG by NETSPACE.ORG (LISTSERV-TCP/IP release 1.8b) with
          spool id 322220 for BUGTRAQ@NETSPACE.ORG; Thu, 29 Aug 1996 13:04:34
          -0400
Received: from netspace.org (netspace [128.148.157.6]) by netspace.org
          (8.7/8.6.12) with SMTP id NAA01050 for <BUGTRAQ@NETSPACE.ORG>; Thu,
          29 Aug 1996 13:02:15 -0400
Approved-By: ALEPH1@UNDERGROUND.ORG
Received: from aapo.japo.fi (aapo.japo.fi [194.136.70.70]) by netspace.org
          (8.7/8.6.12) with ESMTP id LAA26026 for <bugtraq@netspace.org>; Thu,
          29 Aug 1996 11:41:21 -0400
Received: from localhost (kube@localhost) by aapo.japo.fi (8.7.5/8.7.3) with
          SMTP id SAA06146 for <bugtraq@netspace.org>; Thu, 29 Aug 1996
          18:41:13 +0300 (EET DST)
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=ISO-8859-1
Content-Transfer-Encoding: 8BIT
Approved-By:  Hannu Laurila <Hannu.Laurila@JAPO.FI>
Message-ID: <Pine.UW2.3.95.960829184052.5716B-100000@aapo.japo.fi>
Date: 	Thu, 29 Aug 1996 18:41:12 +0300
Reply-To: Hannu Laurila <Hannu.Laurila@japo.fi>
Sender: proff
From: Hannu Laurila <Hannu.Laurila@japo.fi>
Subject:      HOLE: Unixware 2.03: crontab -e
To: Multiple recipients of list BUGTRAQ <BUGTRAQ@netspace.org>

Novell UnixWare 2.03 (UNIX System V Release 4.2 MP):

There seems to be a little security problem with Unixware's
crontab command. I haven't been able to check if this applies to other
versions than 2.03.

The 'crontab -e' command creates a temporary file in /tmp to pass the crontab
file for editing with a text editor. The name of the file is easily
guessable and it seems to be based on the process ID (e.g. /tmp/crontaba00421).

'crontab -e' doesn't check if the file already exists in /tmp and will
gladly follow any symbolic links there might be waiting.

A malicious user can create a bunch of symbolic links in /tmp with a
little C program, if he knows that someone is going to edit his/her
crontab file. The code might be something like this:

#include <stdio.h>
#include <unistd.h>

/* hex digits used in the guessed, PID-based temporary file names */
char *foo="0123456789ABCDEF";

int main ( void )
{
  char *ps1, *ps2, s[32];

  for (ps1=foo;*ps1;ps1++)
    for (ps2=foo;*ps2;ps2++) {
      sprintf(s,"/tmp/crontaba002%c%c",*ps1,*ps2);
      symlink("/home/joe/.rhosts",s);
    }
  return 0;
}

Now when joe edits his crontab file, it will be saved as .rhosts in his
home directory. This is dangerous, because crontab files often include
nice characters like '*' which act as a wildcard in .rhosts.

The user doesn't have to be joe. A malicious user might build a watchdog
which replaces the symbolic link with a new one (e.g. /home/sam/.rhosts) while
the user is editing his crontab file (a watchdog which looks for processes
like 'crontab -e' and 'pico /tmp/crontab*').

By replacing the symbolic link while the user is editing the crontab file, a
malicious user might also be able to overwrite any file owned by the user.

I haven't checked, but I think that there is also a possible race condition
when the user exits his editor (and saves the file) and before
crontab reads the saved file. If the symbolic link can be replaced with a
new one in that period of time, a malicious user might be able to add entries
to the user's crontab file.

I haven't checked if this applies to root also.

---
Hannu Laurila - kube@japo.fi  *  Kauppakatu 10, FIN-62900 ALAJÄRVI
Alajärven Puhelinosuuskunta   *  Tel +358 66 557 2209 - Fax +358 66 557 2788
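As an added defensive example (not code from the post, and not UnixWare's crontab), here are the two fixes this report implies, written in C: create the editing scratch file with an unpredictable name and exclusive creation so a planted link is never followed, and verify when re-opening the file after the editor exits that the path still names the very file that was created. The function names create_scratch, reopen_checked and demo_swap_detected are the example's own, and the scenario works on constructed temp files under /tmp.

```c
#define _POSIX_C_SOURCE 200809L      /* for mkstemp and O_NOFOLLOW */
#include <fcntl.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

/* mkstemp picks an unpredictable name and opens with O_CREAT|O_EXCL, so a
 * pre-planted symlink makes creation fail; dev/inode kept for the re-open. */
int create_scratch(char *path, size_t pathlen, struct stat *created)
{
    int fd;
    if (pathlen < sizeof "/tmp/crontabXXXXXX") return -1;
    strcpy(path, "/tmp/crontabXXXXXX");
    if ((fd = mkstemp(path)) < 0) return -1;
    if (fstat(fd, created) < 0) { close(fd); unlink(path); return -1; }
    return fd;
}

/* Re-open after the editor exits: refuse symlinks (O_NOFOLLOW) and anything
 * other than the exact regular file created above (the save/read-back window). */
int reopen_checked(const char *path, const struct stat *created)
{
    struct stat now;
    int fd = open(path, O_RDONLY | O_NOFOLLOW);
    if (fd < 0) return -1;
    if (fstat(fd, &now) < 0 || !S_ISREG(now.st_mode) || now.st_nlink != 1 ||
        now.st_dev != created->st_dev || now.st_ino != created->st_ino) {
        close(fd);
        return -1;
    }
    return fd;
}

/* Scenario: create the scratch file, then swap the path for a symlink to a
 * second constructed temp file. Returns 1 if the swap is detected. */
int demo_swap_detected(void)
{
    char path[64], victim[64] = "/tmp/victimXXXXXX";
    struct stat created;
    int vfd, before, after, fd = create_scratch(path, sizeof path, &created);
    if (fd < 0) return 0;
    if ((vfd = mkstemp(victim)) < 0) { close(fd); unlink(path); return 0; }
    before = reopen_checked(path, &created);          /* untouched: accepted */
    unlink(path); (void)symlink(victim, path);        /* the swap */
    after = reopen_checked(path, &created);           /* must be rejected */
    if (before >= 0) close(before);
    close(fd); close(vfd); unlink(path); unlink(victim);
    return before >= 0 && after < 0;
}
```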

