[25661] in bugtraq
SRT Security Advisory (SRT2002-06-04-1711): SCO crontab
daemon@ATHENA.MIT.EDU (zillion)
Tue Jun 4 18:51:18 2002
Date: Tue, 4 Jun 2002 17:32:08 -0400 (EDT)
From: zillion <zillion@snosoft.com>
To: <bugtraq@securityfocus.com>
Cc: <vuln-dev@securityfocus.com>
Message-ID: <20020604172837.K72314-100000@mail.snosoft.com>
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
======================================================================
Strategic Reconnaissance Team Security Advisory (SRT2002-06-04-1611)
Topic : SCO OpenServer crontab format string vulnerability
Date : June 04, 2002
Credit : KF dotslash[at]snosoft.com
Site : http://www.snosoft.com
======================================================================
.: Description:
---------------
The SCO OpenServer crontab application is installed setgid cron and
can be used to schedule execution of programs and scripts.
This implementation of crontab contains a format string vulnerability
which can be used to execute code in order to elevate privileges:
$ crontab %x%x%x%x
crontab: cannot open file 8047f08804a5578047cd48047cd4
Due to the nature of crontab it is very likely that ones 'cron' group
privileges have been obtained it is possible to get higher privileges
.: Impact:
----------
Local users can elevate their privileges trough this vulnerability.
.: Systems Affected:
--------------------
SCO/Caldera OpenServer 5.0.6
.: Solution:
------------
The vendor was notified and is diligently working on a fix. Until such
a fix has been made available disable crontab or deny access from
untrusted sources to the affected systems.
======================================================================
