[3311] in bugtraq
HOLE: Unixware 2.03: crontab -e
daemon@ATHENA.MIT.EDU (Hannu Laurila)
Thu Aug 29 13:14:37 1996
Date: Thu, 29 Aug 1996 18:41:12 +0300
Reply-To: Hannu Laurila <Hannu.Laurila@japo.fi>
From: Hannu Laurila <Hannu.Laurila@japo.fi>
To: Multiple recipients of list BUGTRAQ <BUGTRAQ@NETSPACE.ORG>
Novell UnixWare 2.03 (UNIX System V Release 4.2 MP):
There seems to be a little security problem with Unixware's
crontab-command. I haven't been able to check if this applies to other
versions than 2.03.
'crontab -e' command creates a temporary file in /tmp to pass the crontab
file for editing with a text editor. The name of the file is easily
guessable and it seems to be based on process ID (e.g. /tmp/crontaba00421).
'crontab -e' doesn't check if the file already exists in /tmp and will
gladly follow any symbolic links there might be waiting.
A malicious user can create a bunch of symbolic links in /tmp with a
little C program, if he knows that someone is going to edit his/her
crontab file. The code might be something like this:
#include <stdio.h>
#include <unistd.h>

/* hex digits used to enumerate the last two characters of the name */
char *foo = "0123456789ABCDEF";

int main(void)
{
    char *ps1, *ps2, s[32];

    /* plant /tmp/crontaba00200 .. /tmp/crontaba002FF, each pointing at
       the victim's .rhosts, so whichever name crontab -e picks is a link */
    for (ps1 = foo; *ps1; ps1++)
        for (ps2 = foo; *ps2; ps2++) {
            sprintf(s, "/tmp/crontaba002%c%c", *ps1, *ps2);
            symlink("/home/joe/.rhosts", s);
        }
    return 0;
}
Now when joe edits his crontab file, it will be saved as .rhosts in his
home directory. This is dangerous, because crontab files often include
nice characters like '*' which act as a wildcard in .rhosts.
The user doesn't have to be joe. A malicious user might build a watchdog
which replaces the symbolic link with a new one (e.g. /home/sam/.rhosts) while
the user is editing his crontab file (a watchdog which looks for processes
like 'crontab -e' and 'pico /tmp/crontab*').
By replacing the symbolic link while user is editing the crontab file, a
malicious user might also be able to overwrite any file owned by the user.
I haven't checked, but I think that there is also a little race condition
possibility when the user exits his editor (and saves the file) and before
crontab reads the saved file. If the symbolic link can be replaced with a
new one in that period of time, a malicious user might be able to add entries
to the user's crontab file.
I haven't checked if this applies to root also.
---
Hannu Laurila - kube@japo.fi * Kauppakatu 10, FIN-62900 ALAJÄRVI
Alajärven Puhelinosuuskunta * Tel +358 66 557 2209 - Fax +358 66 557 2788
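The defensive counterpart of the bug described in the post, added here as an example and not part of the original message or of UnixWare's crontab: open_fresh() adds the missing existence check (O_CREAT|O_EXCL, so a pre-planted symlink makes open() fail instead of being followed), open_unguessable() replaces the PID-based name with mkstemp(), and demo_planted_link_rejected() stages the post's scenario in a private scratch directory to show the link is refused and its target never created. Function names, the scratch directory under /tmp and the Linux/POSIX open() flags are my assumptions.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/stat.h>
#include <unistd.h>

/* The check the post says crontab -e lacks: O_CREAT|O_EXCL makes open() fail
 * with EEXIST if anything, including a planted symlink, already has this name,
 * so the link is never followed. */
int open_fresh(const char *path)
{
    return open(path, O_WRONLY | O_CREAT | O_EXCL | O_NOFOLLOW, 0600);
}

/* Better still: let mkstemp() choose an unguessable name and open it with
 * O_CREAT|O_EXCL in one step, then confirm it is a plain regular file. */
int open_unguessable(const char *dir, char *path, size_t pathlen)
{
    struct stat st;
    int fd;
    if (snprintf(path, pathlen, "%s/crontabXXXXXX", dir) >= (int)pathlen) return -1;
    if ((fd = mkstemp(path)) < 0) return -1;
    if (fstat(fd, &st) != 0 || !S_ISREG(st.st_mode) || st.st_nlink != 1) {
        close(fd); unlink(path); return -1;
    }
    return fd;
}

/* Demo: plant a symlink at a guessable name (the scenario in the post) inside
 * a private scratch directory, then show open_fresh() refuses it and the link
 * target is never created. Returns 1 on the expected outcome. */
int demo_planted_link_rejected(void)
{
    char dir[] = "/tmp/cronfixXXXXXX", link[64], target[64], fresh[64];
    int fd, ok;
    if (mkdtemp(dir) == NULL) return 0;
    snprintf(link, sizeof link, "%s/crontaba00421", dir);     /* guessable name */
    snprintf(target, sizeof target, "%s/victim_rhosts", dir); /* constructed */
    if (symlink(target, link) != 0) return 0;
    fd = open_fresh(link);                          /* must fail, not follow */
    ok = fd < 0 && errno == EEXIST && access(target, F_OK) != 0;
    if (fd >= 0) close(fd);
    fd = open_unguessable(dir, fresh, sizeof fresh); /* must succeed */
    ok = ok && fd >= 0;
    if (fd >= 0) { close(fd); unlink(fresh); }
    unlink(link); rmdir(dir);
    return ok;
}
```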