[17359] in bugtraq
Re: [ Hackerslab bug_paper ] HP-UX crontab temporary file
daemon@ATHENA.MIT.EDU (Casper Dik)
Thu Oct 26 13:54:04 2000
Message-Id: <200010261037.MAA26408@romulus.Holland.Sun.COM>
Date: Thu, 26 Oct 2000 12:37:53 +0200
Reply-To: Casper Dik <Casper.Dik@HOLLAND.SUN.COM>
From: Casper Dik <Casper.Dik@HOLLAND.SUN.COM>
X-To: naif@inet.it
To: BUGTRAQ@SECURITYFOCUS.COM
In-Reply-To: Your message of "Wed, 25 Oct 2000 12:30:47 +0200."
<Pine.LNX.4.21.0010251221420.7175-100000@naif.inet.it>
>Tested also on:
>
>FreeBSD 3.3 = Vulnerable
>FreeBSD 2.2.8 = Vulnerable
>Aix 4.2 = Not Vulnerable
>Linux Slackware 7.0 = Not Vulnerable
>Linux Slackware 4.0 = Not Vulnerable
Solaris: not vulnerable (probably since 2.4).
6210: seteuid(10000) = 0
6210: open64("/tmp/crontabWCaqim", O_RDONLY) = 5
6210: seteuid(0) = 0
Root owned file:
6225: open64("/tmp/crontab9qaakm", O_RDONLY) Err#13 EACCES
6225: unlink("/tmp/crontab9qaakm") Err#1 EPERM
This was changed in may '94 in response to bug 1160749.
Not sure if there are patches for really old releases
(101572-03 for 2.3 appears to cover this)
Casper
