
List:       bugtraq
Subject:    HOLE: Unixware 2.03: crontab -e
From:       Hannu Laurila <Hannu.Laurila () japo ! fi>
Date:       1996-08-29 18:41:12

Novell UnixWare 2.03 (UNIX System V Release 4.2 MP):

There seems to be a little security problem with UnixWare's
crontab command. I haven't been able to check if this applies to other
versions than 2.03.

The 'crontab -e' command creates a temporary file in /tmp to pass the crontab
file to a text editor for editing. The name of the file is easily
guessable and appears to be based on the process ID (e.g. /tmp/crontaba00421).

'crontab -e' doesn't check if the file already exists in /tmp and will
gladly follow any symbolic links there might be waiting.

A malicious user can create a bunch of symbolic links in /tmp with a
little C program, if he knows that someone is going to edit his/her 
crontab file. The code might be something like this:

#include <stdio.h>
#include <unistd.h>

char *foo="0123456789ABCDEF";

int main(void)
{
  char *ps1, *ps2, s[32];

  /* one link for every possible value of the last two name characters */
  for (ps1=foo;*ps1;ps1++)
    for (ps2=foo;*ps2;ps2++) {
      sprintf(s,"/tmp/crontaba002%c%c",*ps1,*ps2);
      symlink("/home/joe/.rhosts",s);
    }
  return 0;
}

Now when joe edits his crontab file, it will be saved as .rhosts in his
home directory. This is dangerous, because crontab files often include
nice characters like '*' which act as a wildcard in .rhosts.

The user doesn't have to be joe. A malicious user might build a watchdog
which replaces the symbolic link with a new one (e.g. /home/sam/.rhosts) while
the user is editing his crontab file (a watchdog which looks for processes
like 'crontab -e' and 'pico /tmp/crontab*').

By replacing the symbolic link while the user is editing the crontab file, a
malicious user might also be able to overwrite any file owned by that user.

I haven't checked but I think that there is also a little race condition
possibility when the user exits his editor (and saves the file) and before
crontab reads the saved file. If the symbolic link can be replaced with a
new one in that period of time, a malicious user might be able to add entries
to the user's crontab file.

I haven't checked if this applies to root also.
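For comparison, here is how a program in crontab's position can avoid both
problems described above: the pre-planted symlink (open with O_EXCL, or let
mkstemp pick an unguessable name) and the swap during or after editing
(reopen with O_NOFOLLOW and compare device/inode with the file it created).
This is an added example, not code from the post or from UnixWare; it
assumes a POSIX.1-2008 system, and every path it touches is constructed
inside a fresh directory under /tmp, with "victim_rhosts" standing in for
~joe/.rhosts.

```c
/* Added example (not from the original post or from UnixWare). */
#define _XOPEN_SOURCE 700
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

/* The pattern the advisory describes: predictable name, O_CREAT without
 * O_EXCL, so an existing symlink is followed and its target created. */
int naive_open(const char *path)
{
    return open(path, O_WRONLY | O_CREAT | O_TRUNC, 0600);
}

/* Fix 1: O_EXCL makes open() fail with EEXIST when anything already sits
 * at the path, including a dangling symlink (POSIX requires this). */
int exclusive_open(const char *path)
{
    return open(path, O_WRONLY | O_CREAT | O_EXCL, 0600);
}

/* Fix 2: mkstemp picks an unpredictable name and opens it with O_EXCL in
 * one step; 'tmpl' must end in XXXXXX and is rewritten in place. */
int unpredictable_open(char *tmpl)
{
    return mkstemp(tmpl);
}

/* Fix 3 (the post-edit race): reopen without following symlinks and insist
 * on the device/inode we created earlier.  Returns the fd, or -1. */
int reopen_checked(const char *path, dev_t dev, ino_t ino)
{
    struct stat st;
    int fd = open(path, O_RDONLY | O_NOFOLLOW);
    if (fd < 0) return -1;
    if (fstat(fd, &st) != 0 || st.st_dev != dev || st.st_ino != ino) {
        close(fd);
        return -1;
    }
    return fd;
}

/* 1 if path is a regular file and not a symlink, else 0. */
int is_plain_file(const char *path)
{
    struct stat st;
    return lstat(path, &st) == 0 && S_ISREG(st.st_mode);
}

/* Runs the scenario in a private directory and returns a bitmask:
 *  1 naive open followed the planted link,  2 exclusive open refused it,
 *  4 mkstemp gave a plain file with a renamed template,
 *  8 checked reopen of the untouched file works,
 * 16 checked reopen fails once the file is swapped for a symlink.
 * On a correct system every bit is set: 31. */
int run_demo(void)
{
    char dir[] = "/tmp/crontabdemoXXXXXX";
    char link[256], target[256], tmpl[256];
    struct stat st;
    int result = 0, fd;

    if (mkdtemp(dir) == NULL) return -1;
    snprintf(link, sizeof link, "%s/crontaba00421", dir);      /* guessable name */
    snprintf(target, sizeof target, "%s/victim_rhosts", dir);  /* stand-in for ~joe/.rhosts */
    if (symlink(target, link) != 0) return -1;                 /* the planted link */

    fd = naive_open(link);                        /* hole: target gets created */
    if (fd >= 0) { close(fd); if (is_plain_file(target)) result |= 1; unlink(target); }

    fd = exclusive_open(link);                    /* O_EXCL refuses the link */
    if (fd < 0 && errno == EEXIST) result |= 2;
    else if (fd >= 0) { close(fd); unlink(target); }

    snprintf(tmpl, sizeof tmpl, "%s/crontabXXXXXX", dir);
    fd = unpredictable_open(tmpl);                /* unguessable and exclusive */
    if (fd >= 0 && fstat(fd, &st) == 0) {
        close(fd);
        if (is_plain_file(tmpl) && strstr(tmpl, "XXXXXX") == NULL) result |= 4;
        fd = reopen_checked(tmpl, st.st_dev, st.st_ino);
        if (fd >= 0) { result |= 8; close(fd); }
        unlink(tmpl);                             /* simulate the swap during editing */
        if (symlink(target, tmpl) == 0 && reopen_checked(tmpl, st.st_dev, st.st_ino) < 0)
            result |= 16;
        unlink(tmpl);
    }

    unlink(link);
    rmdir(dir);
    return result;
}

int main(void)
{
    printf("observations: %d (31 means all three fixes behaved as expected)\n", run_demo());
    return 0;
}
```

The inode comparison is what closes the window the last paragraph worries
about: even if the link is swapped between the editor exiting and crontab
reading the result, the reopened file is not the one crontab created, and
the read is refused instead of installing the attacker's entries.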

---
Hannu Laurila - kube@japo.fi  *  Kauppakatu 10, FIN-62900 ALAJÄRVI
Alajärven Puhelinosuuskunta   *  Tel +358 66 557 2209 - Fax +358 66 557 2788
