MCI Telecommunications internetMCI Security Group
Report Name: iMCI MIIGS Security Alert
Report Number: iMCISE:IMCIBOS:083196:01:P1R1
Report Date: 08/31/96
Report Format: Formal Report
Classification: MCI Informational Report
Reference: http://www.security.mci.net
Report Distribution: iMCI Security, MCI Internal Internet Gateway Security (MIIGS), MCI Emergency Alert LiSt (MEALS) (names on file)
-------------------------------------------------------------------------------
From: Hannu Laurila

Novell UnixWare 2.03 (UNIX System V Release 4.2 MP):

There seems to be a little security problem with UnixWare's crontab command. I haven't been able to check if this applies to other versions than 2.03.

'crontab -e' creates a temporary file in /tmp to pass the crontab file for editing with a text editor. The name of the file is easily guessable and it seems to be based on the process ID (e.g. /tmp/crontaba00421). 'crontab -e' doesn't check if the file already exists in /tmp and will gladly follow any symbolic links there might be waiting.

A malicious user can create a bunch of symbolic links in /tmp with a little C program, if he knows that someone is going to edit his/her crontab file. The code might be something like this:

    #include <stdio.h>    /* sprintf */
    #include <unistd.h>   /* symlink */

    char *foo = "0123456789ABCDEF";

    int main(void)
    {
        char *ps1, *ps2, s[32];

        /* Cover every two-character suffix of the guessable name */
        for (ps1 = foo; *ps1; ps1++)
            for (ps2 = foo; *ps2; ps2++) {
                sprintf(s, "/tmp/crontaba002%c%c", *ps1, *ps2);
                symlink("/home/joe/.rhosts", s);
            }
        return 0;
    }

Now when joe edits his crontab file, it will be saved as .rhosts in his home directory. This is dangerous, because crontab files often include nice characters like '*' which act as a wildcard in .rhosts.

The user doesn't have to be joe. A malicious user might build a watchdog which replaces the symbolic link with a new one (e.g. /home/sam/.rhosts) while the user is editing his crontab file (a watchdog which looks for processes like 'crontab -e' and 'pico /tmp/crontab*'). By replacing the symbolic link while the user is editing the crontab file, a malicious user might also be able to overwrite any file owned by the user.

I haven't checked, but I think that there is also a little race condition possibility when the user exits his editor (and saves the file) and before crontab reads the saved file. If the symbolic link can be replaced with a new one in that period of time, a malicious user might be able to add entries to the user's crontab file.

I haven't checked if this applies to root also.
===============================================================
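The fix the report implies, as an added example (not UnixWare's code and not part of the original alert): the temporary file is created with mkstemp() instead of a PID-derived name, and a second function shows that an O_CREAT|O_EXCL open refuses a pre-planted symlink instead of writing through it. The paths /tmp/crontabXXXXXX, /tmp/crontaba00421 and /tmp/example_rhosts are assumed for illustration only.

```c
#define _POSIX_C_SOURCE 200809L   /* mkstemp(), symlink() prototypes */
#include <errno.h>
#include <fcntl.h>
#include <stdlib.h>
#include <sys/stat.h>
#include <unistd.h>

/* Hardened replacement for a PID-derived /tmp name (added example, not
 * UnixWare's code). mkstemp() picks an unpredictable suffix and opens with
 * O_CREAT|O_EXCL, mode 0600, so there is no name to plant ahead of time and
 * no existing link is followed. 'tmpl' must end in "XXXXXX". Returns fd or -1. */
int open_private_tempfile(char *tmpl)
{
    struct stat st;
    int fd = mkstemp(tmpl);
    if (fd < 0)
        return -1;
    /* Confirm we hold our own fresh regular file with mode 0600. */
    if (fstat(fd, &st) != 0 || !S_ISREG(st.st_mode) || st.st_uid != getuid()
        || (st.st_mode & 07777) != 0600) {
        close(fd);
        unlink(tmpl);
        return -1;
    }
    return fd;
}

/* Checks the report's scenario against a hardened open. A symlink is
 * planted at a fixed, guessable name (as at /tmp/crontaba00421), then that
 * name is opened with O_CREAT|O_EXCL. POSIX requires such an open to fail
 * with EEXIST when the path is a symlink, wherever it points, so nothing is
 * written through the link. Returns 1 if the open was refused and the
 * link target was never created, 0 otherwise. */
int planted_symlink_is_refused(const char *link_path, const char *target_path)
{
    int fd, refused, target_absent;
    unlink(link_path);
    unlink(target_path);
    if (symlink(target_path, link_path) != 0)
        return 0;
    fd = open(link_path, O_WRONLY | O_CREAT | O_EXCL, 0600);
    refused = (fd < 0 && (errno == EEXIST || errno == ELOOP));
    if (fd >= 0)
        close(fd);
    target_absent = (access(target_path, F_OK) != 0);
    unlink(link_path);
    unlink(target_path);   /* clean up if a non-conforming system wrote through */
    return refused && target_absent;
}
```

The same O_EXCL behaviour is what closes the editor-exit race the report mentions only if crontab re-creates the file itself rather than re-opening a name an attacker could have swapped underneath.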