Home page logo

bugtraq logo Bugtraq mailing list archives

SRT Security Advisory (SRT2002-06-04-1711): SCO crontab
From: zillion <zillion () snosoft com>
Date: Tue, 4 Jun 2002 17:32:08 -0400 (EDT)


Strategic Reconnaissance Team Security Advisory (SRT2002-06-04-1611)

Topic  : SCO OpenServer crontab format string vulnerability
Date   : June 04, 2002
Credit : KF dotslash[at]snosoft.com
Site   : http://www.snosoft.com


.: Description:

 The SCO OpenServer crontab application is installed setgid cron and
 can be used to schedule execution of programs and scripts.

 This implementation of crontab contains a format string vulnerability
 which can be used to execute code in order to elevate privileges:

 $ crontab %x%x%x%x
 crontab: cannot open file 8047f08804a5578047cd48047cd4

 Due to the nature of crontab it is very likely that ones 'cron' group
 privileges have been obtained it is possible to get higher privileges

.: Impact:

 Local users can elevate their privileges trough this vulnerability.

.: Systems Affected:

 SCO/Caldera OpenServer 5.0.6

.: Solution:

 The vendor was notified and is diligently working on a fix. Until such
 a fix has been made available disable crontab or deny access from
 untrusted sources to the affected systems.


  By Date           By Thread  

Current thread:
  • SRT Security Advisory (SRT2002-06-04-1711): SCO crontab zillion (Jun 04)
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]