[ advisories | exploits | discussions | news | conventions | security tools | texts & papers ]
 main menu
- feedback
- advertising
- privacy
- FightAIDS
- newsletter
- news
- read forum
- new topic
- search

- meetings list
- recent additions
- add your info
 top 100 sites
- visit top sites
- sign up now
- members

- add your url
- add domain
- search box
- link to us

- our projects
- free email
 m4d network
- security software
- secureroot
- m4d.com
Home : Advisories : Insecure call of external programs in Red Hat Linux tmpwatch

Title: Insecure call of external programs in Red Hat Linux tmpwatch
Released by: ISS
Date: 6th October 2000
Printable version: Click here

Internet Security Systems Security Advisory

October 6, 2000

Insecure call of external programs in Red Hat Linux tmpwatch


The tmpwatch utility is used in Red Hat Linux to remove temporary files. This

utility has an option to call the "fuser" program, which verifies if a file is

currently opened by a process. The fuser program is invoked within tmpwatch by

calling the system() library subroutine. Insecure handling of the arguments to

this subroutine could potentially allow an attacker to execute arbitrary



This vulnerability may allow local attackers to compromise superuser access if

tmpwatch is used by the administrator in a non-default manner.

Affected Versions:

Red Hat Linux 7.0 (tmpwatch v2.5.1)

Red Hat Linux 6.2 (tmpwatch v2.2)

Use the 'rpm -q tmpwatch' command to verify which version is installed. The

tmpwatch package as well as the package containing fuser are included in the

default base installation. By default, tmpwatch with the fuser option is not

used in any package shipped with the Red Hat distributions.


The tmpwatch tool removes files that have not been modified or accessed within

a specified amount of time. It was designed to securely remove files by

avoiding typical race condition vulnerabilities. System administrators usually

run this tool periodically to remove old temporary files in world-writeable


The tmpwatch tool uses the --fuser or -s options to avoid removing a file that

is in an open state in another process.  This option uses the system() library

subroutine to call the external program /sbin/fuser with the file name being

examined as an argument.  The system() subroutine spawns a shell to execute the

command.  An attacker may create a file name containing shell metacharacters,

which could allow them to execute arbitrary commands if tmpwatch with the

fuser option is used to remove the file.

Source code comparison between the Red Hat Linux 6.2 and 7.0 tmpwatch packages

suggests this vulnerability was recognized and a fix was attempted. However,

the fix is incorrect, and the vulnerability is still exploitable.


Do not use the --fuser or -s options with tmpwatch.

Red Hat has issued the following RPMs that contain fixes for this


Red Hat Linux 6.2:









Red Hat Linux 7.0:






MD5 sum                           Package Name

- --------------------------------------------------------------------------

b8a670944cc54fd39c9eefb79f147ec1  6.2/SRPMS/tmpwatch-2.6.2-1.6.2.src.rpm

39fe4fbf666e5f9a40503134c05046d8  6.2/alpha/tmpwatch-2.6.2-1.6.2.alpha.rpm

84609abc355fde23ce878e4d310766f8  6.2/i386/tmpwatch-2.6.2-1.6.2.i386.rpm

f4625e9bc27af011a614eaa146586917  6.2/sparc/tmpwatch-2.6.2-1.6.2.sparc.rpm

b1a9201c44a5f921209c9b648ba85ada  7.0/SRPMS/tmpwatch-2.6.2-1.7.src.rpm

8acf394469c47a98fcc589dd0d73b98c  7.0/i386/tmpwatch-2.6.2-1.7.i386.rpm

These packages are GPG signed by Red Hat, Inc. for security.  Red Hat's key

is available at:


You can verify each package with the following command:

    rpm --checksig  

If you only wish to verify that each package has not been corrupted or

tampered with, examine only the md5sum with the following command:

    rpm --checksig --nogpg 

Developer Recommendations:

If an external program needs to be called within a process, try to avoid the

system() subroutine. Use the execve() subroutine instead.  See the Secure

UNIX Programming FAQ for details:


Additional Information:

The Common Vulnerabilities and Exposures (CVE) project has assigned the Name

CAN-2000-0816 to this issue. This is a candidate for inclusion in the CVE

list http://cve.mitre.org, which standardizes names for security problems.


This vulnerability was discovered and researched by Allen Wilson and Aaron

Campbell of the ISS X-Force.

The vendor contact in regards to this vulnerability was performed with the

help of the SecurityFocus.com Vulnerability Help Team. For more

information or assistance drafting advisories please mail



About Internet Security Systems (ISS)

Internet Security Systems (ISS) is a leading global provider of security

management solutions for the Internet. By providing industry-leading

SAFEsuite security software, remote managed security services, and

strategic consulting and education offerings, ISS is a trusted security

provider to its customers, protecting digital assets and ensuring safe

and uninterrupted e-business. ISS' security management solutions protect

more than 5,500 customers worldwide including 21 of the 25 largest U.S.

commercial banks, 10 of the largest telecommunications companies and

over 35 government agencies. Founded in 1994, ISS is headquartered in

Atlanta, GA, with additional offices throughout North America and

international operations in Asia, Australia, Europe, Latin America and

the Middle East. For more information, visit the Internet Security

Systems web site at www.iss.net or call 888-901-7477.

Copyright (c) 2000 by Internet Security Systems, Inc.

Permission is hereby granted for the redistribution of this Alert

electronically. It is not to be edited in any way without express

consent of the X-Force. If you wish to reprint the whole or any part of

this Alert in any other medium excluding electronic medium, please

e-mail xforce@iss.net for permission.


The information within this paper may change without notice. Use of this

information constitutes acceptance for use in an AS IS condition. There

are NO warranties with regard to this information. In no event shall the

author be liable for any damages whatsoever arising out of or in

connection with the use or spread of this information. Any use of this

information is at the user's own risk.

X-Force PGP Key available at: http://xforce.iss.net/sensitive.php as well

as on MIT's PGP key server and PGP.com's key server.

Please send suggestions, updates, and comments to: X-Force

xforce@iss.net of Internet Security Systems, Inc.


Version: 2.6.3a

Charset: noconv







(C) 1999-2000 All rights reserved.