Title: /bin/sh creates insecure tmp files
Released by: Paul Szabo
Date: 23rd November 2000
Similarly to the recently discussed tcsh vulnerability, the Bourne shell
/bin/sh also creates temporary files in an insecure way, and can be
exploited to create arbitrary files or to overwrite existing ones. While
this vulnerability can be exploited for a denial-of-service attack, it is
not clear how to use it to gain additional privileges.

I have confirmed this vulnerability in two (recent-version) commercial



#!/bin/sh -x
ls -l /tmp/nologin
ln -s /tmp/nologin /tmp/sh$$0

cat <http://www.maths.usyd.edu.au:8000/u/psz/

School of Mathematics and Statistics  University of Sydney   2006  Australia
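The fix for this class of bug, shown as an added example (not code from the advisory or from any vendor's shell): a temporary file opened at a predictable name with plain O_CREAT follows a symlink planted there, while O_CREAT|O_EXCL refuses it. The function names, the private scratch directory and the names sh12340 and nologin (stand-ins for /tmp/sh$$0 and /tmp/nologin) are constructed, and the assumption is that the affected shell opens its temporary file without O_EXCL.

```c
#define _GNU_SOURCE
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/stat.h>
#include <unistd.h>

/* Predictable-name open without O_EXCL (assumed pattern): a symlink already
 * sitting at `path` is followed and its target is created or truncated. */
int open_tmp_predictable(const char *path) {
    return open(path, O_WRONLY | O_CREAT | O_TRUNC, 0600);
}

/* Hardened open: with O_CREAT|O_EXCL, open() fails with EEXIST if anything
 * exists at `path`, even a dangling symlink. O_NOFOLLOW is a second guard. */
int open_tmp_exclusive(const char *path) {
    return open(path, O_WRONLY | O_CREAT | O_EXCL | O_NOFOLLOW, 0600);
}

/* One trial in a private scratch directory (constructed setup): plant the
 * symlink tmp -> victim, open tmp with `opener`, then report whether the
 * victim file came into existence. Returns 1/0, or -1 on setup failure. */
int victim_created(int (*opener)(const char *)) {
    char dir[] = "/tmp/shtmp-demo-XXXXXX";
    char tmp[64], victim[64];
    struct stat st;

    if (mkdtemp(dir) == NULL) return -1;
    snprintf(tmp, sizeof tmp, "%s/sh12340", dir);       /* like /tmp/sh$$0   */
    snprintf(victim, sizeof victim, "%s/nologin", dir); /* like /tmp/nologin */
    if (symlink(victim, tmp) != 0) { rmdir(dir); return -1; }

    int fd = opener(tmp);
    if (fd >= 0) close(fd);
    int created = (stat(victim, &st) == 0);

    unlink(victim);  /* clean up; failure here is harmless */
    unlink(tmp);
    rmdir(dir);
    return created;
}

int main(void) {
    printf("plain O_CREAT:  victim created = %d\n", victim_created(open_tmp_predictable));
    printf("O_CREAT|O_EXCL: victim created = %d\n", victim_created(open_tmp_exclusive));
    return 0;
}
```

mkstemp(3) combines the exclusive open with an unpredictable name, which also removes the ability to pre-plant anything at the path.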
