The scripts named in this message have standard insecure tmpfile bugs. If someone can predict when they will be run (for example, because they are in cron), then they can generally overwrite files belonging to the person running the command (who could be root).
Michal Zalewski <lcamtuf@BOSS.STASZIC.WAW.PL>
Potential for root compromise
Specifically this list is for RedHat 5 although many other Linux systems and probably some *BSD systems are vulnerable.
14 March 1998
Date: Sat, 14 Mar 1998 17:57:33 +0100
From: Michal Zalewski <lcamtuf@BOSS.STASZIC.WAW.PL>
Subject: Vulnerable shell scripts
I made a list of /usr/bin scripts which allow /tmp races. The following
ones create /tmp/something.$$, then, with no
permission/ownership checking, /tmp/something.$$.x (x may vary
;), or even perform suitable checks, but give enough time to alter /tmp
contents: glibcbug, bashbug, znew, mailstat, autoupdate, x11perfcomp,
gccmakedep, pnmindex, xcopy, autoheader, cvsbug, rcs2log, updatedb, igawk,
zdiff, zcmp, findaffix, munchlist, report-kaffe-bug, mailshar, MakeTeXPK,
makeindex, texhash, ircbug [...]
This list was made on the RedHat 5.0 Linux distribution. It includes
only /bin/sh scripts and it isn't complete, but maybe it will show the
range of the /tmp race problem. A simple

    trap "rm -f $TMPFILE;exit 1" 1 2 ...

is not sufficient and may be extremely harmful!!! You should at least use
mktemp to create temporary files, and/or avoid creating anything
in /tmp directly.
Michal Zalewski [tel 9690] | finger 4 PGP [firstname.lastname@example.org]
To iterate is human, to recurse - divine [P. Deutsch]
=--------------- [ echo "\$0&\$0">_;chmod +x _;./_ ] -----------------=
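The difference between the `/tmp/something.$$` naming the message describes and the `mktemp` approach it recommends, as an added example that is not part of the original post. The function names, the sandbox layout and the "victim" file are constructed for illustration.

```shell
#!/bin/sh
# Added example. Paths and function names are hypothetical; the "victim" file
# is constructed inside a private sandbox directory, nothing in /tmp is touched.

# Legacy pattern used by the scripts listed above: the name is predictable
# (the PID) and ">" follows whatever already exists at that path.
legacy_tmp() {                      # $1 = directory standing in for /tmp
    f="$1/something.$$"
    echo "scratch data" > "$f"
    echo "$f"
}

# Hardened pattern: mktemp -d atomically creates a mode-0700 directory with
# a random name and fails rather than reusing an existing path. Files
# created inside it cannot be pre-planted by another user.
safe_tmp() {                        # $1 = directory standing in for /tmp
    d=$(mktemp -d "$1/something.XXXXXX") || return 1
    f="$d/work"
    echo "scratch data" > "$f"
    echo "$f"
}

# Test fixture: build a sandbox where the predictable name already exists as
# a symlink to a file we care about, run one of the two functions, and report
# what the protected file contains afterwards.
run_case() {                        # $1 = legacy_tmp | safe_tmp
    box=$(mktemp -d) || return 1
    echo "important" > "$box/victim"
    mkdir "$box/tmp"
    ln -s "$box/victim" "$box/tmp/something.$$"
    "$1" "$box/tmp" > /dev/null
    cat "$box/victim"
    rm -rf "$box"
}

echo "legacy: victim now contains '$(run_case legacy_tmp)'"
echo "mktemp: victim now contains '$(run_case safe_tmp)'"
```

A script that adopts the `safe_tmp` pattern should remove the whole private directory in its exit trap, not a single predictable file name.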
This page is part of Fyodor's exploit