Insecure scripts that come with RedHat 5.0

Summary
Description:The scripts named in this message have standard insecure tmpfile bugs. If someone can predict when these will be run (like if they are in cron) then they can generally overwrite files of the person running the command (could be root).
Author:Michal Zalewski <lcamtuf@BOSS.STASZIC.WAW.PL>
Compromise:Potential for root compromise
Vulnerable Systems:Specifically this list is for RedHat 5 although many other Linux systems and probably some *BSD systems are vulnerable.
Date:14 March 1998
Details


Date: Sat, 14 Mar 1998 17:57:33 +0100
From: Michal Zalewski <lcamtuf@BOSS.STASZIC.WAW.PL>
To: BUGTRAQ@NETSPACE.ORG
Subject: Vunerable shell scripts

I made a list of /usr/bin scripts which allows /tmp races. Following
ones creates /tmp/something.$$, then, with no
permission/ownership checking, /tmp/something.$$.x (x may vary
;), or even performs suitable checks, but gives enough time to alter /tmp
contents: glibcbug, bashbug, znew, mailstat, autoupdate, x11perfcomp,
gccmakedep, pnmindex, xcopy, autoheader, cvsbug, rcs2log, updatedb, igawk,
zdiff, zcmp, findaffix, munchlist, report-kaffe-bug, mailshar, MakeTeXPK,
makeindex, texhash, ircbug [...]

This list has been made on RedHat 5.0 Linux distribution. It includes
only /bin/sh scripts and it isn't complete, but maybe it will show the
range of /tmp races problem. Simple

TMPFILE=/tmp/myproggy.$$
trap "rm -f $TMPFILE;exit 1" 1 2 ...
[...]
do_something >$TMPFILE

is not sufficient and may be extremally harmful!!! You should at least use
mktemp to create temporary files, or|and prevent from creating anything
in /tmp directly.

_______________________________________________________________________
Michal Zalewski [tel 9690] | finger 4 PGP [lcamtuf@boss.staszic.waw.pl]
Iterowac jest rzecza ludzka, wykonywac rekursywnie - boska [P. Deustch]
=--------------- [ echo "\$0&\$0">_;chmod +x _;./_ ] -----------------=

More Exploits!

The master index of all exploits is available here (Very large file)
Or you can pick your favorite operating system:
All OS's Linux Solaris/SunOS Micro$oft
*BSD Macintosh AIX IRIX
ULTRIX/Digital UNIX HP/UX SCO Remote exploits

This page is part of Fyodor's exploit world. For a free program to automate scanning your network for vulnerable hosts and services, check out my network mapping tool, nmap. Or try these Insecure.Org resources: