Visit our newest sister site!
Hundreds of free aircraft flight manuals
Civilian • Historical • Military • Declassified • FREE!

TUCoPS :: Unix :: General :: cronta-1.htm

Novell UnixWare 2.03 crontab symlink exploit



    Novell  UnixWare  2.03  (UNIX  System  V Release 4.2 MP), possibly
    other versions of UnixWare.


    'crontab -e' command creates a temporary file in /tmp to pass  the
    crontab file for editing with a text editor. The name of the  file
    is easily guessable and it seems  to be based on process ID  (e.g.

    'crontab -e' doesn't check if the file already exists in /tmp  and
    will gladly follow any symbolic links there might be waiting.

    A malicious  user can  create a  bunch of  symbolic links  in /tmp
    with a  little C  program, if  he knows  that someone  is going to
    edit his/her crontab file. The code might be something like this:

#include <stdio.h>
#include <unistd.h>

char *foo="0123456789ABCDEF";

int main ( void )
  char *ps1, *ps2, s[32];

  for (ps1=foo;*ps1;ps1++)
    for (ps2=foo;*ps2;ps2++) {

    Now when joe edit  his crontab file, it  will be saved as  .rhosts
    in his home  directory. This is  dangerous, because crontab  files
    often include nice characters like '*' which act as a wildcard  in

    The user doesn't have  to be joe. A  malicious user might build  a
    watchdog  which  replaces  the  symbolic  link  with  a  new (e.g.
    /home/sam/.rhosts)  while  user  is  editing  his  crontab file (a
    watchdog which  seeks for  processes like  'crontab -e'  and 'pico

    By replacing the symbolic link  while user is editing the  crontab
    file, a malicious  user might also  be able to  overwrite any file
    owned by the user.

TUCoPS is optimized to look best in Firefox® on a widescreen monitor (1440x900 or better).
Site design & layout copyright © 1986-2015 AOH