======================================================================
Strategic Reconnaissance Team Security Advisory (SRT2002-06-04-1611)

Topic  : SCO OpenServer crontab format string vulnerability
Date   : June 04, 2002
Credit : KF dotslash[at]snosoft.com
Site   : http://www.snosoft.com
======================================================================

.: Description:
---------------

The SCO OpenServer crontab application is installed setgid cron and can
be used to schedule execution of programs and scripts. This
implementation of crontab contains a format string vulnerability which
can be used to execute code in order to elevate privileges:

  $ crontab %x%x%x%x
  crontab: cannot open file 8047f08804a5578047cd48047cd4

Due to the nature of crontab, it is very likely that once 'cron' group
privileges have been obtained, it is possible to gain higher privileges.

.: Impact:
----------

Local users can elevate their privileges through this vulnerability.

.: Systems Affected:
--------------------

SCO/Caldera OpenServer 5.0.6

.: Solution:
------------

The vendor was notified and is diligently working on a fix. Until such
a fix has been made available, disable crontab or deny access from
untrusted sources to the affected systems.

======================================================================
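The bug class behind the output above, shown as an added example that is not from the advisory or from SCO's source: the function names and the way the message is assembled are assumptions, since the advisory does not show crontab's code. The hardened form keeps the file name as data, and a small helper counts format directives in an untrusted argument so such invocations can be flagged in audit logs.

```c
#include <stdio.h>
#include <string.h>

/* Hypothetical reconstruction of the flaw (assumption: the advisory does
 * not show crontab's source). The file name ends up inside the format
 * string of a printf-style call. Not compiled unless SHOW_VULNERABLE is set. */
#ifdef SHOW_VULNERABLE
static int report_open_error_vulnerable(char *out, size_t n, const char *path)
{
    char fmt[256];
    snprintf(fmt, sizeof fmt, "crontab: cannot open file %s", path);
    return snprintf(out, n, fmt);   /* BUG: directives in path are interpreted */
}
#endif

/* Hardened form: constant format string, the path is only ever an argument. */
static int report_open_error(char *out, size_t n, const char *path)
{
    return snprintf(out, n, "crontab: cannot open file %s", path);
}

/* Count printf conversion directives in an untrusted string; "%%" is a
 * literal percent and a trailing lone '%' is ignored. */
static int count_format_directives(const char *s)
{
    int count = 0;
    for (; *s; s++) {
        if (*s != '%')
            continue;
        if (s[1] == '%') { s++; continue; }   /* escaped percent */
        if (s[1] != '\0')
            count++;
    }
    return count;
}

int main(void)
{
    char msg[128];
    const char *arg = "%x%x%x%x";   /* the argument shown in the advisory */
    report_open_error(msg, sizeof msg, arg);
    puts(msg);   /* prints: crontab: cannot open file %x%x%x%x */
    printf("directives: %d\n", count_format_directives(arg));
    return 0;
}
```

Building with `-Wformat -Wformat-security` makes GCC and Clang warn about the non-literal format string in the vulnerable variant.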