Description
The Solaris crontab(1) utility creates a temporary file in '/tmp' when a user wishes to
edit cron jobs with the "crontab -e" command. The following code is executed for this:
---------------------------------------------------------------------------------------
/ws/onnv-clone/usr/src/cmd/cron/crontab.c
	(void) strcpy(edtemp, "/tmp/crontabXXXXXX");
	tmpfd = mkstemp(edtemp);
	if (fchown(tmpfd, ruid, -1) == -1) {
[...]
	editor = getenv("EDITOR");
[...]
	(void) snprintf(buf, sizeof (buf),
	    "%s %s", editor, edtemp);
	sleep(1);

	while (1) {
		ret = system(buf);
---------------------------------------------------------------------------------------
crontab thus reads the user-controlled 'EDITOR' environment variable and feeds it to
snprintf(), which writes at most 1024 characters into the fixed-size command buffer; the
return value is not checked, so a command line that does not fit is silently truncated.
With a specially crafted 'EDITOR' value that is long enough, the truncation cuts into the
trailing temporary file name, so the 'EDITOR' application is handed a predictable
filename instead of the mkstemp() result and can open unintended files.
Although crontab is a setuid binary, this portion of the code is executed after crontab
drops privileges. I haven't labeled this as a security bug, since it also requires
modification of the 'EDITOR' environment variable in order to affect other users.
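Added example, not code from the page or from the OpenSolaris source: it mirrors the unchecked snprintf() build of the editor command beside a variant that checks snprintf()'s return value, and probes both with constructed EDITOR values of different lengths. CMD_BUFSZ, EDTEMP and all function names are assumptions; EDTEMP stands in for the mkstemp() result, which the page shows only as a template.

```c
#include <stdio.h>
#include <string.h>

#define CMD_BUFSZ 1024                   /* assumed to match sizeof(buf) in crontab.c */
static const char EDTEMP[] = "/tmp/crontabXXXXXX";  /* constructed stand-in for the mkstemp() result */

/* Mirrors the page's snprintf(buf, sizeof(buf), "%s %s", editor, edtemp) and
 * discards the return value as crontab.c does.  Returns 1 if the command
 * still ends in " <edtemp>", 0 if truncation cut into the path. */
int build_cmd_unchecked(char *buf, size_t bufsz, const char *editor, const char *edtemp)
{
    (void) snprintf(buf, bufsz, "%s %s", editor, edtemp);
    size_t bl = strlen(buf), tl = strlen(edtemp);
    return bl > tl && buf[bl - tl - 1] == ' ' && strcmp(buf + bl - tl, edtemp) == 0;
}

/* Hardened variant: snprintf() returns the length it wanted to write, so a
 * value >= bufsz means the command was cut short and must not reach system(). */
int build_cmd_checked(char *buf, size_t bufsz, const char *editor, const char *edtemp)
{
    int n = snprintf(buf, bufsz, "%s %s", editor, edtemp);
    if (n < 0 || (size_t) n >= bufsz) { buf[0] = '\0'; return -1; }  /* truncated */
    return 0;
}

/* Outcome for one EDITOR length: path_kept from the unchecked build, verdict from the checked one. */
struct probe { int path_kept; int verdict; };

/* Builds a constructed EDITOR value of editor_len 'A's and runs it through both builders. */
struct probe probe_editor_len(size_t editor_len)
{
    char editor[2 * CMD_BUFSZ], buf[CMD_BUFSZ];
    struct probe r;
    if (editor_len >= sizeof editor) editor_len = sizeof editor - 1;
    memset(editor, 'A', editor_len);
    editor[editor_len] = '\0';
    r.path_kept = build_cmd_unchecked(buf, sizeof buf, editor, EDTEMP);
    r.verdict = build_cmd_checked(buf, sizeof buf, editor, EDTEMP);
    return r;
}

int main(void)
{
    struct probe a = probe_editor_len(2), b = probe_editor_len(1005);
    printf("2-byte EDITOR (e.g. vi): path kept=%d verdict=%d\n", a.path_kept, a.verdict);
    printf("1005-byte EDITOR: path kept=%d verdict=%d\n", b.path_kept, b.verdict);
    return 0;
}
```

With an 18-character temp path and a 1024-byte buffer, a 1004-byte EDITOR is the longest that still fits; one byte more and the unchecked build loses the tail of the path while the checked build reports the truncation.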