CERT home
vulnerabilities & fixesevaluations & practicesresearch & analysistraining & education
homesearchFAQsite indexcontact
Vulnerability
Notes
Database

Search Vulnerability Notes

Vulnerability Notes Help Information
 

 View Notes By
Name

ID Number

CVE Name

Date Public

Date Published

Date Updated

Severity Metric

Vulnerability Note VU#10277

Various shells create temporary files insecurely when using << operator

Overview

sh uses /tmp files of a predictable name in creating files for input redirection using the << operator.

I. Description

When performing the "<<" redirection, /bin/sh creates a temporary file in /tmp with a name based on the process id, writes subsequent input out to that file, and then closes the file before re-opening it as the standard input of the command to be executed. At no stage are the results of the creat(), write(), or open() calls checked for an error status.

II. Impact

It is possible for another user to alter what is read from this file.
  • If the sticky bit is not set on /tmp, the file can be simply removed, and a new file created in its place
  • If the sticky bit is set, then it is possible to guess what the file will be called and create it before /bin/sh does (the creat() call performed by the shell does not result in an open() call with O_EXCL set) and hence it is possible to maintain a handle on the underlying file.
  • If a fifo is created in place of the temporary file it is particularly easy to insert an extra command into the input transparently, and without having to worry about ensuring the bug is exploited during the narrow window of time in which it occurs.
Even without reading, creating this file may block the execution of commands using the << operator.
It may also be possible to create a symbolic link named as the temporary file and pointed to any other file on the system writable by the user of the shell, which may lead to corruption of the file to which the link is pointed.

III. Solution

Apply vendor patches; see the Systems Affected section below.

Avoid the use of << operator in cron jobs and similar administration scripts.

Systems Affected

VendorStatusDate Updated
Apple Computer, Inc.Vulnerable25-Sep-2001
Berkeley Software Design, Inc.Not Vulnerable15-May-2001
Compaq Computer CorporationVulnerable13-Jun-2003
Data GeneralUnknown11-Jun-2001
Debian LinuxUnknown11-Jun-2001
DECVulnerable30-Jan-2002
FreeBSD, Inc.Vulnerable15-May-2001
FujitsuUnknown11-Jun-2001
Hewlett-Packard CompanyVulnerable13-Jun-2003
IBM CorporationVulnerable13-Jun-2001
Mandriva, Inc.Vulnerable16-Jul-2001
NEC CorporationUnknown11-Jun-2001
NetBSDUnknown11-Jun-2001
NeXTUnknown11-Jun-2001
OpenBSDNot Vulnerable5-Jul-2001
Red Hat, Inc.Unknown11-Jun-2001
Sequent Computer Systems, Inc.Unknown11-Jun-2001
SGIVulnerable29-Jan-2002
Siemens NixdorfUnknown11-Jun-2001
Sony CorporationUnknown11-Jun-2001
Sun Microsystems, Inc.Vulnerable17-May-2001
The SCO Group (SCO Linux)Vulnerable19-Jun-2001
The SCO Group (SCO Unix)Vulnerable29-Jan-2002
UnisysUnknown11-Jun-2001

References


http://www.securityfocus.com/bid/3996
http://www.securityfocus.com/bid/2006
ftp://patches.sgi.com/support/free/security/advisories/20011103-01-I

Credit

The original discoverer of this vul was Gordon Irlam of the Univeristy of Adelaide, Australia.

This document was written by James T. Ellis, modified by Tim Shimeall to reflect 2001 reporting

Other Information

Date Public07/17/1991
Date First Published07/02/2001 05:04:05 PM
Date Last Updated04/24/2007
CERT Advisory 
CVE NameCVE-2000-1134
Metric1.73
Document Revision19

If you have feedback, comments, or additional information about this vulnerability, please send us email.
 

Copyright 2001 Carnegie Mellon University