|
|
|
Vulnerability Note VU#115112
Sun Solaris catman creates temporary files insecurely
Overviewcatman, the unix manual display utility, creates insecure temporary files with predictable names in a world-writable directory. Since catman executes with system administration privileges, a symbolic link attack could overwrite arbitrary files.
I. DescriptionThere is a vulnerability in catman that allows attackers to overwrite arbitrary files, regardless of ownership. The catman program creates temporary files with predictable names and paths such as /tmp/sman_pidofcatman. By monitoring the process ids (PID) of currently running processes, attackers can predict the next PID to be assigned, which will allow them to predict the filename. Once the filename is established, the attacker then creates a symbolic link from the temporary file to the file they want to overwrite. Because the catman program runs as root, it is able to overwrite the file targeted by the symbolic link.II. ImpactAttackers can exploit the predictability of catman temporary filenames to overwrite arbitrary system files, regardless of ownership.III. SolutionThe CERT/CC is currently unaware of a practical solution to this problem.Systems Affected
| Vendor | Status | Date Updated |
|---|
| Sun | Vulnerable | 26-Sep-2001 |
References
http://xforce.iss.net/static/5788.php
Credit
This vulnerability was first described by Larry W. Cashdollar.
This document was last modified by Tim Shimeall.
Other Information
| Date Public | 01/30/2001 |
| Date First Published | 09/27/2001 02:21:04 PM |
| Date Last Updated | 09/27/2001 |
| CERT Advisory | |
| CVE Name | CAN-2001-0095 |
| Metric | 12.60 |
| Document Revision | 13 |
If you have feedback, comments, or additional information about this vulnerability, please send us
email.
|
 |
