Vulnerability Note VU#115112
Sun Solaris catman creates temporary files insecurely
catman, the unix manual display utility, creates insecure temporary files with predictable names in a world-writable directory. Since catman executes with system administration privileges, a symbolic link attack could overwrite arbitrary files.
There is a vulnerability in catman that allows attackers to overwrite arbitrary files, regardless of ownership. The catman program creates temporary files with predictable names and paths such as /tmp/sman_pidofcatman. By monitoring the process ids (PID) of currently running processes, attackers can predict the next PID to be assigned, which will allow them to predict the filename. Once the filename is established, the attacker then creates a symbolic link from the temporary file to the file they want to overwrite. Because the catman program runs as root, it is able to overwrite the file targeted by the symbolic link.
Attackers can exploit the predictability of catman temporary filenames to overwrite arbitrary system files, regardless of ownership.
The CERT/CC is currently unaware of a practical solution to this problem.
Systems Affected (Learn More)
|Vendor||Status||Date Notified||Date Updated|
|Sun||Affected||30 Jan 2001||26 Sep 2001|
CVSS Metrics (Learn More)
This vulnerability was first described by Larry W. Cashdollar.
This document was last modified by Tim Shimeall.
- CVE IDs: CAN-2001-0095
- Date Public: 30 Jan 2001
- Date First Published: 27 Sep 2001
- Date Last Updated: 27 Sep 2001
- Severity Metric: 12.60
- Document Revision: 13
If you have feedback, comments, or additional information about this vulnerability, please send us email.