Vulnerability Note VU#115112

Sun Solaris catman creates temporary files insecurely

Original Release date: 27 Sep 2001 | Last revised: 27 Sep 2001


catman, the UNIX manual display utility, creates temporary files insecurely, using predictable names in a world-writable directory. Because catman executes with system administration privileges, a symbolic link attack could overwrite arbitrary files.


There is a vulnerability in catman that allows attackers to overwrite arbitrary files, regardless of ownership. The catman program creates temporary files with predictable names and paths such as /tmp/sman_pidofcatman. By monitoring the process IDs (PIDs) of currently running processes, attackers can predict the next PID to be assigned, and therefore the filename. Once the filename is established, the attacker creates a symbolic link at the temporary file's path that points to the file they want to overwrite. Because the catman program runs as root, it is able to overwrite the file targeted by the symbolic link.
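As an added illustration (not Sun's code and not part of the original note), the C example below shows how a program can create a temporary file so that a symbolic link already present at the chosen path is refused rather than followed, first with an exclusive open on a PID-based name and then with mkstemp(). The function names, the scratch directory and the PID value 4242 are assumptions made for the example.

```c
#define _POSIX_C_SOURCE 200809L
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/stat.h>
#include <unistd.h>

/* Predictable name, but O_EXCL makes open() fail with EEXIST if anything,
 * including a symbolic link, already occupies the path. */
int create_exclusive(const char *dir, long pid)
{
    char path[512];
    snprintf(path, sizeof path, "%s/sman_%ld", dir, pid);
    return open(path, O_WRONLY | O_CREAT | O_EXCL | O_NOFOLLOW, 0600);
}

/* Preferred: mkstemp() picks an unpredictable name and creates the file
 * exclusively with mode 0600. The chosen path is written back into `path`. */
int create_random(const char *dir, char *path, size_t n)
{
    snprintf(path, n, "%s/sman_XXXXXX", dir);
    return mkstemp(path);
}

/* Self-check in a private scratch directory (constructed fixture): a symlink
 * already sitting at the predictable name must be refused and the file it
 * points to must stay empty. Returns 0 when both functions behave as stated. */
int selfcheck(void)
{
    char dir[] = "/tmp/tmpdemo_XXXXXX", target[64], lnk[64], rnd[64];
    struct stat st;
    int ok = 1, fd;

    if (!mkdtemp(dir)) return -1;
    snprintf(target, sizeof target, "%s/target", dir);
    snprintf(lnk, sizeof lnk, "%s/sman_%ld", dir, 4242L);
    fd = open(target, O_WRONLY | O_CREAT | O_EXCL, 0600);
    if (fd < 0 || symlink(target, lnk) != 0) ok = 0;
    if (fd >= 0) close(fd);
    fd = create_exclusive(dir, 4242L);            /* must be refused */
    if (fd >= 0 || errno != EEXIST) ok = 0;
    if (fd >= 0) close(fd);
    if (stat(target, &st) != 0 || st.st_size != 0) ok = 0;
    fd = create_random(dir, rnd, sizeof rnd);     /* must succeed */
    if (fd < 0 || write(fd, "x", 1) != 1) ok = 0;
    if (fd >= 0) { close(fd); unlink(rnd); }
    unlink(lnk); unlink(target); rmdir(dir);
    return ok ? 0 : 1;
}
```

Creating the working files inside a directory that only the privileged user can write to removes the race altogether, since no other user can place anything at the path beforehand.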


Attackers can exploit the predictability of catman temporary filenames to overwrite arbitrary system files, regardless of ownership.


The CERT/CC is currently unaware of a practical solution to this problem.

Systems Affected

Vendor  Status    Date Notified  Date Updated
Sun     Affected  30 Jan 2001    26 Sep 2001

CVSS Metrics

Group Score Vector
Base N/A N/A
Temporal N/A N/A
Environmental N/A N/A



This vulnerability was first described by Larry W. Cashdollar.

This document was last modified by Tim Shimeall.

Other Information

  • CVE IDs: CAN-2001-0095
  • Date Public: 30 Jan 2001
  • Date First Published: 27 Sep 2001
  • Date Last Updated: 27 Sep 2001
  • Severity Metric: 12.60
  • Document Revision: 13

