Vixie Cron /var/spool/cron Temporary...

Published: 2000-11-17
Revised: 2025-04-13

Vixie cron is a scheduling daemon written by Paul Vixie and distributed with many free UNIX operating systems. A problem exists that could allow a user to execute commands with the privileges of another user. The problem occurs in the /var/spool/cron directory and in the handling of the temporary files created when one edits a crontab. This vulnerability affects systems with permissions of 0755 set on the /var/spool/cron directory. Files created in the /var/spool/cron directory by crontab inherit root ownership and group, and the umask of the user executing crontab. The files created are uniform in name, with the file extension ending in the PID of the crontab process being executed. Crontab also does not check for the existence of a file before it opens a session and begins. It is possible for a malicious user to generate multiple temporary files in /var/spool/cron with world write permission. A user executing crontab -e would have their state stored in a file that could be written to by the...

No exploit or PoC is currently available.
There are currently 0 affected product records.