FreeBSD crontab /tmp File Vulnerability...

Published: 2000-10-20
Revised: 2025-04-13

crontab is part of the cron command scheduling package included with FreeBSD. A vulnerability in this package allows users to read certain system files. When crontab is executed with the -e argument, it invokes the vi editor for text entry and creates a file in the /tmp directory owned by the user executing crontab. While in vi, a malicious user may escape to a shell and create a symbolic link to any system file. Upon exiting the shell and quitting the vi editor, cron reads the contents of the symbolically linked file. If that file either begins with a pound (#) sign or is completely commented out, and is formatted similarly to a crontab, cron returns its content to the user's standard output.
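The weakness described above is a privileged re-read of a user-owned /tmp path after the editor exits. The following is an added example, not FreeBSD's code or its actual fix: a hardened reopen that refuses a symlink and verifies the file is the one created before the edit. The names reopen_checked and simulate_edit, the /tmp/crontab.XXXXXX template and the /etc/hosts link target are assumptions made for the demonstration.

```c
#define _POSIX_C_SOURCE 200809L
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/stat.h>
#include <unistd.h>

/* Reopen the edited temp file only if it is still the regular file created
 * before the editor ran. Returns a read-only fd, or -1 if it was replaced. */
int reopen_checked(const char *path, const struct stat *before)
{
    struct stat after;
    int fd = open(path, O_RDONLY | O_NOFOLLOW);  /* refuses a symlink at path */
    if (fd < 0) return -1;
    if (fstat(fd, &after) < 0 || !S_ISREG(after.st_mode) ||
        after.st_dev != before->st_dev || after.st_ino != before->st_ino ||
        after.st_uid != before->st_uid || after.st_nlink != 1) {
        close(fd);                               /* different file or hard link */
        return -1;
    }
    return fd;
}

/* Constructed scenario: swap_link != 0 replaces the temp file with a symlink.
 * Returns 1 if the reopen was accepted, 0 if refused, -1 on setup failure. */
int simulate_edit(int swap_link)
{
    char path[] = "/tmp/crontab.XXXXXX";         /* hypothetical file name */
    struct stat before;
    int orig = mkstemp(path), fd, accepted;
    if (orig < 0) return -1;
    if (fstat(orig, &before) < 0 ||
        (swap_link && (unlink(path) < 0 || symlink("/etc/hosts", path) < 0))) {
        close(orig);
        unlink(path);
        return -1;
    }
    fd = reopen_checked(path, &before);          /* orig stays open: inode pinned */
    accepted = (fd >= 0);
    if (fd >= 0) close(fd);
    close(orig);
    unlink(path);
    return accepted;
}

int main(void)
{
    printf("unchanged=%d swapped=%d\n", simulate_edit(0), simulate_edit(1));
    return 0;
}
```

Keeping the original descriptor open across the edit prevents the inode number from being reused by a different file, which is what makes the st_dev/st_ino comparison meaningful.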

No exploit or PoC currently available
Currently 0 affected product entries