Title: FreeBSD crontab /tmp File Vulnerability
Severity: LOW
Description:
crontab is part of the cron command scheduling package included with FreeBSD. A vulnerability exists in this package that allows users to read certain system files.
When crontab is executed with the -e argument, it calls the vi editor for text file entry and creates a file in the /tmp directory with ownership of the user executing crontab. While in vi, a malicous user may escape to a shell and create a symbolic link to any system file. Upon exiting the shell and quitting the vi editor, cron reads the contents of the file symbolically linked. In the case of a file that either begins with a pound (#) sign or is completely commented out and is formatted in a scheme similar to that of a crontab, cron will return this content to the standard output of the user.
Affected Products:
- FreeBSD FreeBSD 2.2.8
- FreeBSD FreeBSD 3.3.0
- FreeBSD FreeBSD 4.0.0
- FreeBSD FreeBSD 4.1.0
Juniper Networks provides this content via a wide variety of sources and production methods. If notified of errors or omissions in the content of this page, Juniper Networks, at its discretion, will modify or remove the page or leave the content as is, depending on various factors including but not limited to the reputation and authority of the party providing the notification. Please use the contact information displayed elsewhere on this page to report any errors or omissions regarding the content on this page.
