J-Security Center

Title: Vixie Cron /var/spool/cron Temporary Crontab File Vulnerability

Severity: LOW

Description:

Vixie cron is a scheduling daemon written by Paul Vixie and distributed with many free UNIX operating systems. A problem exists that could allow a user to execute commands with the privileges of another user.

The problem occurs in the /var/spool/cron directory and in the handling of the temporary files created when a user edits a crontab. This vulnerability affects systems where the /var/spool/cron directory has permissions of 0755. Files created in /var/spool/cron by crontab inherit root ownership and group, and the umask of the user executing crontab. The files created are uniform in name, with the file extension ending in the PID of the crontab process being executed. Crontab also does not check for the existence of a file before it opens a session and begins. It is therefore possible for a malicious user to generate multiple temporary files in /var/spool/cron with world write permission. A user executing crontab -e would have their state stored in a file that could be written to by the malicious user. The attacker could then write a malicious cron entry into the temporary file, which would be saved. This would result in arbitrary commands in the malicious crontab being executed with the privileges of the target user.
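As an added illustration (not Vixie cron's own source, and not a description of the vendor's patch), the C below contrasts the unchecked open-or-create that the advisory describes with the O_CREAT|O_EXCL pattern that refuses a pre-existing file. The scratch directory under /tmp and the tmp.<PID> file name are constructed for the demo and stand in for /var/spool/cron.

```c
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <sys/stat.h>
#include <unistd.h>

/* Naive pattern: open-or-create with truncation. A file already at `path` is
 * silently reused, and the 0600 mode is ignored (it applies only on creation). */
static int open_tmp_naive(const char *path) {
    return open(path, O_WRONLY | O_CREAT | O_TRUNC, 0600);
}

/* Hardened pattern: O_CREAT|O_EXCL creates atomically and fails with EEXIST
 * when anything already exists at `path`, so a pre-planted file is never used. */
static int open_tmp_exclusive(const char *path) {
    return open(path, O_WRONLY | O_CREAT | O_EXCL, 0600);
}

/* Permission bits of `path`, or -1 if it cannot be stat'ed. */
static int mode_bits(const char *path) {
    struct stat st;
    return stat(path, &st) == 0 ? (int)(st.st_mode & 0777) : -1;
}

/* Reproduces the advisory's precondition in a private scratch directory: a
 * world-writable file already sits under the PID-derived temp-file name when
 * the editing session opens it. Returns 0 when the naive open reuses that
 * file (mode stays 0666) and the exclusive open refuses it with EEXIST. */
int demo_planted_tmpfile(void) {
    char dir[64], path[96];
    snprintf(dir, sizeof dir, "/tmp/cronspool.%d", (int)getpid()); /* constructed spool dir */
    if (mkdir(dir, 0700) != 0) return 1;
    snprintf(path, sizeof path, "%s/tmp.%d", dir, (int)getpid());
    /* Planted file: created before "crontab" runs, then made world-writable. */
    int fd = open(path, O_WRONLY | O_CREAT, 0666);
    if (fd < 0 || close(fd) != 0 || chmod(path, 0666) != 0) return 2;
    int naive_fd = open_tmp_naive(path);    /* "succeeds" on the planted file */
    int naive_mode = mode_bits(path);       /* still 0666: our 0600 never applied */
    if (naive_fd >= 0) close(naive_fd);
    errno = 0;
    int excl_fd = open_tmp_exclusive(path); /* refuses the planted file */
    int excl_errno = errno;
    if (excl_fd >= 0) close(excl_fd);
    unlink(path); rmdir(dir);
    if (naive_fd < 0 || naive_mode != 0666) return 3;
    if (excl_fd >= 0 || excl_errno != EEXIST) return 4;
    return 0;
}
```

The same reasoning applies to the spool directory itself: with 0755 on /var/spool/cron, any local user can pre-create names there, which is why tightening the directory mode and using exclusive creation are complementary mitigations.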

Affected Products:

  • Conectiva Linux 6.0.0
  • Conectiva Linux 7.0.0
  • Conectiva Linux 8.0.0
  • Debian Linux 2.2.0
  • Debian Linux 2.2.0 68k
  • Debian Linux 2.2.0 alpha
  • Debian Linux 2.2.0 arm
  • Debian Linux 2.2.0 powerpc
  • Debian Linux 2.2.0 sparc
  • Paul Vixie Vixie Cron 3.0.0pl1
  • Progeny Debian 1.0.0

Juniper Networks provides this content via a wide variety of sources and production methods. If notified of errors or omissions in the content of this page, Juniper Networks, at its discretion, will modify or remove the page or leave the content as is, depending on various factors including but not limited to the reputation and authority of the party providing the notification. Please use the contact information displayed elsewhere on this page to report any errors or omissions regarding the content on this page.