J-Security Center

Title: Unix Shell Redirection Race Condition Vulnerability

Severity: MODERATE

Description:

bash, tcsh, cash, ksh and sh are all variations of the Unix shell distributed with many Unix and Unix clone operating systems. A vulnerability has been discovered in these shells that may allow a local attacker to write to arbitrary files, corrupting them or potentially elevating privileges.

Scripts and command-line operations that use << as a redirection operator create temporary files in the /tmp directory insecurely. The files are named tmp.<pid>, where pid is the process ID of the shell, and they are created without first checking whether a file of that name already exists.

This could result in a symbolic link attack that could be used to corrupt any file that the owner of the redirecting shell can write to. This issue affects systems running vulnerable versions of bash, tcsh, cash, ksh and sh.

ksh is reportedly not vulnerable on IBM AIX systems.
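
The following C program is an added example, not code from this advisory or from any of the affected shells. It contrasts the temporary-file creation pattern described above with two hardened alternatives (O_EXCL and mkstemp) when a symbolic link already sits at the predictable name. The function names, flag macros and the scratch directory /tmp/redir-demo.XXXXXX are assumptions made for the illustration.

```c
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/stat.h>
#include <unistd.h>

#define FLAGS_UNCHECKED (O_WRONLY | O_CREAT | O_TRUNC) /* advisory's pattern: no existence check */
#define FLAGS_EXCL      (O_WRONLY | O_CREAT | O_EXCL)  /* EEXIST if the name exists, even as a symlink */
struct demo { int excl_errno; long after_mkstemp; long after_unchecked; };
static long fsize(const char *p) { struct stat s; return stat(p, &s) ? -1 : (long)s.st_size; }

/* Open the predictable name <dir>/tmp.<pid> with the given flags. */
int open_pid_tmp(const char *dir, long pid, int flags, char *path, size_t n) {
    snprintf(path, n, "%s/tmp.%ld", dir, pid);
    return open(path, flags, 0600);
}

/* mkstemp() picks an unpredictable suffix and creates the file with O_EXCL. */
int open_random_tmp(const char *dir, char *path, size_t n) {
    snprintf(path, n, "%s/tmp.XXXXXX", dir);
    return mkstemp(path);
}

/* Constructed scenario: a 10-byte file in a private scratch dir, symlinked from tmp.<pid>. */
struct demo run_demo(void) {
    struct demo r = { 0, -1, -1 };
    char dir[] = "/tmp/redir-demo.XXXXXX", target[96], lnk[96], p[96];
    long pid = (long)getpid();
    if (!mkdtemp(dir)) return r;
    snprintf(target, sizeof target, "%s/target", dir);
    snprintf(lnk, sizeof lnk, "%s/tmp.%ld", dir, pid);
    FILE *f = fopen(target, "w");
    if (!f || fputs("important\n", f) < 0 || fclose(f) || symlink(target, lnk)) return r;
    int fd = open_pid_tmp(dir, pid, FLAGS_EXCL, p, sizeof p);
    if (fd < 0) r.excl_errno = errno; else close(fd);   /* refused: name is taken */
    if ((fd = open_random_tmp(dir, p, sizeof p)) >= 0) { close(fd); unlink(p); }
    r.after_mkstemp = fsize(target);                    /* target untouched */
    if ((fd = open_pid_tmp(dir, pid, FLAGS_UNCHECKED, p, sizeof p)) >= 0) close(fd);
    r.after_unchecked = fsize(target);                  /* truncated through the link */
    unlink(lnk); unlink(target); rmdir(dir);
    return r;
}

int main(void) {
    struct demo r = run_demo();
    printf("excl=%d mkstemp=%ld unchecked=%ld\n", r.excl_errno, r.after_mkstemp, r.after_unchecked);
    return !(r.excl_errno == EEXIST && r.after_mkstemp == 10 && r.after_unchecked == 0);
}
```

The scratch directory is created with mkdtemp and is private to the caller, so the demonstration does not depend on, or touch, anything else in /tmp.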

Affected Products:

  • Apple Mac OS X 10.0.0
  • Apple Mac OS X 10.0.1
  • Apple Mac OS X 10.0.2
  • Apple Mac OS X 10.0.3
  • Apple Mac OS X 10.0.4
  • Caldera OpenLinux Desktop 2.3.0
  • Compaq Tru64 4.0.0 D
  • Compaq Tru64 4.0.0 f
  • Compaq Tru64 4.0.0 g
  • Compaq Tru64 5.0.0
  • Compaq Tru64 5.0.0 a
  • Compaq Tru64 5.1.0
  • Compaq Tru64 5.1.0 a
  • Conectiva Linux 4.0.0
  • Conectiva Linux 4.0.0 es
  • Conectiva Linux 4.1.0
  • Conectiva Linux 4.2.0
  • Conectiva Linux 5.0.0
  • Conectiva Linux 5.1.0
  • Conectiva Linux ecommerce
  • Conectiva Linux graficas
  • Digital (Compaq) TRU64/DIGITAL UNIX 5.0.0
  • FreeBSD FreeBSD 3.5.1
  • FreeBSD FreeBSD 4.2.0
  • FreeBSD FreeBSD 5.0.0
  • HP HP-UX 10.20.0
  • HP HP-UX 11.0.0
  • HP HP-UX 11.0.0 4
  • HP HP-UX 11.11.0
  • HP HP-UX 9.0.0
  • MandrakeSoft Linux Mandrake 6.0.0
  • MandrakeSoft Linux Mandrake 6.1.0
  • MandrakeSoft Linux Mandrake 7.0.0
  • MandrakeSoft Linux Mandrake 7.1.0
  • MandrakeSoft Linux Mandrake 7.2.0
  • Netscape Communicator 6.01a
  • RedHat Linux 5.2.0
  • RedHat Linux 5.2.0 alpha
  • RedHat Linux 5.2.0 i386
  • RedHat Linux 5.2.0 sparc
  • RedHat Linux 6.0.0
  • RedHat Linux 6.0.0 alpha
  • RedHat Linux 6.0.0 sparc
  • RedHat Linux 6.1.0 alpha
  • RedHat Linux 6.1.0 i386
  • RedHat Linux 6.1.0 sparc
  • RedHat Linux 6.2.0
  • RedHat Linux 6.2.0 E alpha
  • RedHat Linux 6.2.0 E i386
  • RedHat Linux 6.2.0 E sparc
  • RedHat Linux 6.2.0 alpha
  • RedHat Linux 6.2.0 i386
  • RedHat Linux 6.2.0 sparc
  • RedHat bash-1.14.7-13.i386.rpm
  • RedHat bash-1.14.7-16.i386.rpm
  • RedHat bash-1.14.7-22.i386.rpm
  • S.u.S.E. Linux 7.0.0
  • SCO Open Server 5.0.0
  • SCO Open Server 5.0.1
  • SCO Open Server 5.0.2
  • SCO Open Server 5.0.3
  • SCO Open Server 5.0.4
  • SCO Open Server 5.0.5
  • SCO Open Server 5.0.6
  • SCO Open Server 5.0.6 a
  • SCO eDesktop 2.4.0
  • SCO eServer 2.3.0
  • SGI IRIX 6.5.0
  • SGI IRIX 6.5.1
  • SGI IRIX 6.5.10
  • SGI IRIX 6.5.10 f
  • SGI IRIX 6.5.10 m
  • SGI IRIX 6.5.11
  • SGI IRIX 6.5.11 f
  • SGI IRIX 6.5.11 m
  • SGI IRIX 6.5.12
  • SGI IRIX 6.5.12 f
  • SGI IRIX 6.5.12 m
  • SGI IRIX 6.5.13
  • SGI IRIX 6.5.13 f
  • SGI IRIX 6.5.13 m
  • SGI IRIX 6.5.2
  • SGI IRIX 6.5.3
  • SGI IRIX 6.5.4
  • SGI IRIX 6.5.5
  • SGI IRIX 6.5.6
  • SGI IRIX 6.5.7
  • SGI IRIX 6.5.8
  • SGI IRIX 6.5.9
  • Sun Cobalt Qube 3
  • Sun Cobalt Qube3 4000WG
  • Sun Cobalt Qube3 Japanese 4000WGJ
  • Sun Cobalt Qube3 Japanese w/ Caching and RAID 4100WGJ
  • Sun Cobalt Qube3 Japanese w/Caching 4010WGJ
  • Sun Cobalt Qube3 w/ Caching and RAID 4100WG
  • Sun Cobalt Qube3 w/Caching 4010WG
  • Sun Cobalt RaQ 4
  • Sun Cobalt RaQ XTR
  • Sun Cobalt RaQ XTR 3500R
  • Sun Cobalt RaQ XTR Japanese 3500R-ja
  • Sun Cobalt RaQ4 3001R
  • Sun Cobalt RaQ4 Japanese RAID 3100R-ja
  • Sun Cobalt RaQ4 RAID 3100R
  • Sun Solaris 2.5
  • Sun Solaris 2.5.1
  • Sun Solaris 2.5.1_x86
  • Sun Solaris 2.5_x86
  • Sun Solaris 2.6
  • Sun Solaris 2.6_x86
  • Sun Solaris 7.0
  • Sun Solaris 7.0_x86
  • Sun Solaris 8
  • Sun Solaris 8_x86
  • WireX Immunix OS 6.2.0
  • tcsh tcsh 6.7.2
  • tcsh tcsh 6.8.0 .00
  • tcsh tcsh 6.9.0 .00
