[<prev] [next>] [day] [month] [year] [list]
Message-ID: <20051022105105.86290.qmail@web90103.mail.scd.yahoo.com>
Date: Sat, 22 Oct 2005 03:51:05 -0700 (PDT)
From: Scott Cromar <scottcromar@...oo.com>
To: bugtraq@...urityfocus.com
Subject: Insecure Temporary Files in BMC/Control-M Agent
BMC's Control M is an enterprise scheduling facility.
Unfortunately,
the agent software suffers from a problem with
insecure temporary file
creation. We noticed the problem on Solaris systems
running the version
6.1.03 with current patches; it is reasonable to
assume that other OS
platforms and versions are also affected.
The scripts to be run by a Control M job are stored in
temporary files
with names like:
/tmp/ctm/CMD.10637
The contents appear to be the contents of a job as
created by a Control
M user.
The /tmp/ctm directory is created during the first
scheduled job that
is run following a reboot. Normally it is created
with root ownership
and 755 permissions. Depending on how frequently jobs
are run on a
particular client, this may leave a significant window
of opportunity for
some nefarious soul to create this directory with
other permissions or
to create appropriately (or inappropriately) named
links.
It is left as an exercise to the reader to identify
ways in which to
screw the system to the ground.
One less than ideal work-around would be to create the
/tmp/ctm
directory before sshd, inetd or cron start up--say at
/etc/rc2.d/S68 in the
boot cycle on Solaris 8.
BMC has been notified of this problem and has opened
up problem ticket
number BMPM010114. According to BMC Support, a fix
will be
"implemented in a future release." Rather than
waiting, I strongly suggest the
workaround above.
Good luck:
--Scott
__________________________________
Yahoo! Mail - PC Magazine Editors' Choice 2005
http://mail.yahoo.com
Powered by blists - more mailing lists