lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [day] [month] [year] [list]
Message-ID: <20051022105105.86290.qmail@web90103.mail.scd.yahoo.com>
Date: Sat, 22 Oct 2005 03:51:05 -0700 (PDT)
From: Scott Cromar <scottcromar@...oo.com>
To: bugtraq@...urityfocus.com
Subject: Insecure Temporary Files in BMC/Control-M Agent


BMC's Control M is an enterprise scheduling facility. 
Unfortunately, 
the agent software suffers from a problem with
insecure temporary file 
creation.  We noticed the problem on Solaris systems
running the version 
6.1.03 with current patches; it is reasonable to
assume that other OS 
platforms and versions are also affected.
 
The scripts to be run by a Control M job are stored in
temporary files 
with names like:
/tmp/ctm/CMD.10637  
 
The contents appear to be the contents of a job as
created by a Control 
M user.
 
The /tmp/ctm directory is created during the first
scheduled job that 
is run following a reboot.  Normally it is created
with root ownership 
and 755 permissions.  Depending on how frequently jobs
are run on a 
particular client, this may leave a significant window
of opportunity for 
some nefarious soul to create this directory with
other permissions or 
to create appropriately (or inappropriately) named
links.
 
It is left as an exercise to the reader to identify
ways in which to 
screw the system to the ground.
 
One less than ideal work-around would be to create the
/tmp/ctm 
directory before sshd, inetd or cron start up--say at
/etc/rc2.d/S68 in the 
boot cycle on Solaris 8.
 
BMC has been notified of this problem and has opened
up problem ticket 
number BMPM010114.  According to BMC Support, a fix
will be 
"implemented in a future release."  Rather than
waiting, I strongly suggest the 
workaround above.
 
Good luck:
--Scott




	
		
__________________________________ 
Yahoo! Mail - PC Magazine Editors' Choice 2005 
http://mail.yahoo.com


Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ