Home    |    View Topics    |    Search    |    Contact Us    |   



Category:   OS (UNIX)  >   Crontab Vendors:   Caldera/SCO
Caldera (SCO) 'crontab' Format String Bug Lets Local Users Execute Code to Gain Elevated Privileges on the System.
SecurityTracker Alert ID:  1004458
SecurityTracker URL:
CVE Reference:   CVE-2002-0716   (Links to External Site)
Updated:  Feb 23 2004
Original Entry Date:  Jun 4 2002
Impact:   Execution of arbitrary code via local system, User access via local system
Exploit Included:  Yes  
Version(s): OpenServer 5.0.6
Description:   A vulnerability was reported in the Caldera (SCO) OpenServer 'crontab' utility. A local user can gain elevated privileges.

Strategic Reconnaissance Team issued an advisory regarding a format string vulnerability in 'crontab' on Caldera's OpenServer. This application is reported installed with set group id (sgid) 'cron' group privileges.

A local user can execute cronttab with malicious formatting arguments to trigger the bug and possibly cause arbitrary code to be executed. A demonstration exploit example is provided:

$ crontab %x%x%x%x
crontab: cannot open file 8047f08804a5578047cd48047cd4

The report suggests that a user that has obtained 'cron' group privileges can likely obtain higher privileges.

The vendor has reportedly been notified.

Impact:   A local user can execute arbitrary code with elevated group ('cron') privileges.
Solution:   No solution was available at the time of this entry. However, the vendor is reportedly working on a fix.
Vendor URL: (Links to External Site)
Cause:   Input validation error

Message History:   This archive entry has one or more follow-up message(s) listed below.
(Caldera Issues Fix for OpenServer) Re: Caldera (SCO) 'crontab' Format String Bug Lets Local Users Execute Code to Gain Elevated Privileges on the System.
Caldera has issued a fix for OpenServer.

 Source Message Contents

Subject:  SRT Security Advisory (SRT2002-06-04-1711): SCO crontab


Strategic Reconnaissance Team Security Advisory (SRT2002-06-04-1611)

Topic  : SCO OpenServer crontab format string vulnerability
Date   : June 04, 2002
Credit : KF dotslash[at]
Site   :


.: Description:

 The SCO OpenServer crontab application is installed setgid cron and
 can be used to schedule execution of programs and scripts.

 This implementation of crontab contains a format string vulnerability
 which can be used to execute code in order to elevate privileges:

 $ crontab %x%x%x%x
 crontab: cannot open file 8047f08804a5578047cd48047cd4

 Due to the nature of crontab it is very likely that ones 'cron' group
 privileges have been obtained it is possible to get higher privileges

.: Impact:

 Local users can elevate their privileges trough this vulnerability.

.: Systems Affected:

 SCO/Caldera OpenServer 5.0.6

.: Solution:

 The vendor was notified and is diligently working on a fix. Until such
 a fix has been made available disable crontab or deny access from
 untrusted sources to the affected systems.



Go to the Top of This SecurityTracker Archive Page

Home   |    View Topics   |    Search   |    Contact Us

This web site uses cookies for web analytics. Learn More

Copyright 2020, LLC