BMC CONTROL-M Unsafe Temporary Files May Let Local Users Gain Elevated Privileges
SecurityTracker Alert ID: 1015096
SecurityTracker URL: http://securitytracker.com/id/1015096
Updated: Nov 2 2008
Original Entry Date: Oct 24 2005
Modification of system information, Modification of user information, Root access via local system, User access via local system
Vendor Confirmed: Yes
Version(s): 6.1.03; possibly other versions
A vulnerability was reported in BMC's CONTROL-M. A local user may be able to gain elevated privileges on the target system.
The software creates temporary files in an unsafe manner in the '/tmp' directory. The '/tmp/ctm' directory is created when the first scheduled job is run following a system reboot.
A local user may be able to create the temporary directory or files in that directory prior to the time when CONTROL-M attempts to create the directory. This may allow the local user to create a symbolic link (symlink) from a critical file on the system to a temporary file to be used by CONTROL-M. Then, when the temporary file is written by CONTROL-M, the symlinked file may be created or overwritten with the privileges of the CONTROL-M process.
The vendor has been notified.
Scott Cromar reported this vulnerability.
A local user may be able to create or overwrite files with the privileges of the CONTROL-M process.
No solution was available at the time of this entry. The vendor plans to issue a fix in a future release.
Vendor URL: www.bmc.com/
Access control error, State error
Underlying OS: UNIX (Any)
Underlying OS Comments: Tested on Solaris
Source Message Contents
Subject: Insecure Temporary Files in BMC/Control-M Agent
BMC's Control M is an enterprise scheduling facility.
the agent software suffers from a problem with insecure temporary file creation. We noticed the problem on Solaris systems running the version 6.1.03 with current patches; it is reasonable to assume that other OS platforms and versions are also affected.
The scripts to be run by a Control M job are stored in
with names like:
The contents appear to be the contents of a job as
created by a Control
The /tmp/ctm directory is created during the first scheduled job that is run following a reboot. Normally it is created with root ownership and 755 permissions. Depending on how frequently jobs are run on a particular client, this may leave a significant window of opportunity for some nefarious soul to create this directory with other permissions or to create appropriately (or inappropriately) named
It is left as an exercise to the reader to identify ways in which to screw the system to the ground.
One less than ideal work-around would be to create the directory before sshd, inetd or cron start up--say at /etc/rc2.d/S68 in the boot cycle on Solaris 8.
BMC has been notified of this problem and has opened up problem ticket number BMPM010114. According to BMC Support, a fix
"implemented in a future release." Rather than waiting, I strongly suggest the
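The work-around from the source message (create the directory before sshd, inetd or cron start), as an added example that is not part of the original advisory or of BMC's software: a boot-time shell script that creates /tmp/ctm with mode 755 and refuses to trust anything already planted at that path. The function names, the optional owner-UID argument and the use of the rc `start` argument are assumptions of this example.

```shell
#!/bin/sh
# Added example (not vendor code): pre-create and verify the agent's temp
# directory from an early boot script, before local users can log in.

# check_ctm_dir DIR [OWNER_UID]: succeed only if DIR is a real directory
# (not a symlink), owned by OWNER_UID (default 0), and not group/world-writable.
check_ctm_dir() {
    dir=$1; want_uid=${2:-0}
    # ls -ld does not follow a symlink at DIR; -n prints the numeric owner.
    line=$(ls -ldn "$dir" 2>/dev/null) || { echo "$dir: missing" >&2; return 1; }
    set -- $line            # $1 = mode string, $3 = owner uid
    mode=$1; uid=$3
    case $mode in
        d????w*|d???????w*) echo "$dir: group/world-writable ($mode)" >&2; return 1 ;;
        d*) ;;
        *) echo "$dir: not a directory ($mode)" >&2; return 1 ;;
    esac
    if [ "$uid" != "$want_uid" ]; then
        echo "$dir: owned by uid $uid, expected $want_uid" >&2
        return 1
    fi
    return 0
}

# ensure_ctm_dir DIR [OWNER_UID]: create DIR with mode 755 if absent, then verify.
ensure_ctm_dir() {
    dir=$1; want_uid=${2:-0}
    # mkdir without -p fails if anything already exists at the path, including
    # a planted symlink, so creation is never redirected elsewhere.
    mkdir -m 755 "$dir" 2>/dev/null || echo "$dir: already present, verifying" >&2
    # A failed check is only reported: removing a directory someone else
    # controls is itself race-prone, so that decision is left to the admin.
    check_ctm_dir "$dir" "$want_uid"
}

# rc scripts are invoked with "start" at boot; do nothing when sourced or tested.
case "${1:-}" in
    start) ensure_ctm_dir /tmp/ctm ;;
esac
```

A non-zero exit means the path existed before the script ran and does not look like a root-owned 755 directory, which is the condition the advisory describes.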