{"vuid":"VU#115112","idnumber":"115112","name":"Sun Solaris catman creates temporary files insecurely","keywords":["Sun","Solaris","catman","tmp","temporary","race"],"overview":"catman, the unix manual display utility, creates insecure temporary files with predictable names in a world-writable directory. Since catman executes with system administration privileges, a symbolic link attack could overwrite arbitrary files.","clean_desc":"There is a vulnerability in catman that allows attackers to overwrite arbitrary files, regardless of ownership. The catman program creates temporary files with predictable names and paths such as /tmp/sman_pidofcatman. By monitoring the process ids (PID) of currently running processes, attackers can predict the next PID to be assigned, which will allow them to predict the filename. Once the filename is established, the attacker then creates a symbolic link from the temporary file to the file they want to overwrite. Because the catman program runs as root, it is able to overwrite the file targeted by the symbolic link.","impact":"Attackers can exploit the predictability of catman temporary filenames to overwrite arbitrary system files, regardless of ownership.","resolution":"The CERT/CC is currently unaware of a practical solution to this problem.","workarounds":"","sysaffected":"","thanks":"This vulnerability was first described by Larry W. Cashdollar.","author":"This document was last modified by Tim Shimeall.","public":["h","t","t","p",":","/","/","x","f","o","r","c","e",".","i","s","s",".","n","e","t","/","s","t","a","t","i","c","/","5","7","8","8",".","p","h","p"],"cveids":["CVE-2001-0095"],"certadvisory":"","uscerttechnicalalert":null,"datecreated":"2001-01-31T00:56:05Z","publicdate":"2001-01-30T00:00:00Z","datefirstpublished":"2001-09-27T18:23:03Z","dateupdated":"2001-09-27T18:23:05Z","revision":13,"vrda_d1_directreport":"","vrda_d1_population":"","vrda_d1_impact":"","cam_widelyknown":"15","cam_exploitation":"10","cam_internetinfrastructure":"3","cam_population":"20","cam_impact":"8","cam_easeofexploitation":"15","cam_attackeraccessrequired":"10","cam_scorecurrent":"12.6","cam_scorecurrentwidelyknown":"14.85","cam_scorecurrentwidelyknownexploited":"19.35","ipprotocol":"","cvss_accessvector":"","cvss_accesscomplexity":"","cvss_authentication":null,"cvss_confidentialityimpact":"","cvss_integrityimpact":"","cvss_availabilityimpact":"","cvss_exploitablity":null,"cvss_remediationlevel":"","cvss_reportconfidence":"","cvss_collateraldamagepotential":"","cvss_targetdistribution":"","cvss_securityrequirementscr":"","cvss_securityrequirementsir":"","cvss_securityrequirementsar":"","cvss_basescore":"","cvss_basevector":"","cvss_temporalscore":"","cvss_environmentalscore":"","cvss_environmentalvector":"","metric":12.6,"vulnote":null}