Security for Unix Webservers Search Results:

Looking for tmp in entire archive - Found 245 matches in 171 files
Showing results 1 - 25
CERT Advisory CA-1995-09 Solaris ps Vulnerability, Jun 14 2008
program maintains a data file in the /tmp directory, and the /tmp directory is world-writable, allowing users to delete other users' files in /tmp. This vulnerability affects Solaris 2.x (SunOS 5.x) systems.
A race condition exists in at least one Solaris 2.x (SunOS 5.x) system program that can be exploited to gain root access if the user has access to the temporary files. Access to temporary files may be obtained if the permissions on the /tmp and /var/tmp directories are set incorrectly.
The permissions on the /tmp directory are often reset incorrectly by the system if tmpfs (which is mounting swap as /tmp) is in use.
To determine if you are running tmpfs, the following command can be used to verify if the file system for /tmp is swap:
% /usr/sbin/df -k /tmp
Filesystem            kbytes    used   avail capacity  Mounted on
swap                   28348      12   28336     0%    /tmp
#device         device          mount   FS      fsck    mount   mount
#to mount       to fsck         point   type    pass    at boot options
swap            -               /tmp    tmpfs   -       yes     -
If either of these two conditions exist, then you are running tmpfs and the system may automatically reset the permission bits of /tmp at the next reboot.
% /usr/bin/ls -ld /tmp
drwxrwxrwt   2 root     root          61 Aug 15 12:12 /tmp
If the sticky bit (t) is not set (it will be an x), then the system is vulnerable. In addition, we recommend that the owner and group for /tmp be changed to root and root, respectively.
1. Immediate - fix /tmp permissions
...limit of 10 lines reached, additional matching lines are not shown...

CERT Advisory CA-1996-27 Vulnerability in HP Software Installation Programs, Jun 14 2008
and all symbolic links in /var/tmp and /tmp removed. The following command can be used to remove the symbolic links:
# find /tmp /var/tmp -type l -ok rm {} \;
In this workaround, we have chosen to use the directory /var/tmp/SD_tmp.
# mkdir /var/tmp/SD_tmp
# chmod 700 /var/tmp/SD_tmp
For this workaround to be effective, sites should ensure that the parent directory of $TMPDIR has the sticky bit set if the parent directory is world writable. In this workaround, /var/tmp is the directory concerned. The sticky bit on /var/tmp can be set with the command:
# chmod 1777 /var/tmp
# setenv TMPDIR /var/tmp/SD_tmp
# TMPDIR=/var/tmp/SD_tmp; export TMPDIR

UNIX Security Checklist v2.0 - Full Version, Jun 14 2008
DO consider using mount options, such as nosuid, nodev and noexec for user home partitions, /var and /tmp in your /etc/fstab or vfstab file. (please refer to your specific operating system's documentation for the exact file and location)
ENSURE that /etc, /usr/etc, /bin, /usr/bin, /sbin, /usr/sbin, /tmp and /var/tmp are owned by root and that the sticky-bit is set on /tmp and on /var/tmp
ftp://ftp.auscert.org.au/pub/auscert/advisory/AA-95.07.Incorrect.Permissions.on.tmp.may.allow.root.access
ENSURE that the permissions on /tmp are set to 1777.
If the sticky bit is set, no one other than the owner can delete the file /tmp/.X11-unix/X0, which is a socket for your X server. Once this file is deleted, your X server will no longer be accessible. See C.14 for example commands to set the correct permissions and ownership for /tmp.
C.14 Set ownership and permissions for /tmp correctly
# /bin/chown root /tmp
# /bin/chgrp 0 /tmp
# /bin/chmod 1777 /tmp
NOTE: This will NOT recursively set the sticky bit on sub-directories below /tmp, such as /tmp/.X11-unix and /tmp/.NeWS-unix; you may have to set these manually or through the system startup files.

CERT Advisory CA-2002-27 Apache/mod_ssl Worm, Jun 14 2008
... process of th...
/tmp/.uubugtraq
/tmp/.bugtraq.c
/tmp/.bugtraq
/tmp/.unlock.c
/tmp/.update.c
/tmp/.cinik
/tmp/.cinik.c
/tmp/.cinik.go
/tmp/.cinik.goecho
...limit of 10 lines reached, additional matching lines are not shown...

CERT Advisory CA-1997-14 Vulnerability in metamail, Jun 14 2008
This environment variable tells metamail where to create the temporary files it needs while processing. If the variable is not set in the user's environment, the default value is /tmp. Since /tmp is accessible by all users, it is possible that use of this value will allow exploitation of race conditions. We recommend setting the value to a protected directory belonging to the user.
Change these lines:
if (! $?METAMAIL_TMPDIR) then
    set METAMAIL_TMPDIR=/tmp
endif
if (! $?METAMAIL_TMPDIR) then
    if ($?TMPDIR) then
        set METAMAIL_TMPDIR="$TMPDIR"
    else
        set METAMAIL_TMPDIR=~/metamail_tmp
    endif
endif

http://www.cert.org/advisories/CA-91.13.Ultrix.mail.vulnerability, Jun 14 2008
(cd TO SOME DIRECTORY THAT YOU CAN PUT THE FILE IN TEMPORARILY, e.g. cd /tmp)
# cd /tmp
# mv /tmp/usr/bin/mail .
(e.g., - /tmp/mail).
binary from a remote node to the /tmp directory on your local
% dcp -iv {remote-nodename}/{username}/{password}::'/usr/bin/mail' '/tmp/mail'
# mv /tmp/mail /usr/bin/mail

http://www.cert.org/advisories/CA-92.17.HP.NIS.ypbind.vulnerability, Jun 14 2008
Change the "Source: /dev/rmt/0m" to "Source: /tmp/PHNE_1359.updt"
(this assumes that you are in the /tmp directory where
Change the "Source: /dev/rmt/0m" to "Source: /tmp/PHNE_1360.updt"
(this assumes that you are in the /tmp directory where
Change the "Source: /dev/rmt/0m" to "Source: /tmp/PHNE_1361.updt"
(this assumes that you are in the /tmp directory where

CERT Advisory CA-2002-03 Multiple Vulnerabilities in Many Implementations of the Simple Network Management Protocol (SNMP), Jun 14 2008
TMP Consultoria S/C
TMP would like to state that we have evaluated the impact of those vulnerabilities on our WANView line of network management solutions, and that we are in NO WAY vulnerable to any of the issues reported, as follows:
In case you have any questions or need further assistance regarding these matters, please contact us at <wanview@tmp.com.br>.
Feb 21, 2002: Updated NetScreen vendor statement
Feb 21, 2002: Added vendor statement for TMP Consultoria S/C
Feb 21, 2002: Added vendor statement for Xerox Corporation
Feb 21, 2002: Updated Inktomi vendor statement
Feb 21, 2002: Added vendor statement for nCipher Corp.

CERT Advisory CA-1996-19 Vulnerability in expreserve, Jun 14 2008
BSD/OS is not vulnerable to this problem. We ship the current Keith Bostic nvi which does not use the old expreserve scheme to save files (it uses the 4.4BSD-style 1777 tmp directories to store user tmp files in /var/tmp owned by the user and therefore doesn't require a setuid scheme to recover them).
4. Examine /tmp/update.log (in 9.X) or /var/adm/sw/swinstall.log (in 10.X), for any relevant WARNINGs or ERRORs.

CERT Advisory CA-1993-13 SCO Home Directory Vulnerability, Jun 14 2008
The home directories of the users "dos" and "asg" are /tmp and /usr/tmp respectively. These directories are designed to have global write permission.
--> confirm
--> confirm

CERT Advisory CA-1989-03 Telnet Breakin Warning, Jun 14 2008
Privileged programs - Programs that grant privileges to users (e.g., setuid root programs/shells in UNIX) can be exploited to gain unrestricted access to systems. System administrators should watch for such programs being placed in places such as /tmp and /usr/tmp (on UNIX systems). A common malicious practice is to place a setuid shell (sh or csh) in the /tmp directory, thus creating a "back door" whereby any user can gain privileged system access.

CERT Advisory CA-1995-08 Sendmail v.5 Vulnerability, Jun 14 2008
# uncompress /tmp/sendmail.new.Z
6) Put the new sendmail binary into place (in the example here the binary was retrieved via anonymous ftp and put in /tmp)
# mv /tmp/sendmail.new /usr/lib/sendmail
7) Insure the correct permissions and ownership on the new sendmail.

http://www.cert.org/advisories/CA-95.05.sendmail.vulnerabilities, Jun 14 2008
** example to use /tmp, first copy this file into /tmp.
** # cd /tmp

CERT Advisory CA-1995-04 NCSA HTTP Daemon for UNIX Vulnerability, Jun 14 2008
void strsubfirst(int start,char *dest, char *src) { ! char tmp;
! strcpy(tmp,&dest); ! strcpy(dest,src); ! strcpy(&dest,tmp); }

CERT Advisory CA-2002-31 Multiple Vulnerabilities in BIND, Jun 14 2008
... BYADDR: - result->n_name = result->n_aliases; + result->n_name = *result->n_aliases++; result->n_net = 0L; - break; - case BYNAME: - len = strlen (result->n_aliases); - tmp = (char *) alloca (len + 1); - tmp = 0; - wp = &tmp; - - rp = in...

CERT® Advisories, Jun 14 2008
This advisory describes a vulnerability in Solaris that can be exploited if the permissions on the /tmp and /var/tmp directories are set incorrectly.


Limit of 25 files reached.
Search results by Webglimpse Advanced Site Search Engine