CVE-2016-3992
Description
Cronic before version 3 uses predictable temporary file names in /tmp, allowing local users to perform symlink attacks to overwrite arbitrary files.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Vulnerability
Cronic is a shell script that wraps a cron job and captures its standard output, standard error and trace output in three temporary files. Before version 3 those files were /tmp/cronic.out.$$, /tmp/cronic.err.$$ and /tmp/cronic.trace.$$, where $$ is the PID of the running script, so the names carry no randomness and are identical for every job that happens to receive that PID. The files are created by ordinary shell redirection in the world-writable /tmp directory; the redirection opens the path with O_CREAT|O_TRUNC and neither O_EXCL nor O_NOFOLLOW, so an existing symlink at that path is followed rather than refused. The code path is reachable on every invocation, since the capture files are opened as soon as cronic starts the wrapped command [1][2].
Exploitation
A local attacker who can create symlinks in /tmp needs only the PID the cronic process will run under. PIDs are handed out sequentially and are cheap to guess: the attacker can observe the PIDs of earlier runs of the job, or simply plant symlinks for every plausible PID in advance, since a few thousand symlinks cost nothing. Each link points from the predicted temporary file path to a file the victim can write, such as ~/.bashrc or a configuration file. Because the link exists before cronic starts, there is no race to win: when cronic opens the temporary file for writing, the kernel follows the link, truncates the target and writes the job's output into it. The attacker chooses where the write lands but not what is written; the content is whatever the wrapped job emits, unless that output can itself be influenced [1][2].
Impact
An attacker can truncate and overwrite any file writable by the user cronic runs as. Jobs wrapped by cronic are typically started from a crontab, and when that crontab belongs to root the writable set includes system configuration files, so the outcome ranges from denial of service (a clobbered configuration file or script) to privilege escalation when the attacker can also steer the job's output into a file that is later executed or parsed. No privileges beyond a local account with access to /tmp and the ability to create symlinks are required, which any local user has by default [1][2].
Mitigation
Upgrade to cronic version 3 or later, which creates a private directory with mktemp -d and places the capture files inside it, so the names are unpredictable and an already existing path is refused rather than followed. The available references give no release date for version 3 and document no workarounds [1]. Independently of cronic, Linux kernels since 3.6 offer fs.protected_symlinks=1 (enabled by default on most current distributions), which refuses to follow a symlink in a sticky world-writable directory such as /tmp unless the process following it owns the link or the directory owner does; that blocks this class of attack across user accounts but does not help when the link and the cronic process belong to the same account. The vulnerability has been assigned CVE-2016-3992 [1].
AI Insight generated on May 23, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
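The redirection pattern described under Vulnerability and Exploitation, next to the mktemp -d pattern that Mitigation refers to, as an added shell example that is not cronic's own code. Only the /tmp/cronic.out.$$ naming scheme comes from the CVE description; the scratch directory that stands in for /tmp, the victim.rc target, the cronic-v2-like.sh snippet and every function name are constructed for this demonstration.

```shell
#!/bin/sh
# Added example; not cronic's own code. Reproduces the file clobber that a
# predictable "/tmp/name.$$" capture file allows, shows the mktemp -d pattern
# that closes it, and includes a grep audit for the vulnerable idiom.
# Everything lives under a private scratch directory that stands in for the
# world-writable /tmp, so nothing outside it is touched.

set -u

SANDBOX=$(mktemp -d)                      # stand-in for /tmp (constructed)
trap 'rm -rf "$SANDBOX"' EXIT
TARGET="$SANDBOX/victim.rc"               # stand-in for a victim-writable file such as ~/.bashrc
printf 'original contents\n' > "$TARGET"

# Constructed stand-in for the pre-v3 idiom (not the real cronic source), used
# only as input to the audit function below.
VULN_SNIPPET="$SANDBOX/cronic-v2-like.sh"
cat > "$VULN_SNIPPET" <<'EOF'
#!/bin/bash
OUT=/tmp/cronic.out.$$
ERR=/tmp/cronic.err.$$
TRACE=/tmp/cronic.trace.$$
"$@" >$OUT 2>$TRACE
EOF

# Attacker side: plant a symlink at the name the wrapper will use for PID $1.
# A real attacker plants these for a range of likely PIDs before the cron job
# fires; the link only has to exist before the wrapper's first redirection.
plant_symlink() {
    ln -s "$TARGET" "$SANDBOX/cronic.out.$1"
}

# Vulnerable wrapper (cronic < 3 style): the name depends only on $$, and the
# '>' redirection opens with O_CREAT|O_TRUNC, follows an existing symlink and
# truncates whatever it points at.
vuln_capture() {
    out="$SANDBOX/cronic.out.$$"
    printf 'job output\n' > "$out"
    printf '%s\n' "$out"
}

# Hardened wrapper: mktemp -d creates a fresh mode-0700 directory with an
# unpredictable name and fails instead of reusing an existing path, so no
# pre-planted link can sit at the capture location.
safe_capture() {
    tmp=$(mktemp -d "$SANDBOX/cronic.XXXXXXXX") || return 1
    out="$tmp/cronic.out"
    printf 'job output\n' > "$out"
    printf '%s\n' "$out"
}

# Audit helper: count lines that build a path from a fixed /tmp prefix and $$.
# Prints the count and always returns 0 so it is safe under set -e.
count_predictable_tmp() {
    grep -cE '/tmp/[^ "]*\$\$' "$1" || true
}

# Demonstration: clobber via the vulnerable path, then show the hardened path
# leaves the victim file alone, then audit the constructed snippet.
run_demo() {
    plant_symlink "$$"
    vuln_capture >/dev/null
    printf 'vulnerable wrapper: victim now reads "%s"\n' "$(cat "$TARGET")"

    printf 'original contents\n' > "$TARGET"
    rm -f "$SANDBOX/cronic.out.$$"
    safe_capture >/dev/null
    printf 'hardened wrapper:   victim still reads "%s"\n' "$(cat "$TARGET")"

    printf 'audit: %s predictable /tmp names in %s\n' \
        "$(count_predictable_tmp "$VULN_SNIPPET")" "$VULN_SNIPPET"
}

run_demo
```

The demo keeps the planted link and the "cron job" under one uid on purpose: on a kernel with fs.protected_symlinks=1 a link planted by one user in the sticky /tmp would be refused when another user's cronic follows it, so a cross-user reproduction needs that sysctl off. The audit regex is deliberately narrow (a literal /tmp prefix followed by $$); scripts that build the name through a variable or use $RANDOM need a wider pattern.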
Affected products (2)
Patches (0)
No patches discovered yet.
References (4)
- lists.opensuse.org/opensuse-updates/2016-07/msg00013.html (NVD: Third Party Advisory)
- bugs.debian.org/cgi-bin/bugreport.cgi (NVD: Third Party Advisory)
- www.openwall.com/lists/oss-security/2016/04/09/4 (NVD)
- www.openwall.com/lists/oss-security/2016/04/10/2 (NVD)
News mentions (0)
No linked articles in our index yet.