[11675] in bugtraq
Re: Root shell vixie cron exploit
daemon@ATHENA.MIT.EDU (Seva Gluschenko)
Fri Sep 3 20:23:13 1999
X-Envelope-To: BUGTRAQ@SECURITYFOCUS.COM
Mime-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Message-Id: <Pine.BSF.4.10.9909012102410.31140-100000@diggy.rinet.ru>
Date: Wed, 1 Sep 1999 21:08:55 +0400
Reply-To: Seva Gluschenko <gvs@RINET.RU>
From: Seva Gluschenko <gvs@RINET.RU>
X-To: Michal Zalewski <lcamtuf@IDS.PL>
To: BUGTRAQ@SECURITYFOCUS.COM
In-Reply-To: <lcamtuf.4.05.9907051224120.392-200000@nimue.ids.pl>
Message from Michal Zalewski at Jul 5 14:20 in parts:
MZ> For script kiddiez, here's an exploit for recent vixie-cron vulnerability,
MZ> giving instant root shell. Thought it will help script kiddies, but as
MZ> Martin Schulze included almost step-by-step guide how to abuse Sendmail
MZ> flags, this exploit won't bring anything shocking - simply, it's working
MZ> example.
man sendmail:
/-C
...skipping...
-Cfile Use alternate configuration file. Sendmail refuses to run
as root if an alternate configuration file is specified.
and it does, for sure %-).
Just tested this on different versions of FreeBSD and had no effects
except Mail Delivery message:
The following address has permanent fatal errors:
-C/tmp/vixie-cf gvs
So, sendmail _really_ refuses to accept -C key when run as root
SY, Seva Gluschenko, just stranger at the Road. | http://gvs.rinet.ru/
Cronyx Plus / RiNet network administrator. | GVS-RIPE | GVS3-RIPN
