[11690] in bugtraq
Re: Root shell vixie cron exploit
daemon@ATHENA.MIT.EDU (Michal Zalewski)
Sat Sep 4 07:35:42 1999
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Message-Id: <Pine.LNX.4.10.9909012106380.3895-100000@dione.ids.pl>
Date: Wed, 1 Sep 1999 21:08:56 +0200
Reply-To: Michal Zalewski <lcamtuf@DIONE.IDS.PL>
From: Michal Zalewski <lcamtuf@DIONE.IDS.PL>
X-To: Seva Gluschenko <gvs@rinet.ru>
To: BUGTRAQ@SECURITYFOCUS.COM
In-Reply-To: <Pine.BSF.4.10.9909012102410.31140-100000@diggy.rinet.ru>
On Wed, 1 Sep 1999, Seva Gluschenko wrote:
> man sendmail:
> /-C
> ...skipping...
> -Cfile Use alternate configuration file. Sendmail refuses to run
> as root if an alternate configuration file is specified.
>
> and it does, for sure %-).
>
> Just tested this on different versions of FreeBSD and had no effects
> except Mail Delivery message:
>
> The following address has permanent fatal errors:
> -C/tmp/vixie-cf gvs
>
> So, sendmail _really_ refuses to accept -C key when run as root

Probably you have some problems with understanding written word ;P REFUSES
TO RUN AS ROOT means: if alternate config file is specified, effective
root privileges (Setuid) are dropped. But from crond, sendmail is launched
with uid==euid==0. DOES NOT apply. FreeBSD seems to be patched against
this attack, that's another issue ;P
_______________________________________________________________________
Michal Zalewski [lcamtuf@ids.pl] [link / marchew] [dione.ids.pl SYSADM]
[Marchew Industries] ! [http://lcamtuf.na.export.pl] bash$ :(){ :|:&};:
[voice phone: +48 22 813 25 86] <=-=> [cellular phone: +48 501 4000 69]
To iterate is human, to recurse divine [P. Deutsch]
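
Added example, not part of the original message and not sendmail or cron source: a small C model of the rule argued above, showing that the alternate-config privilege drop depends on the real and effective uid differing, so a mailer started with uid==euid==0 keeps root. The names alt_config_outcome and recipient_is_safe are hypothetical, and the recipient check is an assumed caller-side mitigation, not the FreeBSD patch mentioned in the message.

```c
#include <stdbool.h>
#include <stdio.h>
#include <sys/types.h>

/* Illustrative model of the rule argued above; not sendmail source code. */
enum cf_outcome { CF_DEFAULT, CF_ALT_UNPRIVILEGED, CF_ALT_AS_ROOT };

/* What an alternate config file (-C) means for a given real/effective uid. */
enum cf_outcome alt_config_outcome(uid_t ruid, uid_t euid, bool alt_cf)
{
    if (!alt_cf)
        return CF_DEFAULT;
    if (ruid != euid)          /* privilege came from the setuid bit: dropped */
        return CF_ALT_UNPRIVILEGED;
    if (euid == 0)             /* uid == euid == 0, e.g. started by crond */
        return CF_ALT_AS_ROOT; /* nothing setuid-derived to drop */
    return CF_ALT_UNPRIVILEGED;
}

/* Hypothetical caller-side check (assumption, not taken from any cron):
 * refuse a recipient the mailer could parse as an option or split in two. */
bool recipient_is_safe(const char *rcpt)
{
    if (rcpt == NULL || rcpt[0] == '\0' || rcpt[0] == '-')
        return false;
    for (const unsigned char *p = (const unsigned char *)rcpt; *p; p++)
        if (*p <= ' ' || *p == 0x7f)   /* whitespace or control character */
            return false;
    return true;
}

int main(void)
{
    static const char *names[] = { "default config", "alt config, unprivileged",
                                   "alt config, still root" };
    /* Constructed cases: setuid start by uid 1000, then a root daemon start. */
    printf("user via setuid: %s\n", names[alt_config_outcome(1000, 0, true)]);
    printf("root daemon:     %s\n", names[alt_config_outcome(0, 0, true)]);
    /* The recipient string from the bounce quoted in the message. */
    printf("recipient ok:    %d\n", recipient_is_safe("-C/tmp/vixie-cf gvs"));
    return 0;
}
```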