[11755] in bugtraq


Re: Vixie Crontab exploit code

daemon@ATHENA.MIT.EDU (rjp@BROWSER.ORG)
Wed Sep 8 20:42:35 1999

Message-Id:  <199909070615.HAA65748@riffraff.plig.net>
Date:         Tue, 7 Sep 1999 07:15:29 +0100
Reply-To: rjp@browser.org
From: rjp@BROWSER.ORG
X-To:         ohhara@postech.edu
To: BUGTRAQ@SECURITYFOCUS.COM
In-Reply-To:  Your message of "Thu, 02 Sep 1999 00:48:29 +0900." 
              <19990902004829.A2579@ohhara.postech.ac.kr>

In message <19990902004829.A2579@ohhara.postech.ac.kr>,
           Taeho Oh writes:
>
> # Tested redhat linux : 4.2, 5.0, 5.1, 6.0
> # Tested vixie crontab version : 3.0.1

Tried this on a non-hardened SuSE 6.1 with cron 3.0.1 with no result.

The script didn't change the DefaultUser for sendmail to start with because
SuSE doesn't use numeric ids in its sendmail.cf.  I also fixed the script
so that the user-created sendmail.cf actually had DefaultUser=0:0 (I think
this was just a typo -- /tmp/sendmail.cf gets created with DefaultUser=0:0
but then is overwritten with the value from /etc/sendmail.cf.)

Even with those two fixes, I still just get a shell owned by my uid/gid.
--
rob partington % rjp@browser.org % http://lynx.browser.org/
