[19238] in bugtraq


Re: vixie cron possible local root compromise

daemon@ATHENA.MIT.EDU (Mate Wierdl)
Thu Feb 15 16:36:25 2001

Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
Message-Id:  <20010215093211.B22473@thales.memphis.edu>
Date:         Thu, 15 Feb 2001 09:32:11 -0600
Reply-To: Mate Wierdl <mw@THALES.MEMPHIS.EDU>
From: Mate Wierdl <mw@THALES.MEMPHIS.EDU>
To: BUGTRAQ@SECURITYFOCUS.COM
In-Reply-To:  <20010214122114.A3479@hq.alert.sk>; from nite@HQ.ALERT.SK on Wed,
              Feb 14, 2001 at 12:21:14PM +0100

On Wed, Feb 14, 2001 at 12:21:14PM +0100, Robert Varga wrote:
> On Mon, Feb 12, 2001 at 03:46:20PM -0800, Blake R. Swopes wrote:
> > Considering what overflows the buffer (your username), it would seem that
> > you'd need root access to begin with in order to craft an exploit. Am I
> > wrong?
>
> Well this could be used to gain root privileges on free shell-account
> servers, which don't do the proper bounds checking and the registration
> process is fully automated...

On my RedHat 7.0 box, you can add a username longer than 20
characters using standard tools:

# useradd Arnold.Schwarzenegger
# su - Arnold.Schwarzenegger
[Arnold.Schwarzenegger@thales Arnold.Schwarzenegger]$ crontab -e
Segmentation fault

I think this example negates many of the arguments in this thread,
doesn't it?

Mate
---
Mate Wierdl | Dept. of Math. Sciences | University of Memphis
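
Added example, not part of the original post and not taken from cron's source: a bounds-checked copy of a login name into a fixed buffer, which rejects an over-length name such as the one above instead of overflowing or silently truncating it. `MAX_UNAME`, `copy_login_name` and `current_login_name` are hypothetical names, and the 20-byte size is an assumption based on the "longer than 20 characters" figure in the message.

```c
#include <errno.h>
#include <pwd.h>
#include <stdio.h>
#include <string.h>
#include <sys/types.h>
#include <unistd.h>

/* Assumed size, from the "longer than 20 characters" figure in the post. */
#define MAX_UNAME 20

/* Copy a login name into a fixed buffer.
 * Returns 0 on success; -1 with errno set if the name (plus its NUL) does
 * not fit. It never truncates: a truncated name could match another account.
 * The unsafe pattern this replaces is an unchecked strcpy(dst, src). */
int copy_login_name(char *dst, size_t dstsize, const char *src)
{
    const char *nul;

    if (dst == NULL || src == NULL || dstsize == 0) {
        errno = EINVAL;
        return -1;
    }
    nul = memchr(src, '\0', dstsize);   /* scans at most dstsize bytes */
    if (nul == NULL) {                  /* no terminator within the buffer size */
        dst[0] = '\0';
        errno = ENAMETOOLONG;
        return -1;
    }
    memcpy(dst, src, (size_t)(nul - src) + 1);
    return 0;
}

/* Look up the invoking user's name and fail closed if it cannot be stored. */
int current_login_name(char *dst, size_t dstsize)
{
    struct passwd *pw = getpwuid(getuid());

    if (pw == NULL) { errno = ENOENT; return -1; }
    return copy_login_name(dst, dstsize, pw->pw_name);
}

int main(void)
{
    char user[MAX_UNAME];

    if (current_login_name(user, sizeof user) != 0) { perror("login name"); return 1; }
    printf("running as %s\n", user);
    return 0;
}
```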
