[36454] in bugtraq


home	help	back	first	fref	pref	prev	next	nref	lref	last	post

Re: cdrecord local root exploit

daemon@ATHENA.MIT.EDU (Sean Davis)
Mon Sep 13 18:58:01 2004

Date: Sun, 12 Sep 2004 13:10:09 -0400
From: Sean Davis <dive@endersgame.net>
To: newbug Tseng <newbug@chroot.org>
Cc: bugtraq@securityfocus.com
Message-ID: <20040912171009.GB29569@endersgame.net>
Mime-Version: 1.0
Content-Type: multipart/signed; micalg=pgp-sha1;
	protocol="application/pgp-signature"; boundary="XsQoSWH+UP9D9v3l"
Content-Disposition: inline
In-Reply-To: <20040910013017.6602.qmail@www.securityfocus.com>


--XsQoSWH+UP9D9v3l
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
Content-Transfer-Encoding: quoted-printable

On Fri, Sep 10, 2004 at 01:30:17AM -0000, newbug Tseng wrote:
>=20
>=20
> #!/bin/bash
>=20
> echo "cdr-exp.sh -- CDRecord local exploit ( Tested on cdrecord-2.01-0.a2=
7.2mdk + Mandrake10)"
> echo "Author    : newbug [at] chroot.org"
> echo "IRC       : irc.chroot.org #chroot"
> echo "Date      :09.09.2004"

I don't see how this is a bug in cdrecord. It's a bug in Mandrake, caused by
shipping cdrecord setuid root. You could do the same thing with CVS (set
CVS_RSH to /tmp/s) if your distribution was dumb enough to ship cvs setuid
root, I would think, yet that wouldn't be a bug in CVS.

-Sean

--
/~\ The ASCII
\ / Ribbon Campaign                   Sean Davis
 X  Against HTML                       aka dive
/ \ Email!

--XsQoSWH+UP9D9v3l
Content-Type: application/pgp-signature
Content-Disposition: inline

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.4 (NetBSD)

iD8DBQFBRILxncZv+931Zb8RAtmVAKCf3b1Fuz0QYRKHCZvqHD5HJ6eNOACfQ1Ut
hirwrfS3bvqDdza9d9UgKC8=
=+QoO
-----END PGP SIGNATURE-----

--XsQoSWH+UP9D9v3l--


home	help	back	first	fref	pref	prev	next	nref	lref	last	post

[36454] in bugtraq

Re: cdrecord local root exploit

daemon@ATHENA.MIT.EDU (Sean Davis)Mon Sep 13 18:58:01 2004

daemon@ATHENA.MIT.EDU (Sean Davis)
Mon Sep 13 18:58:01 2004