Bugtraq mailing list archives
Re: your mail
From: vermont () GATE NET (Illuminati Primus)
Date: Mon, 24 Mar 1997 15:42:55 -0500
The problem is, Good Little Sysadmins(tm) would still be compromised due the fact that cron jobs are usually stored in /var/spool/cron . Cowzilla the bovine would still be able to append to root's crontab and get root. Now if /var/tmp was on a separate partition along with /tmp (why not just symlink them together?), then the Good Little Sysadmins(tm) would be saved. Even better would be a +securehlink mount option (I think there is a patch for linux). This would solve many problems related to hard links to files owned by other users (gzip, pine, quota rips offs, saving buggy suid root sendmails, etc). -Vermont vermont () gate net On Mon, 24 Mar 1997, Jamie Rishaw wrote:
Hello fellow mongoloids Try this: Make hard link of /etc/passwd to /var/tmp/dead.letter Telnet to port 25, send mail from some bad email address to some unreacheable hoost. Watch your message get appended to passwd. ie: cowzilla::0:0:c0wz1ll4 0wns u:/:/bin/shThis is why Good Little Sysadmins(tm) have /, /var, /tmp, /usr, etc. on separate partitions and/or drives. If /etc and /var/tmp are on different partitions this wont work. Can't symlink cross-device far as I know.This is not good. Worked with my 8.8.4, will probably also work with 8.8.5 Root for the whole family -Cowzilla the omnipotent b0v1n3 PD Greets to various #2600 people-- jamie g.k. rishaw <jamie () iagnet net> - Internet Access Group [www.iagnet.net] - Cleveland - Akron - Pittsburgh - Detroit - Columbus - Toledo - Corp: (800) 637 4IAG / (216) 623 3565. DID: (216) 902 5455. FAX (216) 623 3566. Personal: jamie@@arpa.com || jamie@@null.net (Remove second @, nonspammers) =)
Current thread:
- ANNOUNCE : NTCrack v2.0, (continued)
- ANNOUNCE : NTCrack v2.0 Jonathan Wilkins (Mar 29)
- more sendmail poop *Hobbit* (Mar 25)
- Reported Sendmail 8.8.4 Exploit gshapiro () SENDMAIL ORG (Mar 25)
- minor vulnerability in ELM Dmitry E. Kim (Mar 26)
- FreeBSD-SA-97:02: Buffer overflow in lpd Aleph One (Mar 26)
- Cisco 2509/2511 Albert Siersema (Mar 24)
- Re: Cisco 2509/2511 Dan Brown (Mar 24)
- Re: Cisco 2509/2511 Erdinc KAYA (Mar 24)
- Re: your mail Stefan Laudat (Mar 24)
- Re: your mail Jamie Rishaw (Mar 24)
- Re: your mail Illuminati Primus (Mar 24)
- ObNag: running sendmail as root Tom Guptill (Mar 24)
- buffer over in hp-ux 10.20 kernel Darren Reed (Mar 23)
- Re: buffer over in hp-ux 10.20 kernel Security Alert (Mar 26)