Bugtraq mailing list archives

Re: Vixie Crontab exploit code

From: rjp () BROWSER ORG (rjp () BROWSER ORG)
Date: Tue, 7 Sep 1999 07:15:29 +0100


In message <19990902004829.A2579 () ohhara postech ac kr>,
           Taeho Oh writes:


# Tested redhat linux : 4.2, 5.0, 5.1, 6.0
# Tested vixie crontab version : 3.0.1


Tried this on a non-hardened SuSE 6.1 with cron 3.0.1 with no result.

The script didn't change the DefaultUser for sendmail to start with because
SuSE doesn't use numeric ids in it's sendmail.cf.  I also fixed the script
so that the user-created sendmail.cf actually had DefaultUser=0:0 (I think
this was just a typo -- /tmp/sendmail.cf gets created with DefaultUser=0:0
but then is overwritten with the value from /etc/sendmail.cf.)

Even with those two fixes, I still just get a shell owned by my uid/gid.

--
rob partington % rjp () browser org % http://lynx.browser.org/

Current thread:

Re: Vixie Crontab exploit code Michal Zalewski (Jul 06)
- <Possible follow-ups>
- Vixie Crontab exploit code Taeho Oh (Sep 01)
  - Re: Vixie Crontab exploit code rjp () BROWSER ORG (Sep 06)