Bugtraq mailing list archives
Re: local root compromise in openbsd 3.0 and below
From: Solar Designer <solar () openwall com>
Date: Fri, 12 Apr 2002 00:02:05 +0400
On Thu, Apr 11, 2002 at 01:29:28PM +0200, Przemyslaw Frasunek wrote:
default root crontab entry looks like: # do daily/weekly/monthly maintenance # on monday only (techie) 30 1 * * 1 /bin/sh /etc/daily 2>&1 | tee /var/log/d aily.out | mail -s "`/bin/hostname` daily output" root 30 3 * * 6 /bin/sh /etc/weekly 2>&1 | tee /var/log/ weekly.out | mail -s "`/bin/hostname` weekly output" root 30 5 1 * * /bin/sh /etc/monthly 2>&1 | tee /var/log/monthly.out | mail -s "`/bin/hostname` monthly output" root
Dangerous stuff. (The same applies to much of /etc/security on *BSD's.)
Patch: http://www.openbsd.org/cgi-bin/cvsweb/src/usr.bin/mail/collect.c.diff?r1=1.23&r2=1.24
The bug appears to have been introduced before OpenBSD 2.9 (in January, 2001), with this commit message: Changes from Don Beusee: [...other changes skipped...] o tilde commands work regardless of interactive mode. The mailx (/bin/mail) on Owl is derived from OpenBSD 2.7 code and thus doesn't contain this vulnerability. (Should sync with the new OpenBSD code eventually, but as we can see doing a sync blindly would be worse than not doing it at all for a while longer.) We also don't have cron jobs like this. -- /sd
Current thread:
- local root compromise in openbsd 3.0 and below Przemyslaw Frasunek (Apr 11)
- Re: local root compromise in openbsd 3.0 and below Solar Designer (Apr 11)
- Re: local root compromise in openbsd 3.0 and below Manuel Bouyer (Apr 12)
- Re: local root compromise in openbsd 3.0 and below Brett Glass (Apr 15)
- Re: local root compromise in openbsd 3.0 and below Manuel Bouyer (Apr 15)
- Re: local root compromise in openbsd 3.0 and below Brett Glass (Apr 15)