Re: local root compromise in openbsd 3.0 and below

[Solar Designer <solar () openwall com>]

On Thu, Apr 11, 2002 at 01:29:28PM +0200, Przemyslaw Frasunek wrote:
>         default root crontab entry looks like:
>
>         # do daily/weekly/monthly maintenance
> # on monday only (techie)
> 30      1       *       *       1       /bin/sh /etc/daily 2>&1 | tee /var/log/d
> aily.out | mail -s "`/bin/hostname` daily output" root
> 30      3       *       *       6       /bin/sh /etc/weekly 2>&1 | tee /var/log/
> weekly.out | mail -s "`/bin/hostname` weekly output" root
> 30      5       1       *       *       /bin/sh /etc/monthly 2>&1 | tee /var/log/monthly.out | mail -s 
> "`/bin/hostname` monthly output" root

Dangerous stuff.  (The same applies to much of /etc/security on *BSD's.)

> Patch: http://www.openbsd.org/cgi-bin/cvsweb/src/usr.bin/mail/collect.c.diff?r1=1.23&r2=1.24

The bug appears to have been introduced before OpenBSD 2.9 (in January,
2001), with this commit message:

Changes from Don Beusee:
[...other changes skipped...]
o tilde commands work regardless of interactive mode.

The mailx (/bin/mail) on Owl is derived from OpenBSD 2.7 code and thus
doesn't contain this vulnerability.  (Should sync with the new OpenBSD
code eventually, but as we can see doing a sync blindly would be worse
than not doing it at all for a while longer.)  We also don't have cron
jobs like this.

-- 
/sd