Subject: Re: [venglin@freebsd.lublin.pl: local root compromise in openbsd 3.0 and below]
To: None <tech-security@netbsd.org>
From: Steven M. Bellovin <smb@research.att.com>
List: tech-security
Date: 04/11/2002 14:54:49
In message <20020411184446.GA1895@meltdown.kittenz.org>, xs@kittenz.org writes:
>on Thu, Apr 11, 2002 at 02:30:52PM -0400, Jan Schaumann wrote:
>> As seen on bugtraq just now.
>> The default crontab of root does not contain the mail-command, but
>> /etc/daily does, I believe.  Thus, if some mischievous black soul were
>> somehow to create such a file in /etc/security we'd be SOL as well.
>> 
>> (Now how that person could create the file in /etc/security is a
>> different story)
>
>Surely it only requires that a line of output from /etc/security when it's
>executed to begin with user/filesystem supplied data?
>
>Is there anything wrong with using /usr/sbin/sendmail anywhere that doesn't
>need an actual MUA (eg, mail)?
>Or maybe only accept "dangerous" commands when stdin is not a tty?
>
This is a *really* old attack -- does it really still work?  My very 
quick tests suggest that it doesn't under NetBSD, because, as mail(1) 
says in describing -I:

	In particular, the `~' special character when sending mail
	is only active in interactive mode.
		--Steve Bellovin, http://www.research.att.com/~smb
		Full text of "Firewalls" book now at http://www.wilyhacker.com
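As an added illustration of the mitigations proposed in the thread (handing report output to the MTA instead of an MUA, and refusing to drive mail(1) from a terminal), here is example code that is not part of the original post or of any BSD's /etc/security. It assumes BSD mail(1) semantics, where a line beginning with "~~" is delivered as a literal "~", and treats /usr/sbin/sendmail as the usual MTA path.

```shell
#!/bin/sh
# Added example (not from the thread or from /etc/security): feed a periodic
# report to a mailer without letting lines that begin with "~" be read as
# mail(1) escape commands.  Assumes BSD mail(1) ("~~" at the start of a line
# yields a literal "~") and the conventional /usr/sbin/sendmail path.

# Constructed sample report: the first line starts with a tilde, the kind of
# filesystem-supplied text the thread worries about.
SAMPLE_REPORT='~ constructed report line that begins with a tilde
normal report line'

# Double a leading tilde so mail(1) shows a literal "~" instead of treating
# the rest of the line as an escape.
escape_tilde_lines() {
    sed 's/^~/~~/'
}

# Preferred route: bypass the MUA entirely.  sendmail -t takes the recipients
# from the headers and interprets no tilde escapes in the body on stdin.
mail_report_via_sendmail() {
    to="$1"; subject="$2"
    {
        printf 'To: %s\n' "$to"
        printf 'Subject: %s\n\n' "$subject"
        cat
    } | /usr/sbin/sendmail -oi -t
}

# Fallback for scripts that must keep using mail(1): refuse when stdin is a
# terminal (escapes are live in interactive mode) and escape the body anyway.
mail_report_via_mail() {
    to="$1"; subject="$2"
    if [ -t 0 ]; then
        echo "refusing to send report from an interactive stdin" >&2
        return 1
    fi
    escape_tilde_lines | mail -s "$subject" "$to"
}

# Returns the sample report with tilde lines neutralised, for inspection.
escaped_sample() {
    printf '%s\n' "$SAMPLE_REPORT" | escape_tilde_lines
}
```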