Subject: Re: [firstname.lastname@example.org: local root compromise in openbsd 3.0 and below]
To: None <email@example.com>
From: Steven M. Bellovin <firstname.lastname@example.org>
Date: 04/11/2002 14:54:49

In message <20020411184446.GA1895@meltdown.kittenz.org>, email@example.com writes:
>on Thu, Apr 11, 2002 at 02:30:52PM -0400, Jan Schaumann wrote:
>> As seen on bugtraq just now.
>> The default crontab of root does not contain the mail-command, but
>> /etc/daily does, I believe. Thus, if some mischievous black soul were
>> somehow to create such a file in /etc/security we'd be SOL as well.
>> (Now how that person could create the file in /etc/security is a
>> different story)
>Surely it only requires that a line of output from /etc/security when it's
>executed to begin with user/filesystem supplied data?
>Is there anything wrong with using /usr/sbin/sendmail anywhere that doesn't
>need an actual MUA (eg, mail)?
>Or maybe only accept "dangerous" commands when stdin is not a tty?
This is a *really* old attack -- does it really still work? My very
quick tests suggest that it doesn't under NetBSD, because, as mail(1)
says in describing -I:

	In particular, the `~' special character when sending mail
	is only active in interactive mode.

--Steve Bellovin, http://www.research.att.com/~smb
Full text of "Firewalls" book now at http://www.wilyhacker.com
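
The suggestion in the thread to use /usr/sbin/sendmail where no MUA is needed, as an added example that is not part of the original messages: an audit for periodic scripts that pipe output into mail(1), and a header wrapper for `sendmail -t`, which is an MTA and does not process the tilde escapes that mail(1) does. The function names and the sample script are constructed for illustration.

```shell
#!/bin/sh
# Added example; function names and the sample script are constructed.

# Constructed sample of a periodic script (not the real /etc/daily).
sample_periodic_script() {
    cat <<'EOF'
#!/bin/sh
# sh /etc/security 2>&1 | mail -s "security output" root
sh /etc/security 2>&1 | mail -s "security output" root
df -k | /usr/bin/Mail -s "disk usage" root
sh /etc/security 2>&1 | build_message root "security output" | /usr/sbin/sendmail -t
EOF
}

# find_mail_pipes FILE...: print file:line:text for every non-comment line
# that pipes into mail, Mail or mailx (an MUA); sendmail is not matched.
find_mail_pipes() {
    grep -nE '\|[[:space:]]*(/[^[:space:]]*/)?(mail|Mail|mailx)([[:space:]]|$)' \
        "$@" /dev/null | grep -vE '^[^:]*:[0-9]+:[[:space:]]*#'
}

# build_message RCPT SUBJECT: wrap stdin in minimal headers for "sendmail -t".
# CR/LF are stripped from the header values so they cannot add extra headers.
build_message() {
    rcpt=$(printf '%s' "$1" | tr -d '\r\n')
    subj=$(printf '%s' "$2" | tr -d '\r\n')
    printf 'To: %s\nSubject: %s\n\n' "$rcpt" "$subj"
    cat
}

# Demo: audit the constructed sample; lines 3 and 4 are reported.
tmp=$(mktemp) && sample_periodic_script > "$tmp"
find_mail_pipes "$tmp"
rm -f "$tmp"
# Replacement for a flagged line (not run here):
#   sh /etc/security 2>&1 | build_message root "security output" | /usr/sbin/sendmail -t
```

The body passes through `build_message` unchanged, so a report line that begins with `~` reaches the recipient as ordinary text.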