Subject: Re: [ local root compromise in openbsd 3.0 and below]
To: None <>
From: Steven M. Bellovin <>
List: tech-security
Date: 04/11/2002 14:54:49
In message <>, writes:
>on Thu, Apr 11, 2002 at 02:30:52PM -0400, Jan Schaumann wrote:
>> As seen on bugtraq just now.
>> The default crontab of root does not contain the mail-command, but
>> /etc/daily does, I believe.  Thus, if some mischievous black soul were
>> somehow to create such a file in /etc/security we'd be SOL as well.
>> (Now how that person could create the file in /etc/security is a
>> different story)
>Surely it only requires a line of output from /etc/security, when it's
>executed, to begin with user/filesystem-supplied data?
>Is there anything wrong with using /usr/sbin/sendmail anywhere that doesn't
>need an actual MUA (eg, mail)?
>Or maybe only accept "dangerous" commands when stdin is not a tty?
This is a *really* old attack -- does it really still work?  My very 
quick tests suggest that it doesn't under NetBSD, because, as mail(1) 
says in describing -I:

	In particular, the `~' special character when sending mail
	is only active in interactive mode.

		--Steve Bellovin,
		Full text of "Firewalls" book now at
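The thread's suggested mitigation (hand report output to /usr/sbin/sendmail rather than to an MUA such as mail(1)) as an added example; this is not code from the thread, from /etc/daily or from /etc/security, and nothing in the NetBSD tree is reproduced here. It assumes a hypothetical SENDMAIL variable naming the delivery command so the functions can be exercised offline; everything else is constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the thread, not NetBSD's /etc/daily or /etc/security):
# deliver periodic-report output through /usr/sbin/sendmail instead of mail(1).
# sendmail is an MTA: it reads headers, then the body verbatim, and never
# interprets the `~' escapes that an interactive mail(1) session would.
#
# Assumption (hypothetical): SENDMAIL names the delivery command; it defaults
# to /usr/sbin/sendmail and may be pointed at a stub for offline testing.
SENDMAIL=${SENDMAIL:-/usr/sbin/sendmail}

# count_tilde_lines: read a report on stdin and print how many lines begin
# with `~'.  These are exactly the lines an interactive MUA would treat as
# escape commands, so a non-zero count is worth logging before delivery.
count_tilde_lines() {
    awk '/^~/ { n++ } END { print n + 0 }'
}

# send_report TO SUBJECT: read the body on stdin, prepend RFC 822 headers and
# hand the whole message to sendmail.  -t takes recipients from the headers;
# -oi keeps a body line consisting of a single "." from ending the message.
send_report() {
    to=$1
    subject=$2
    {
        printf 'To: %s\n' "$to"
        printf 'Subject: %s\n' "$subject"
        printf '\n'
        cat
    } | "$SENDMAIL" -oi -t
}

# Typical use from a periodic script (constructed example, not run here):
#   sh /etc/security 2>&1 | send_report root "daily security output"
```

The body is passed through untouched, so a report line that happens to start with `~` (a file named `~scratch`, for instance) arrives as data rather than as a command; `count_tilde_lines` exists only so a script can note such lines in its own log if it is still using an MUA somewhere.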