Bugtraq mailing list archives

Re: Vixie Crontab exploit code
From: rjp () BROWSER ORG (rjp () BROWSER ORG)
Date: Tue, 7 Sep 1999 07:15:29 +0100


In message <19990902004829.A2579 () ohhara postech ac kr>,
           Taeho Oh writes:

# Tested redhat linux : 4.2, 5.0, 5.1, 6.0
# Tested vixie crontab version : 3.0.1

Tried this on a non-hardened SuSE 6.1 with cron 3.0.1 with no result.

The script didn't change the DefaultUser for sendmail to start with because
SuSE doesn't use numeric ids in its sendmail.cf.  I also fixed the script
so that the user-created sendmail.cf actually had DefaultUser=0:0 (I think
this was just a typo -- /tmp/sendmail.cf gets created with DefaultUser=0:0
but then is overwritten with the value from /etc/sendmail.cf.)

Even with those two fixes, I still just get a shell owned by my uid/gid.

--
rob partington % rjp () browser org % http://lynx.browser.org/


