Re: local root compromise in openbsd 3.0 and below

From: Solar Designer (solar@openwall.com)
Date: 04/11/02


Date: Fri, 12 Apr 2002 00:02:05 +0400
From: Solar Designer <solar@openwall.com>
To: Przemyslaw Frasunek <venglin@freebsd.lublin.pl>

On Thu, Apr 11, 2002 at 01:29:28PM +0200, Przemyslaw Frasunek wrote:
> default root crontab entry looks like:
>
> # do daily/weekly/monthly maintenance
> # on monday only (techie)
> 30 1 * * 1 /bin/sh /etc/daily 2>&1 | tee /var/log/d
> aily.out | mail -s "`/bin/hostname` daily output" root
> 30 3 * * 6 /bin/sh /etc/weekly 2>&1 | tee /var/log/
> weekly.out | mail -s "`/bin/hostname` weekly output" root
> 30 5 1 * * /bin/sh /etc/monthly 2>&1 | tee /var/log/monthly.out | mail -s "`/bin/hostname` monthly output" root

Dangerous stuff. (The same applies to much of /etc/security on *BSD's.)

> Patch: http://www.openbsd.org/cgi-bin/cvsweb/src/usr.bin/mail/collect.c.diff?r1=1.23&r2=1.24

The bug appears to have been introduced before OpenBSD 2.9 (in January,
2001), with this commit message:

Changes from Don Beusee:
[...other changes skipped...]
o tilde commands work regardless of interactive mode.

The mailx (/bin/mail) on Owl is derived from OpenBSD 2.7 code and thus
doesn't contain this vulnerability. (Should sync with the new OpenBSD
code eventually, but as we can see doing a sync blindly would be worse
than not doing it at all for a while longer.) We also don't have cron
jobs like this.

-- 
/sd



Relevant Pages