Subject: Re: CRITICAL ** Holes in default cron jobs ** CRITICAL
To: None <current-users@NetBSD.ORG>
From: Michael Richardson <mcr@sandelman.ottawa.on.ca>
List: current-users
Date: 12/29/1996 13:47:05

>Technical Details
>~~~~~~~~~~~~~~~~~
>The first problem with /etc/security is that it passes unchecked data to
>a shell.  If a user creates a file whose name contains shell
>metacharacters and makes it executable and setuid, /etc/security will
>gladly execute commands specified in the name of the file as root.
>The problem is the big find line used to search for setuid files,
>which in 4.4BSDlite2 reads:
>(find / ! -fstype local -a -prune -o \
>    \( -perm -u+s -o -perm -g+s -o ! -type d -a ! -type f -a ! -type l -a \
>       ! -type s \) | \
>sort | sed -e 's/^/ls -ldgT /' | sh > $LIST) 2> $OUTPUT

  Uh, isn't this missing a -print *anyway* ???
  I wasn't able to exploit this until I added one.

   :!mcr!:            |  Network security consulting and 
   Michael Richardson |      contract programming
 WWW: mcr@sandelman.ottawa.on.ca. PGP key available.
