Hi. Thanks to Martin Moore <martin_at_decatl.alf.dec.com> for more exact
information. He pointed out to me that this vulnerability is fixed in
the current 4.0D patch kit. The 4.0D machine I tested on does not have
current patches.
Ann Cantelow
----------------------
Part of original message:
...
Hi. There's a new vulnerability coming out of BugTraq that it seems to me
people would want to know about. On 4.0D, but not 4.0G, you can read any
file on the system, including mailboxes and files storing passwords,
anything in ASCII format, possibly more. All you need is a login and
access to the crontab command.
What you can do is this:
edit your crontab: crontab -e
note the name of the temp file: /tmp/aaaa(something)
escape from vi to shell: :!sh
remove the temp file, and replace it with a soft link to the file you
want to read.
return to your crontab vi session, and attempt to file it.
crontab returns the contents of the file to screen, interspersed with
error messages about invalid format (your own crontab remains intact.)
...
Received on Thu Oct 26 2000 - 21:54:20 NZDT
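
Added example, not part of the original message and not the vendor's crontab code: a defensive check for the step described above, assuming the privileged program re-opens its temp file by pathname after the editor exits. The names `reopen_checked` and `demo` are hypothetical, and the /tmp paths are constructed for the demonstration.

```c
#define _XOPEN_SOURCE 700
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/stat.h>
#include <unistd.h>

/* Hypothetical helper: re-open the edited temp file only if it is still the
 * regular file this process created before starting the editor. */
int reopen_checked(const char *path, const struct stat *made)
{
    struct stat now;
    int fd = open(path, O_RDONLY | O_NOFOLLOW); /* fails if path is a symlink */
    if (fd < 0)
        return -1;
    if (fstat(fd, &now) != 0 || !S_ISREG(now.st_mode) || now.st_nlink != 1 ||
        now.st_dev != made->st_dev || now.st_ino != made->st_ino) {
        close(fd);                              /* replaced by a different file */
        return -1;
    }
    return fd;
}

/* Constructed scenario: returns 1 if the untouched temp file is accepted and
 * the soft-link replacement is rejected, 0 otherwise. */
int demo(void)
{
    char tmp[] = "/tmp/crontab_demo_XXXXXX";
    char other[] = "/tmp/crontab_other_XXXXXX"; /* stands in for a protected file */
    struct stat made;
    int fd = mkstemp(tmp), ofd = mkstemp(other), ok, swapped;
    if (fd < 0 || ofd < 0 || fstat(fd, &made) != 0)
        return 0;
    close(ofd);
    ok = reopen_checked(tmp, &made);            /* unchanged file: expect an fd */
    if (ok >= 0) close(ok);
    unlink(tmp);                                /* the swap from the message */
    if (symlink(other, tmp) != 0) return 0;
    swapped = reopen_checked(tmp, &made);       /* soft link: expect -1 */
    if (swapped >= 0) close(swapped);
    close(fd); unlink(tmp); unlink(other);
    return ok >= 0 && swapped < 0;
}

int main(void)
{
    printf("swap rejected: %s\n", demo() ? "yes" : "no");
    return 0;
}
```

The device and inode comparison also rejects a regular file substituted under the same name, which `O_NOFOLLOW` alone would not catch.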