From: Nate Eldredge (neldredge HMC.EDU)
Date: Mon Feb 05 2001 - 00:37:31 CST
Jose Nazario writes:
> On Sun, 4 Feb 2001, Martin Schulze wrote:
>
> > Please tell me what you gain from this. man does not run setuid
> > root/man but only setgid man. So all you can exploit this to is a
> > shell running under your own user id.
>
> sucker admins who m4 their sendmail.mc's as root, chiefly if you trick
> them into processing an untrusted and untrustworthy .mc file.
Umm... rather, if you can sucker them into processing a file named
"524t24y0%(%R&87963%n%n%n%n%n234t/bin/sh25r7u.mc" or something
similar. The exploit requires a carefully crafted command line
argument.

If you can sucker them into processing an untrustworthy .mc file, they
are in trouble anyway:
#! /usr/bin/m4
syscmd(chmod 04755 /home/hax0r/sh)
--
Nate Eldredge neldredge hmc.edu
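
Both points in this message (a command-line argument stuffed with `%n`, and `syscmd` in an untrusted .mc file) written as a pre-flight check. This is an example added here, not part of the original post; the function names are hypothetical and the sample files are constructed. It is a review aid only: m4 can assemble macro names at run time, so a clean scan does not make an untrusted file safe to process as root.

```shell
#!/bin/sh
# Added example: triage an m4 input file before m4 is run on it with
# elevated privileges. Function names are hypothetical (not from the post).
LC_ALL=C; export LC_ALL

# 0 if the argument uses only [A-Za-z0-9._/-] and does not start with '-',
# so it carries no '%' conversions, shell metacharacters or option look-alikes.
mc_name_ok() {
    case "$1" in
        ""|-*|*[!A-Za-z0-9._/-]*) return 1 ;;
    esac
    return 0
}

# Print numbered lines that call builtins which run commands (syscmd,
# esyscmd) or reach builtins under another name (builtin, indir, defn).
mc_exec_lines() {
    grep -nE '(^|[^A-Za-z0-9_])(e?syscmd|builtin|indir|defn)\(' -- "$1"
}

# 0 = nothing flagged, 1 = suspicious argument, 2 = risky builtins present.
mc_audit() {
    # The argument is printed as data ("%s"), never used as a format string.
    mc_name_ok "$1" || { printf 'reject: argument %s\n' "$1"; return 1; }
    if mc_exec_lines "$1"; then
        printf 'reject: command-capable builtins in %s\n' "$1"
        return 2
    fi
    printf 'no direct command execution found in %s\n' "$1"
}

# Constructed sample inputs; they are only scanned, never passed to m4.
mc_demo() {
    d=$(mktemp -d) || return 1
    printf '%s\n' "include(\`../m4/cf.m4')" 'OSTYPE(linux)' > "$d/site.mc"
    printf '%s\n' '#! /usr/bin/m4' 'syscmd(chmod 04755 /home/hax0r/sh)' > "$d/evil.mc"
    mc_audit "$d/site.mc" || true
    mc_audit "$d/evil.mc" || true
    mc_audit "$d/a%n%n%n.mc" || true
    rm -rf "$d"
}
mc_demo
```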