From: 026809r@dragon.acadiau.ca (Michael Richards)
Message-Id: <199809101614.NAA07518@dragon.acadiau.ca>
Subject: cat exploit
To: security@FreeBSD.ORG
Date: Thu, 10 Sep 1998 13:14:53 -0300 (ADT)

Hi.

Is it just me or did everyone miss the point of Jay's message? What would happen if I created a file called README that was binary? Since Jay accidentally had the cat'd sendmail.st execute the command "xtermxterm", then wouldn't it be possible to create a file (like the README) that people would be tricked into catting that would run commands as them? Consider running the rm command. Hell, stick it in a temp dir and make a shell script called xtermxterm and I believe catting the file will run the script.

-Mike
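
A defensive habit that follows from the question raised in this message, as an added example that is not part of the original post: check a file for control bytes before sending it to the terminal, and show it with `cat -v` when any are found. It assumes the behaviour described comes from bytes in the file being interpreted by the terminal; the helper names `has_ctrl`, `safecat` and `make_sample` and the sample content are constructed for illustration.

```shell
#!/bin/sh
# Added example: view an untrusted file without letting the terminal
# interpret control bytes embedded in it.

# has_ctrl FILE: succeed if FILE holds any byte other than printable
# ASCII, tab or newline (C0 controls, ESC, DEL, 8-bit bytes).
has_ctrl() {
    # Delete the harmless bytes and count what is left over.
    n=$(LC_ALL=C tr -d '\11\12\40-\176' < "$1" | wc -c)
    [ "$((n))" -gt 0 ]
}

# safecat FILE: print FILE; if it contains control bytes, print them
# in caret notation (ENQ as ^E, ESC as ^[) so the terminal never
# receives the raw bytes.
safecat() {
    if has_ctrl "$1"; then
        echo "safecat: $1 contains control bytes, showing with cat -v" >&2
        cat -v -- "$1"
    else
        cat -- "$1"
    fi
}

# make_sample FILE: write a constructed test file, one text line
# followed by an ENQ byte (\005) and a harmless colour-reset
# sequence (ESC [ 0 m).
make_sample() {
    printf 'Installation notes\n\005\033[0m\n' > "$1"
}

# Demonstration on the constructed sample.
sample=$(mktemp)
make_sample "$sample"
safecat "$sample"
rm -f "$sample"
```

Pagers offer the same protection: `less` shows control characters in caret notation unless it is run with `-r`.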