Date: 16 Dec 1996 16:04:28 -0000
From: Oregon Ghost <oghost@ecstasy.nanospace.com>
To: security@freebsd.org
Subject: Re: crontab security hole exploit
Message-ID: <19961216160428.964.qmail@ecstasy.nanospace.com>
In-Reply-To: <Pine.GSO.3.95.961216154913.7742B-100000@lich>
References: <l03010d02aedafca2ae0c@[208.2.87.4]> <Pine.GSO.3.95.961216154913.7742B-100000@lich>

The exploits are posted to several other quite public lists (bugtraq has over 5000 subscribers now), so why not here? I should think it underscores the fact that the security hole is exploitable with publicly available code.

Joakim Rastberg writes:
> On Mon, 16 Dec 1996, Richard Wackerbarth wrote:
> >>Exploit for buffer overflow in crontab.
> >Please do not post exploit details to the list. The details can be sent
> >privately to security-officer@FreeBSD.ORG.
> >Observations that they exist, preferably with impact statements (e.g. user
> >can gain root access) and proposed fixes are appropriate for public notice.
>
> Is that official? Or only wishful thinking (i.e. if no one posts them they
> will go away?). I would rather like the exploits be posted as they can be used
> to leverage the "management" to pay attention (background: I am working as
> a contractor to run some unix-boxes and although I whine about the low
> security *nothing* happens until I can show I get a #, then someone
> perhaps pulls the plug and pays for a more secure installation. My point
> being is that many companies, at least the ones I work for, IGNORE holes
> until someone has shown them the exploit)
>
> /joakim rastberg, Xinit AB, Sundsvall Sweden.
