gabriel rosenkoetter wrote:
> You are dealing with output you can't trust there. $13 could be anything, including "\n`rm -rf /`". Later on, you pass $13, unstripped of newlines, backticks, or any number of other special characters, to a shell running as uid 0. That shell will proceed to execute whatever we would like it to, where "we" are "the remote attacker who doesn't even have an account".

No it can't. Even if it was rm -rf someone placed in, did you not notice my grep statement? Only print items with a decimal. At no given point anywhere on the 13th column, whether it's Solaris, NetBSD, FreeBSD, would there be an option for someone to craft anything...
FreeBSD
-bash2-2.05b$ uname -a
FreeBSD ethos.disgraced.org 5.4-RELEASE-p14 FreeBSD 5.4-RELEASE-p14 #1: Thu May 11 01:34:54 CDT 2006 sil@xxxxxxxxxxxxx:/usr/obj/usr/src/sys/ETHOS i386
-bash2-2.05b$ sudo awk '{print $13}' /var/log/auth.log|sort -ru
57354
57340
57335
56253
55125
49211
40334
37188
3508
33875
33635
33454
32798
3137
2895
2638
2408
2301
2114
-
OpenBSD
# uname -a
OpenBSD hades.disgraced.org 4.0 GENERIC#1 i386
# awk '{print $13}' /var/log/authlog|grep "\."|sort -ru
63.243.158.221
61.129.85.230
220.132.113.163
219.149.211.49
213.195.75.41
206.210.96.56
> I don't believe the suggestion was ever that you had malicious intent, but rather that you have very horrible coding security habits.

This should have been stated to the list as opposed to "You're backdooring people".

> I'm disinclined to sort out which of your machines I can get root on right now because you are running this script, but I would expect that someone reading this mailing list is already on the way and would strongly advise that you disable those cron jobs.
I'll give you addresses if you'd like to take a shot at it.

--
====================================================
J. Oquendo
http://pgp.mit.edu:11371/pks/lookup?op=get&search=0x1383A743
sil . infiltrated @ net http://www.infiltrated.net
The happiness of society is the end of government. John Adams
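The disagreement above is whether grep "\." is a sufficient check on an untrusted log field before it reaches a root shell. As an added illustration (not code from either poster), here is that filter run side by side with a strict IPv4 check in POSIX sh over constructed column-13 values; the sample values are made up for the example, not real log entries.

```shell
#!/bin/sh
# Added example, not code from either poster. A grep for "." only proves the
# field contains a dot; it does not prove the field is an address. Validate
# strictly before an untrusted log field reaches a root shell.

# Return 0 only for a dotted quad: four decimal groups, each 0-255, no junk.
is_ipv4() {
    case "$1" in
        *[!0-9.]*|.*|*.|*..*) return 1 ;;   # non-digit/dot chars, empty group
    esac
    dots=$(printf '%s' "$1" | tr -cd '.' | wc -c)
    [ "$dots" -eq 3 ] || return 1
    IFS=. ; set -- $1 ; unset IFS            # split into the four groups
    for oct in "$1" "$2" "$3" "$4"; do
        [ ${#oct} -le 3 ] && [ "$oct" -le 255 ] || return 1
    done
    return 0
}

# The filter from the thread: keep any field that contains a dot.
dot_filter() { grep '\.' ; }

# Hardened filter: keep only well-formed IPv4 addresses.
strict_filter() {
    while IFS= read -r field; do
        is_ipv4 "$field" && printf '%s\n' "$field"
    done
}

# Constructed column-13 values (made up for this example, not real log data).
SAMPLE='10.0.0.5
host.example
192.168.1.300
172.16.4.9
1.2.3.4.5'

count_dot()    { printf '%s\n' "$SAMPLE" | dot_filter    | wc -l | tr -d ' ' ; }
count_strict() { printf '%s\n' "$SAMPLE" | strict_filter | wc -l | tr -d ' ' ; }

echo "dot filter passes:    $(count_dot)"     # 5: every sample has a dot
echo "strict filter passes: $(count_strict)"  # 2: only the real addresses
```

The point of the comparison is that every one of the five constructed values survives the dot filter, while only the two well-formed addresses survive the strict check.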
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/