[LWN Logo]
[Timeline]
Date:         Fri, 17 Nov 2000 18:12:13 +0100
From: Michal Zalewski <lcamtuf@TPI.PL>
Subject:      Re: vixie cron...
To: BUGTRAQ@SECURITYFOCUS.COM

In order to summarize the responses I've received:

Vulnerable:

- Debian 2.2 is vulnerable; this exploit might need slight
  modifications in order to work properly (eg. /var/spool/cron/crontabs,
  which is 0755 as well, has to be used instead of /var/spool/cron)

- systems where vixie-cron has been installed manually seems to be
  vulnerable (this will include Solaris etc - but this exploit
  won't work or will require some modifications); well, general
  conditions are: o+x on /var/spool/cron and setuid vixie crontab.

- I still have no informations about other non RH-derived distributions
  and other systems shipping vixie-cron, but I would suspect at least
  part of them (if you have something to add, feel free to mail me),

Not vulnerable:

- most of RedHat-derived systems are not vulnerable (this includes
  Mandrake, Cobalt Linux and *probably* Corel Linux); Trustix is
  not vulnerable,

- Slackware is not using vixie-cron, of course (but have dangerous
  permissions, if you have replaced default cron with vixie, expect
  problems),

- FreeBSD seems to be not vulnerable (other permissions).

That's it for now. I would like to thanks all the people who replied to my
mail - Dmitry Alyabyev, Mariusz Woloszyn, Ethan Benson, Oystein Viggen,
Szilveszter Adam, dbaseiv, Simple Nomad and Daniel Jacobowitz :)

_______________________________________________________
Michal Zalewski [lcamtuf@tpi.pl] [tp.internet/security]
[http://lcamtuf.na.export.pl] <=--=> bash$ :(){ :|:&};:
=-----=> God is real, unless declared integer. <=-----=