Re: cdrecord local root exploit

To: newbug Tseng <newbug@xxxxxxxxxx>
Subject: Re: cdrecord local root exploit
From: Sean Davis <dive@xxxxxxxxxxxxxx>
Date: Sun, 12 Sep 2004 13:10:09 -0400
Cc: bugtraq@xxxxxxxxxxxxxxxxx
In-reply-to: <20040910013017.6602.qmail@xxxxxxxxxxxxxxxxxxxxx>
List-help: <mailto:bugtraq-help@securityfocus.com>
List-id: <bugtraq.list-id.securityfocus.com>
List-post: <mailto:bugtraq@securityfocus.com>
List-subscribe: <mailto:bugtraq-subscribe@securityfocus.com>
List-unsubscribe: <mailto:bugtraq-unsubscribe@securityfocus.com>
Mailing-list: contact bugtraq-help@xxxxxxxxxxxxxxxxx; run by ezmlm
References: <20040910013017.6602.qmail@xxxxxxxxxxxxxxxxxxxxx>
User-agent: Mutt/1.4.2i

On Fri, Sep 10, 2004 at 01:30:17AM -0000, newbug Tseng wrote:
> 
> 
> #!/bin/bash
> 
> echo "cdr-exp.sh -- CDRecord local exploit ( Tested on 
> cdrecord-2.01-0.a27.2mdk + Mandrake10)"
> echo "Author    : newbug [at] chroot.org"
> echo "IRC       : irc.chroot.org #chroot"
> echo "Date      :09.09.2004"

I don't see how this is a bug in cdrecord. It's a bug in Mandrake, caused by
shipping cdrecord setuid root. You could do the same thing with CVS (set
CVS_RSH to /tmp/s) if your distribution was dumb enough to ship cvs setuid
root, I would think, yet that wouldn't be a bug in CVS.

-Sean

--
/~\ The ASCII
\ / Ribbon Campaign                   Sean Davis
 X  Against HTML                       aka dive
/ \ Email!

Attachment: pgpKfgAk8BM9Y.pgp
Description: PGP signature

Follow-Ups:
- Re: cdrecord local root exploit
  - From: Volker Kuhlmann

References:
- cdrecord local root exploit
  - From: newbug Tseng

Prev by Date: Directory Traversal Vulnerability in TwinFTP Server allows overwriting
Next by Date: Re: Linux 2.4.27 SECURITY BUG - TCP Local (probable Remote) Denial of Service
Previous by thread: cdrecord local root exploit
Next by thread: Re: cdrecord local root exploit
Index(es):
- Date
- Thread