Date:      Mon, 16 Dec 1996 08:54:26 -0800 (PST)
From:      "Craig Shaver" <craig@ProGroup.COM>
To:        security@FreeBSD.ORG
Subject:   Re: crontab security hole exploit
Message-ID:  <199612161654.IAA19864@seabass.progroup.com>
In-Reply-To: <Pine.GSO.3.95.961216154913.7742B-100000@lich> from "Joakim Rastberg" at Dec 16, 96 03:55:59 pm

> 
> On Mon, 16 Dec 1996, Richard Wackerbarth wrote:
> >>Exploit for buffer overflow in crontab.
> >Please do not post exploit details to the list. The details can be sent
> >privately to security-officer@FreeBSD.ORG.
> >Observations that they exist, preferably with impact statements (eg. user
> >can gain root access) and proposed fixes are appropriate for public notice.
> 
> Is that official? Or only wishful thinking (i.e. if no one posts them they
> will go away?). I would rather like the exploits to be posted, as they can be used
> to leverage the "management" to pay attention (background: I am working as
> a contractor to run some unix-boxes and although I whine about the low
> security *nothing* happens until I can show I get a #, then someone
> perhaps pulls the plug and pays for a more secure installation. My point
> being that many companies, at least the ones I work for, IGNORE holes
> until someone has shown them the exploit)
> 
> /joakim rastberg, Xinit AB, Sundsvall Sweden.

It certainly helps me understand what is really going on.  I can learn from
this to code defensively.

Is there someplace or some book that someone who is writing new software can
refer to for learning how to write secure code in the first place?  I 
certainly don't want to ask some whiny security cop for each and every 
little detail.... :)

-- 
Craig Shaver  (craig@progroup.com) (415)390-0654 
Productivity Group POB 60458 Sunnyvale, CA  94088
