Date: Wed, 16 Sep 1998 09:07:44 +0200 (CEST)
From: Zahemszky Gabor <zgabor@zg.CoDe.hu>
To: freebsd.org!freebsd-security@zg.CoDe.hu
Cc: iafrica.com!axl@zg.CoDe.hu
Subject: Re: csh/bash/tcsh/others? buffer overflow
Message-ID: <199809160707.JAA00435@CoDe.hu>
In-Reply-To: <948.905870511@axl.training.iafrica.com> from Sheldon Hearn at "Sep 15, 98 04:41:51 pm"

> On Tue, 15 Sep 1998 13:04:43 +0200, Zahemszky Gabor wrote:
>
> > Then as root do:
> > [...]
> > The bash dies... Check if there is suid shell in tmp dir:
> > [debian]:~$ ls -l /tmp/sh
> > -rwsr-sr-x 1 root root 304676 Sep 4 20:55 sh
>
> From your post, it looks as though this "root exploit" requires root
> privileges to action. Have I misread this? If not, I don't think that
> root having permission to create backdoors is a security concern.

OK. The short history: a local user can write to the tmp-like directories on a FreeBSD (and other Unices) machine. He can make files, subdirectories. If, as a local user, I make a trickily named directory structure, it's not a problem. But. If you are my sysadmin, maybe you are the person who makes ``garbage-collection'' in the filesystem. Maybe an automatic script, maybe by hand. The problem is that if you make only this command:

    # ls /tmp
    ...
    dXXXXXXXX 3 fuckinguser fuckinggroup ...... AAAA...................
    ...

it doesn't matter. Try to do:

    # ls /tmp/A*

no problem, but

    # ls A*/*/*/*/*

_only for looking_ into the directory, the globbing routine in csh overflows, and wants to run the program which is the name of one of the directories in that tree.

So. Yes, to make the hole, we need root privileges. But it _is_ a problem, much like the well-known ``mroe'' bug, and any others. With the others, root has to make holes in his/her environment (writeable directory - e.g.: . - in his path), but with this, he has to do normal things: ls or cd or any other. And maybe it's automatic with a home-made csh script.

Uff.

ZGabor at CoDe dot HU
--
#!/bin/ksh
Z='21N16I25C25E30, 40M30E33E25T15U!' ;IFS=' ABCDEFGHIJKLMNOPQRSTUVWXYZ ';set $Z ;for i { [[ $i = ? ]]&&print $i&&break;[[ $i = ??? ]]&&j=$i&&i=${i%?};typeset -i40 i=8#$i;print -n ${i#???};[[ "$j" = ??? ]]&&print -n "${j#??} "&&j=;typeset +i i;};IFS=' 0123456789 ';set $Z;X=;for i { [[ $i = , ]]&&i=2;[[ $i = ??
]]||typeset -l i;X="$X $i";typeset +l i;};print "$X"

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-security" in the body of the message
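The risk described in this message comes from root expanding wildcards over a user-writable directory. As an added example, not part of the original message or of any FreeBSD tool, the following Python audit walks a tmp-like directory without any wildcard expansion and reports directories with very long names or deep nesting, plus setuid/setgid files such as the /tmp/sh quoted above. The function name `audit_tmp` and both thresholds are assumptions.

```python
import os
import stat

# Assumed thresholds, not taken from the original message; tune per site.
MAX_NAME_LEN = 128   # a single path component longer than this is unusual
MAX_DEPTH = 16       # nesting deeper than this under a tmp-like directory


def audit_tmp(root, max_name=MAX_NAME_LEN, max_depth=MAX_DEPTH):
    """Walk `root` with os.scandir (no wildcard expansion, symlinks not
    followed) and return (path, owner_uid, reason) tuples for review."""
    findings = []
    stack = [(root, 0)]
    while stack:
        current, depth = stack.pop()
        try:
            with os.scandir(current) as it:
                entries = list(it)
        except OSError as exc:
            # e.g. ENAMETOOLONG on a very deep tree: report it, do not descend
            findings.append((current, None, f"unreadable: {exc.strerror}"))
            continue
        for entry in entries:
            try:
                st = entry.stat(follow_symlinks=False)
            except OSError:
                continue  # entry vanished between scandir and stat
            if stat.S_ISREG(st.st_mode) and st.st_mode & (stat.S_ISUID | stat.S_ISGID):
                findings.append((entry.path, st.st_uid, "setuid/setgid file"))
            if not stat.S_ISDIR(st.st_mode):
                continue
            if len(entry.name) > max_name:
                findings.append((entry.path, st.st_uid, "long name"))
            if depth + 1 > max_depth:
                findings.append((entry.path, st.st_uid, "deep nesting"))
                continue  # stop descending past the depth limit
            stack.append((entry.path, depth + 1))
    return findings


if __name__ == "__main__":
    for path, uid, reason in audit_tmp("/tmp"):
        # repr() keeps control characters in hostile names off the terminal
        print(uid, reason, repr(path))
```

Run it as an unprivileged user where possible; the owner uid in each finding shows which account created the entry.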