From: Zahemszky Gabor
Message-Id: <199809160707.JAA00435@CoDe.hu>
Subject: Re: csh/bash/tcsh/others? buffer overflow
In-Reply-To: <948.905870511@axl.training.iafrica.com> from Sheldon Hearn at "Sep 15, 98 04:41:51 pm"
To: freebsd.org!freebsd-security@zg.CoDe.hu
Cc: iafrica.com!axl@zg.CoDe.hu
Date: Wed, 16 Sep 1998 09:07:44 +0200 (CEST)

> > On Tue, 15 Sep 1998 13:04:43 +0200, Zahemszky Gabor wrote:
>
> > Then as root do:
> > [...]
> > The bash dies... Check if there is suid shell in tmp dir:
> > [debian]:~$ ls -l /tmp/sh
> > -rwsr-sr-x 1 root root 304676 Sep 4 20:55 sh
>
> From your post, it looks as though this "root exploit" requires root
> privileges to action. Have I misread this? If not, I don't think that
> root having permission to create backdoors is a security concern.

OK. The short history: a local user can write the tmp-like directories on a FreeBSD (and other Unices) machine. He can make files, subdirectories. If as a local user, I make a tricky named directory-structure, it's not a problem. But.

If you are my sysadmin, maybe you are the person who makes ``garbage-collection'' in the filesystem. Maybe an automatic script, maybe by hand. The problem is that if you make only this command:

# ls /tmp
...
dXXXXXXXX 3 fuckinguser fuckinggroup ...... AAAA...................
...

it doesn't matter. Try to do:

# ls /tmp/A*

no problem, but

# ls A*/*/*/*/*

_only for looking_ into the directory, the globbing routine in csh overflows, and wants to run the program which is the name of one of the directories in that tree. So. Yes, to make the hole, we need root privileges. But it _is_ a problem, much like the well-known ``mroe'' bug, and any others. With the others, root has to make holes in his/her environment (writeable directory - eg.: . - in his path), but with this, he has to make normal things: ls or cd or any other. And maybe it's automatic with a home made csh-script. Uff.

ZGabor at CoDe dot HU

--
#!/bin/ksh
Z='21N16I25C25E30, 40M30E33E25T15U!' ;IFS=' ABCDEFGHIJKLMNOPQRSTUVWXYZ ';set $Z ;for i { [[ $i = ? ]]&&print $i&&break;[[ $i = ??? ]]&&j=$i&&i=${i%?};typeset -i40 i=8#$i;print -n ${i#???};[[ "$j" = ??? ]]&&print -n "${j#??} "&&j=;typeset +i i;};IFS=' 0123456789 ';set $Z;X=;for i { [[ $i = , ]]&&i=2;[[ $i = ?? ]]||typeset -l i;X="$X $i";typeset +l i;};print "$X"
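An added example, written for this page and not part of the thread: a cleanup-side audit in Python that walks a tmp directory with os.walk instead of handing user-created names to a shell pattern like A*/*/*/*/*, flags the deep chains and over-long components the post describes, and reports how large the expanded listing would be. The thresholds and the constructed tree in demo() are assumptions chosen for illustration.

```python
import os
import tempfile

# Assumed thresholds for illustration; a real cleanup job would tune them.
DEPTH_LIMIT = 4     # nesting below the tmp dir that a root cleanup job should not glob into
NAME_LIMIT = 64     # a single path component longer than this is unusual for a temp entry
ARGV_LIMIT = 1024   # rough size of an expanded listing worth refusing to pass to a shell


def walk_tree(tmpdir):
    """Yield (relative_path, depth) for every entry under tmpdir.

    os.walk enumerates names as data; nothing here is re-parsed by a shell,
    so odd names cannot reach csh's glob routine at all.
    """
    for dirpath, dirnames, filenames in os.walk(tmpdir):
        rel_dir = os.path.relpath(dirpath, tmpdir)
        for name in dirnames + filenames:
            rel = name if rel_dir == "." else os.path.join(rel_dir, name)
            yield rel, rel.count(os.sep) + 1


def audit_tmp(tmpdir):
    """Return (findings, expanded_bytes).

    findings: (relative_path, reason) for entries a cleanup job should handle
    by explicit path rather than by glob; expanded_bytes: size of the argument
    list a wildcard over the whole tree would produce (each path plus a NUL).
    """
    findings = []
    expanded = 0
    for rel, depth in walk_tree(tmpdir):
        expanded += len(rel) + 1
        if depth > DEPTH_LIMIT:
            findings.append((rel, "nested deeper than %d" % DEPTH_LIMIT))
        elif len(os.path.basename(rel)) > NAME_LIMIT:
            findings.append((rel, "component longer than %d chars" % NAME_LIMIT))
    if expanded > ARGV_LIMIT:
        findings.append((".", "expanded listing is %d bytes" % expanded))
    return findings, expanded


def demo():
    """Constructed tree like the one in the post: a long A... directory holding a
    deep chain whose leaf is named like a command. Built in a throwaway tempdir."""
    with tempfile.TemporaryDirectory() as tmp:
        os.makedirs(os.path.join(tmp, "harmless"))
        chain = os.path.join(tmp, "A" * 80, *(["x" * 20] * 6))
        os.makedirs(chain)
        open(os.path.join(chain, "sh"), "w").close()
        findings, expanded = audit_tmp(tmp)
        return sorted(reason for _, reason in findings), expanded
```

A cleanup script built on audit_tmp() can remove flagged entries with os.remove/os.rmdir on the exact paths it enumerated, which is the behaviour the post's root-run ls or cd lacks.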