From owner-freebsd-security Tue Oct 10 21:44:30 2000
Delivered-To: freebsd-security@freebsd.org
Received: from mailhost01.reflexnet.net (mailhost01.reflexnet.net [64.6.192.82]) by hub.freebsd.org (Postfix) with ESMTP id 3CA5037B66F; Tue, 10 Oct 2000 21:44:27 -0700 (PDT)
Received: from 149.211.6.64.reflexcom.com ([64.6.211.149]) by mailhost01.reflexnet.net with Microsoft SMTPSVC(5.5.1877.197.19); Tue, 10 Oct 2000 21:42:18 -0700
Received: (from cjc@localhost) by 149.211.6.64.reflexcom.com (8.11.0/8.11.0) id e9B4hXh01727; Tue, 10 Oct 2000 21:43:33 -0700 (PDT) (envelope-from cjc)
Date: Tue, 10 Oct 2000 21:43:32 -0700
From: "Crist J . Clark"
To: Robert Watson
Cc: "Brian F. Feldman" , Peter Pentchev , achilov@granch.ru, Przemyslaw Frasunek , freebsd-security@FreeBSD.ORG
Subject: Re: ncurses buffer overflows (fwd)
Message-ID: <20001010214332.G25121@149.211.6.64.reflexcom.com>
Reply-To: cjclark@alum.mit.edu
References: <200010110038.e9B0cH562984@green.dyndns.org>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
X-Mailer: Mutt 1.0i
In-Reply-To: ; from rwatson@FreeBSD.ORG on Wed, Oct 11, 2000 at 12:09:59AM -0400
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

On Wed, Oct 11, 2000 at 12:09:59AM -0400, Robert Watson wrote:
> On Tue, 10 Oct 2000, Brian F. Feldman wrote:
>
> > > Uhm.. it explicitly says '#!/bin/csh' at the start; why are you running
> > > it with 'sh'?
> >
> > The canonical lazy person's execution method for scripts is "shell
> > script.shell", because it is easier than "chmod +x script.shell; ./
> > script.shell". C shell scripts are supposed to be named .csh for
> > consistency, or nothing at all.
>
> We seem to have some bugs in how shells load and run shell scripts for
> other shells, and in handling of scripts with invalid or bad #! lines at
> the beginning. I think I filed a PR a while ago about handling of scripts
> in single-user mode in particular. If you feel bored someday, you could
> try and fix them :-). The general gist is the following: shells
> (especially when running in single-user mode for some reason) will tend to
> execute shell scripts themselves, rather than using the interpreter
> defined in the file (not in multi-user mode?). When a failure occurs in
> locating or executing the interpreter, or if interpreters are recursive,
> rather than failing (as the kernel execve call does), it will go ahead and
> execute it using the current shell. Doubt this could be exploited as a
> security bug, but it is probably "wrong". The kernel seems to correctly
> handle layered interpreters by returning an image error (an interpreter
> cannot be another interpreter, preventing recursion).

Hmmm... I always thought the fact the sh-bang started with a '#' was part of
their magic. When you read in a file with an interpreter, it reads the file
as a flat file. That first line starts with a '#'; it's just a comment,
right? What interpreters actually use a sh-bang to change the interpreter?
I thought sh-bangs were only used by exec calls.

-- 
Crist J. Clark                                cjclark@alum.mit.edu

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-security" in the body of the message
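Added example, not part of the thread and not FreeBSD code: a small Python model of the #! decision Robert describes, which reports the failure cases (no #! line, interpreter missing, interpreter that is itself a #! script) explicitly instead of falling back to the current shell. It assumes `/bin/sh` exists as a native binary; the sample scripts and the 128-byte line limit are constructed for the demonstration.

```python
import os
import tempfile

MAX_LINE = 128  # constructed limit: the kernel reads only a bounded prefix of line 1

def parse_shebang(first_line: bytes):
    """Return (interpreter, [arg]) for a '#!' line, or None if there is none."""
    if not first_line.startswith(b"#!"):
        return None
    body = first_line[2:MAX_LINE].split(b"\n", 1)[0].strip()
    if not body:
        return None
    # execve passes at most one argument: the rest of the line is one token.
    parts = body.split(None, 1)
    return parts[0].decode(), ([parts[1].decode()] if len(parts) > 1 else [])

def resolve_script(path: str):
    """Classify how execve would treat the file, rather than silently running
    it with the current shell as the thread says some shells do."""
    with open(path, "rb") as f:
        head = f.read(MAX_LINE)
    parsed = parse_shebang(head)
    if parsed is None:
        return ("no-shebang",)  # flat file: to a shell, line 1 is just a comment
    interp, args = parsed
    if not (os.path.isfile(interp) and os.access(interp, os.X_OK)):
        return ("missing-interpreter", interp)
    with open(interp, "rb") as f:
        if f.read(2) == b"#!":  # interpreter is itself a #! script
            return ("recursive", interp)  # kernel: image error, no recursion
    return ("interpreter", interp, args)

def demo():
    """Constructed sample scripts covering each case; returns their verdicts."""
    d = tempfile.mkdtemp()
    def write(name, content):
        p = os.path.join(d, name)
        with open(p, "wb") as f:
            f.write(content)
        os.chmod(p, 0o755)
        return p
    wrapper = write("myshell", b"#!/bin/sh\nexec /bin/sh \"$@\"\n")
    return {
        "plain": resolve_script(write("plain.sh", b"#!/bin/sh\necho hi\n")),
        "flat": resolve_script(write("flat", b"# a comment, not a #! line\necho hi\n")),
        "missing": resolve_script(write("m.csh", b"#!/nonexistent/csh -f\necho hi\n")),
        "nested": resolve_script(write("n.csh", b"#!" + wrapper.encode() + b"\necho hi\n")),
    }

if __name__ == "__main__":
    print(demo())
```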