Date: Wed, 29 Nov 2000 16:05:01 +0200 (EET)
From: netch@carrier.kiev.ua (Valentin Nechayev)
To: freebsd-security@freebsd.org
Subject: Re: bash vulnerability
Message-ID: <200011291405.QBY10919@burka.carrier.kiev.ua>
>> > The bash seems vulnerable to the symlink attack as well:
>> > http://www.securityfocus.com/bid/2006

Part of ktrace of bash-2.03 from port:

  9820 bash CALL  open(0xbfbfd548,0xe01,0x180)
  9820 bash NAMI  "/tmp/t9820-0-sh"
  9820 bash RET   open 3

Here, O_EXCL|O_CREAT|O_TRUNC is seen => not vulnerable to symlink attack.
But later, it closes the file and reopens it:

  9820 bash CALL  dup(0x3)
  9820 bash RET   dup 4
  [...]
  9820 bash CALL  write(0x4,0x811b00c,0x44)
  9820 bash GIO   fd 4 wrote 68 bytes
       "Only root can create /etc/nologin.
        Do any boot-time scripts use sh?
       "
  9820 bash RET   write 68/0x44
  9820 bash CALL  close(0x4)
  9820 bash RET   close 0
  9820 bash CALL  close(0x3)
  9820 bash RET   close 0
  9820 bash CALL  open(0xbfbfd548,0,0x180)
  9820 bash NAMI  "/tmp/t9820-0-sh"
  9820 bash RET   open 3
  9820 bash CALL  unlink(0xbfbfd548)
  9820 bash NAMI  "/tmp/t9820-0-sh"
  9820 bash RET   unlink 0

Hence, the race condition exists when the file can be changed in these few
microseconds between close & open ;|

>> Where have you seen bash or FreeBSD?
RS> Installed from /usr/ports/shells/bash2 (or bash1).
RS> I don't know if the shipping /bin/sh is vulnerable.

No, it is not: it forks, and the child pipes the here-document to the parent.

/netch

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-security" in the body of the message
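Editor's added example (not part of the mail above, and not bash's or FreeBSD's own source): the three here-document strategies the thread contrasts, written out in C so the window in the ktrace can be exercised. heredoc_reopen_by_name() replays the traced bash-2.03 sequence (open(path, 0xe01, 0x180), i.e. O_WRONLY|O_CREAT|O_TRUNC|O_EXCL with mode 0600, then close, then a second open(path, 0) by name); heredoc_keep_fd() is the fix that never resolves the name twice; heredoc_pipe() is what the mail says /bin/sh does, a fork with the child feeding a pipe. The attacker() stand-in, the /tmp/heredoc-race-XXXXXX directory, the file contents and every function name here are constructed for this example. It assumes the attacker can replace the directory entry during the window, which is the precondition the mail's "when the file can be changed" needs (a non-sticky or attacker-owned temp directory, or the shell's own uid); on a sticky-bit /tmp another unprivileged uid cannot unlink bash's 0600 file.

```c
#define _DEFAULT_SOURCE 1               /* mkdtemp, symlink on glibc */
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <sys/wait.h>

/* Constructed sample contents: the here-document seen in the ktrace, and what
 * the attacker wants the command to read instead. */
static const char HEREDOC[] = "Only root can create /etc/nologin.\n";
static const char EVIL[]    = "echo owned  # attacker-supplied here-document\n";

/* Read up to cap-1 bytes from fd, NUL-terminate, return the count (-1 on error). */
static ssize_t slurp(int fd, char *buf, size_t cap)
{
    ssize_t n = read(fd, buf, cap - 1);
    if (n >= 0) buf[n] = '\0';
    return n;
}

/* Stand-in for the "few microseconds between close & open": swap the directory
 * entry for a symlink to an attacker-controlled file.  Assumes the attacker may
 * unlink in that directory (non-sticky or attacker-owned tmp dir). */
static void attacker(const char *path)
{
    char evil[4200];
    snprintf(evil, sizeof evil, "%s.evil", path);
    int fd = open(evil, O_WRONLY | O_CREAT | O_TRUNC, 0644);
    if (fd < 0) return;
    if (write(fd, EVIL, strlen(EVIL)) < 0) { close(fd); return; }
    close(fd);
    unlink(path);
    symlink(evil, path);
}

/* The ktrace'd bash-2.03 sequence: O_EXCL create, write, close, then a second
 * open(path, 0) that resolves the NAME again, without O_EXCL, following symlinks. */
int heredoc_reopen_by_name(const char *path, void (*race)(const char *), char *out, size_t cap)
{
    int fd = open(path, O_WRONLY | O_CREAT | O_TRUNC | O_EXCL, 0600);   /* 0xe01, 0x180 */
    if (fd < 0) return -1;
    if (write(fd, HEREDOC, strlen(HEREDOC)) < 0) { close(fd); return -1; }
    close(fd);
    if (race) race(path);                /* the window the mail points at */
    if ((fd = open(path, O_RDONLY)) < 0) return -1;
    ssize_t n = slurp(fd, out, cap);
    close(fd);
    unlink(path);
    return (int)n;
}

/* Fix that keeps the temp-file design: create O_RDWR|O_EXCL, unlink the name at
 * once, and rewind the descriptor already held instead of looking the name up again. */
int heredoc_keep_fd(const char *path, void (*race)(const char *), char *out, size_t cap)
{
    int fd = open(path, O_RDWR | O_CREAT | O_TRUNC | O_EXCL, 0600);
    if (fd < 0) return -1;
    unlink(path);
    if (write(fd, HEREDOC, strlen(HEREDOC)) < 0) { close(fd); return -1; }
    if (race) race(path);                /* same window, but the name no longer matters */
    ssize_t n = lseek(fd, 0, SEEK_SET) < 0 ? -1 : slurp(fd, out, cap);
    close(fd);
    return (int)n;
}

/* What the mail says /bin/sh does: no file at all.  The child feeds the document
 * into a pipe and the parent reads it, so there is no name for anyone to race. */
int heredoc_pipe(const char *path, void (*race)(const char *), char *out, size_t cap)
{
    int p[2];
    if (pipe(p) < 0) return -1;
    pid_t pid = fork();
    if (pid < 0) { close(p[0]); close(p[1]); return -1; }
    if (pid == 0) {                      /* child */
        close(p[0]);
        _exit(write(p[1], HEREDOC, strlen(HEREDOC)) < 0);
    }
    close(p[1]);
    if (race) race(path);                /* touches nothing the parent reads */
    ssize_t n = slurp(p[0], out, cap);
    close(p[0]);
    waitpid(pid, NULL, 0);
    return (int)n;
}

/* Run one variant on a predictable name (like bash's /tmp/t<pid>-0-sh) inside a
 * private mkdtemp() directory; 1 = attacker's text read, 0 = original read, -1 = error. */
static int hijacked(int (*variant)(const char *, void (*)(const char *), char *, size_t))
{
    char dir[] = "/tmp/heredoc-race-XXXXXX", path[4096], evil[4200], out[256];
    if (!mkdtemp(dir)) return -1;
    snprintf(path, sizeof path, "%s/t%d-0-sh", dir, (int)getpid());
    snprintf(evil, sizeof evil, "%s.evil", path);
    int n = variant(path, attacker, out, sizeof out);
    unlink(path); unlink(evil); rmdir(dir);
    if (n < 0) return -1;
    return strcmp(out, EVIL) == 0 ? 1 : strcmp(out, HEREDOC) == 0 ? 0 : -1;
}
int reopen_by_name_is_hijacked(void) { return hijacked(heredoc_reopen_by_name); }
int keep_fd_is_hijacked(void)        { return hijacked(heredoc_keep_fd); }
int pipe_is_hijacked(void)           { return hijacked(heredoc_pipe); }

int main(void)
{
    printf("reopen by name: %d\nkeep fd: %d\npipe: %d\n",
           reopen_by_name_is_hijacked(), keep_fd_is_hijacked(), pipe_is_hijacked());
    return 0;
}
```

Build with `cc -o heredoc heredoc.c && ./heredoc`. Only the reopen-by-name variant reports 1: the second open() follows the symlink the simulated attacker planted, so the command receives the attacker's text as its here-document. The keep-fd variant still creates a file but reads through the descriptor it got from the O_EXCL open, and the pipe variant has no name on disk at all, which is the property the mail credits /bin/sh with.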