[1126] in linux-security and linux-alert archive


Re: Environment Variables (Was Re: [linux-security] Re: RESOLV_HOST_CONF )

daemon@ATHENA.MIT.EDU (Zygo Blaxell)
Sun Sep 1 07:52:33 1996

From: zblaxell@myrus.com (Zygo Blaxell)
To: linux-security@tarsier.cv.nrao.edu
Date: 31 Aug 1996 15:18:14 -0400

In article <Pine.SV4.3.91.960828223506.8977D-100000@top.dbd.com>,
Mark Whitis  <whitis@dbd.com> wrote:
>Here is the beginnings of a catalog of common environment variables
>and a little about their potential exploitability.  I started
>with a printenv on an almost straight out of the box RedHat 3.0.3
>system and added a few from memory.
>HISTSIZE          - Don't know.  Really large values or negative or zero
>                    values might conceivably do something strange to child
>                    processes invoked by a setuid program

If the user is given a privileged interactive shell by the setuid program,
you don't need to worry about someone exploiting this environment variable.

Hmmm...maybe non-interactive shells might examine this variable, though,
if only to convert it to a numeric value.

>HISTFILESIZE      - Don't know.  Really large values or negative or zero
>                    values might conceivably do something strange to child
>                    processes invoked by a setuid program

Ditto.

>MAIL=/var/spool/mail/whitis

There was no description in your list, but it falls into the same category
as HOME, USER, LOGNAME, HOSTNAME, etc.

>HOME              - Any setuid program that needs this info had better
>                    get it from someplace trustworthy and be very careful
>                    what it uses it for in the first place.  HOME points
>                    to files created by an untrusted user.

And directories controlled by an untrusted user.  All the usual /tmp 
vulnerabilities apply.  Indeed, the same vulnerabilities apply for *any*
filename supplied by the user.

>SHLVL=1           - Unknown.  

It's used for subshells to identify that they're subshells.  Some shells
let you put this into the prompt string, e.g.:

	bash$ bash
	bash[1]$ bash
	bash[2]$ exit
	bash[1]$ kill -9 $$
	Killed
	bash$

It's probably the same category as HISTSIZE.

>TZ                - Affects time formatting functions.  Potential for
>                    several types of attacks:
>                      - Forging time (i.e. you can cause a transaction
>                        to appear to have occurred at a different time)
>                      - Buffer overrun attacks in any programs which
>                        print time.
>                      - punctuation based attacks

It's also used as the name of a time zone description file under
/usr/lib/zoneinfo:

$ cp /usr/lib/zoneinfo/Europe/London .
$ set -x; date; TZ=GMT date; TZ=US/Central date; TZ=`pwd`/London date
+ date
Sat Aug 31 15:00:01 EDT 1996		# Current time zone
+ TZ=GMT
+ date
Sat Aug 31 19:00:01 GMT 1996		# GMT
+ TZ=US/Central
+ date
Sat Aug 31 14:00:01 CDT 1996		# Some other time zone
++ pwd
+ TZ=/md0/tmp/mail-960831/London
+ date
Sat Aug 31 20:00:01 BST 1996		# Time zone described in my file

>I have not even touched on some others: 
[ zb: I have rearranged the list ]
>PRINTER
>LPDEST
>EDITOR
>VISUAL
>EXINIT
>LESSCHARSET

All very useful user-level environment variables for configuring
unprivileged programs or privileged programs that have documented uses
for the variables (e.g. lpr and 'PRINTER').

>WINDOWID

The ID of the current Xterm window.

>NLSPATH

Part of the same libraries that handle LC_*, isn't it?

>[REW: In short, LOTS of environment variables are potentially
>exploitable. Only known "safe" variables should be passed (by
>e.g. telnetd, or a setuid-wrapper).  (I never knew about
>RESOLV_HOST_CONF before it came up here.) And even "safe" variables
>should be paranoidly checked against odd characters etc.]

I think that's worth repeating.  Someone needs to tell it to people
who *don't* read lists like this one.
-- 
Zygo Blaxell. Unix/soft/hardware guru, was for U of Waterloo CS Club, now for 
(name withheld by request). 10th place, ACM Intl Collegiate Programming Contest
Finals, 1994.  Admin Linux/TCP/IP for food, clothing, anime.  Pager: 1 (613) 
760 8572.  "I gave up $1000 to avoid working on windoze... *sigh*" - Amy Fong
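The closing advice in the message (pass only known "safe" variables, and check even those for odd characters) is the kind of thing a setuid wrapper or login daemon has to implement in a few dozen lines. The following is an added example written for this archive page; it is not code from the original message or from any of the programs discussed. The allow-list, the per-variable rules (digits only for HISTSIZE/HISTFILESIZE, an absolute path without ".." for HOME/MAIL, a zoneinfo-relative name for TZ that cannot start with "/" or ":", which is how the TZ=`pwd`/London trick in the thread works) and the function names are illustrative assumptions, not a standard policy.

```c
/* Added example (not from the original message): an environment
 * allow-list sanitizer of the kind a setuid wrapper could apply before
 * exec.  Every variable not on the list is dropped; every listed
 * variable must pass a per-variable value check.  The list and the
 * rules are assumptions chosen to illustrate the thread's advice. */
#include <ctype.h>
#include <stdio.h>
#include <string.h>

typedef int (*check_fn)(const char *value);

/* True if every character is alphanumeric or in `allowed`. */
static int only_chars(const char *v, const char *allowed) {
    for (; *v; v++)
        if (!isalnum((unsigned char)*v) && !strchr(allowed, *v))
            return 0;
    return 1;
}

/* Non-negative decimal integer of bounded length (HISTSIZE etc.). */
static int check_number(const char *v) {
    size_t n = strlen(v);
    if (n == 0 || n > 9) return 0;
    for (; *v; v++)
        if (!isdigit((unsigned char)*v)) return 0;
    return 1;
}

/* Absolute path, conservative character set, no ".." (HOME, MAIL). */
static int check_abspath(const char *v) {
    return v[0] == '/' && strlen(v) < 256 && only_chars(v, "/._-")
        && strstr(v, "..") == NULL;
}

/* TZ: a name relative to the zoneinfo directory.  A leading '/' or ':'
 * would make the C library open an arbitrary file (TZ=`pwd`/London in
 * the thread), so reject those and any ".." component. */
static int check_tz(const char *v) {
    return v[0] != '/' && v[0] != ':' && v[0] != '\0' && strlen(v) < 64
        && only_chars(v, "/_+-,.") && strstr(v, "..") == NULL;
}

/* Short identifier-like token (PRINTER, LPDEST). */
static int check_token(const char *v) {
    return strlen(v) > 0 && strlen(v) < 64 && only_chars(v, "_-.");
}

/* Assumed allow-list; anything else (RESOLV_HOST_CONF, LD_*, IFS...) is dropped. */
static const struct { const char *name; check_fn check; } allow[] = {
    { "HOME",         check_abspath },
    { "MAIL",         check_abspath },
    { "TZ",           check_tz      },
    { "HISTSIZE",     check_number  },
    { "HISTFILESIZE", check_number  },
    { "PRINTER",      check_token   },
    { "LPDEST",       check_token   },
};

/* Returns 1 if "NAME=value" names an allowed variable whose value passes. */
int env_entry_ok(const char *entry) {
    const char *eq = strchr(entry, '=');
    if (!eq) return 0;
    size_t nlen = (size_t)(eq - entry);
    for (size_t i = 0; i < sizeof allow / sizeof allow[0]; i++)
        if (strlen(allow[i].name) == nlen && memcmp(allow[i].name, entry, nlen) == 0)
            return allow[i].check(eq + 1);
    return 0;  /* unknown variable: never passed through */
}

/* Copies acceptable entries of `in` into `out` (NULL-terminated, at most
 * `max` slots including the NULL), with a fixed PATH in front.  Returns
 * the number of entries written, not counting the NULL. */
size_t sanitize_env(char *const in[], const char *out[], size_t max) {
    size_t n = 0;
    if (max < 2) { if (max) out[0] = NULL; return 0; }
    out[n++] = "PATH=/bin:/usr/bin";  /* never inherit the caller's PATH */
    for (size_t i = 0; in[i] && n + 1 < max; i++)
        if (env_entry_ok(in[i]))
            out[n++] = in[i];
    out[n] = NULL;
    return n;
}

int main(void) {
    /* Constructed sample environment, mixing benign and hostile entries. */
    char *const sample[] = {
        "HOME=/home/whitis", "MAIL=/var/spool/mail/whitis",
        "TZ=US/Central", "HISTSIZE=1000",
        "TZ=/tmp/attacker/London",        /* absolute file: dropped */
        "RESOLV_HOST_CONF=/etc/passwd",   /* not on the list: dropped */
        "HISTFILESIZE=-1",                /* not a non-negative number: dropped */
        "PRINTER=lp0", NULL
    };
    const char *clean[16];
    size_t n = sanitize_env(sample, clean, 16);
    for (size_t i = 0; i < n; i++) printf("%s\n", clean[i]);
    return 0;
}
```

The point of the structure is that the default is "drop": a variable the wrapper has never heard of, like RESOLV_HOST_CONF, never reaches the child, and a known variable still has to look like what the child expects before it is passed on.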
