[2148] in linux-security and linux-alert archive
[linux-security] Re: Redhat Linux 6.0 Problem
daemon@ATHENA.MIT.EDU (Rogier Wolff)
Sat May 8 03:01:05 1999
In-Reply-To: <Pine.LNX.4.04.9905071158110.14885-100000@redhat1.mmaero.com> from "jlewis@lewis.org" at "May 7, 99 12:01:50 pm"
To: jlewis@lewis.org
Date: Sat, 8 May 1999 08:39:12 +0200 (MEST)
Cc: lundberg@vr.net, lberdeja@2xtreme.net, wu-ftpd@wugate.wustl.edu,
bugs@redhat.com, linux-security@redhat.com
From: R.E.Wolff@BitWizard.nl (Rogier Wolff)
Resent-From: linux-security@redhat.com
Resent-Reply-To: linux-security@redhat.com
jlewis@lewis.org wrote:
> I just noticed another really weird thing. For some reason the anonftp
> package on Red Hat (at least 5.2 and 6.0) that includes the libs and bins
> needed for wu-ftpd to work for anonymous FTP includes what seems to be a
> copy of /bin/ash as /home/ftp/bin/sh. Why the heck would they include a
> bourne shell in the anon bin directory?
I've done "dir patch*" to get a listing of all the patches at
ftp.kernel.org.

The "*" expansion is something a shell does. My guess is that they
didn't want to duplicate the wildcard expansion into wu-ftpd.

Note that a shell doesn't have any special privileges. So, indeed for
convenience, exploits regularly do 'exec ("/bin/sh")', but in fact

    while (1) {
        read (0, buf, 1024);
        if (fork ()) exit (exec (buf));
        wait (...);
    }

is a simple shell-substitute, and short enough to be carried in an
exploit of a few hundred bytes.

Regards,
Roger Wolff.
--
** R.E.Wolff@BitWizard.nl ** http://www.BitWizard.nl/ ** +31-15-2137555 **
*-- BitWizard writes Linux device drivers for any device you may have! --*
------ Microsoft SELLS you Windows, Linux GIVES you the whole house ------
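
The wildcard expansion discussed in the message above can be done inside the server process with POSIX glob(3), so a "dir patch*" listing does not by itself require a shell binary in the anonymous area. This is an added example, not code from the original message or from wu-ftpd; `list_matches`, `make_sample_dir`, the scratch directory and its file names are hypothetical and constructed for the demonstration.

```c
#define _POSIX_C_SOURCE 200809L
#include <fcntl.h>
#include <glob.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>

/* Expand a client-supplied wildcard inside dir with glob(3); no shell runs.
 * Returns the match count (0 for none) or -1 for a rejected pattern or a
 * glob error. Matching paths are written to out when out is not NULL.
 * Assumption: dir itself contains no glob metacharacters. */
int list_matches(const char *dir, const char *pattern, FILE *out)
{
    char path[4096];
    glob_t g;
    size_t i;
    int rc, n;

    if (strchr(pattern, '/') != NULL) return -1;   /* pattern must stay inside dir */
    if (snprintf(path, sizeof path, "%s/%s", dir, pattern) >= (int)sizeof path)
        return -1;                                  /* would have been truncated */
    memset(&g, 0, sizeof g);
    rc = glob(path, GLOB_ERR, NULL, &g);
    n = (rc == 0) ? (int)g.gl_pathc : (rc == GLOB_NOMATCH ? 0 : -1);
    for (i = 0; out != NULL && rc == 0 && i < g.gl_pathc; i++)
        fprintf(out, "%s\n", g.gl_pathv[i]);
    globfree(&g);
    return n;
}

/* Constructed sample data: a scratch directory holding three empty files. */
int make_sample_dir(char *tmpl)
{
    static const char *names[] = { "patch-a.gz", "patch-b.gz", "README" };
    char path[4096];
    size_t i;
    int fd;

    if (mkdtemp(tmpl) == NULL) return -1;
    for (i = 0; i < 3; i++) {
        snprintf(path, sizeof path, "%s/%s", tmpl, names[i]);
        if ((fd = open(path, O_CREAT | O_WRONLY, 0600)) < 0) return -1;
        close(fd);
    }
    return 0;
}

int main(void)
{
    char dir[] = "/tmp/globdemoXXXXXX";
    if (make_sample_dir(dir) != 0) return 1;
    printf("%d match(es)\n", list_matches(dir, "patch*", stdout));
    return 0;
}
```
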