[22445] in bugtraq


Netscape 6.01A ksh "here document" vulnerability.

daemon@ATHENA.MIT.EDU (Larry W. Cashdollar)
Tue Aug 28 23:50:56 2001

Date: Tue, 28 Aug 2001 08:51:55 -0400 (EDT)
From: "Larry W. Cashdollar" <lwc@Vapid.dhs.org>
To: Paul Szabo <psz@maths.usyd.edu.au>
Cc: vulnwatch@vulnwatch.org, bugtraq@securityfocus.com
In-Reply-To: <200108272106.f7RL68V400699@milan.maths.usyd.edu.au>
Message-ID: <Pine.SOL.4.21.0108280828550.31850-100000@Vapid.dhs.org>
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII


   Here is another example of the ksh "here document" vulnerability.
Except it is for Netscape 6.01a on Solaris 2.x.  This creates the same
symlink vulnerability as the previous patchadd post.  Except you're more
likely to destroy user files rather than system files.

run-mozilla.sh creates a "here document" in function moz_usage().

#!/bin/sh
---snip--
.
.
.

moz_usage()
{

  cat << EOF

Usage:  ${cmdname} [options] [program]

  options:

-snip-
.
.
. 
EOF

Temp dir listing:

pangea #ls -l /tmp
-rw-r--r--   1 lwc     user        399 Aug 28 08:38 sh10040

Truss output:

1004:   stat64("/tmp/sh10040", 0xFFBEEDD8)              Err#2 ENOENT
1004:   creat64("/tmp/sh10040", 0666)                   = 3
1004:   unlink("/tmp/sh10040")                          = 0


Solution? Use echo or another shell.


-- Larry
   http://vapid.dhs.org:8080
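As an added example, not part of Larry's post or of Netscape's run-mozilla.sh: a small sh audit that lists every here document in a set of scripts (each one a place where Solaris /bin/sh stages the text in a predictably named /tmp/sh<pid> file, as the truss output above shows), plus the printf rewrite of moz_usage() that the "use echo" suggestion amounts to. The sample script and the default command name are constructed for the demo.

```shell
#!/bin/sh
# Added example (not from the original post or from run-mozilla.sh).

# Print "file:line:text" for every here-document redirection (<< or <<-)
# that is followed by a delimiter word. A shift by a numeric constant such
# as $((x<<2)) is not reported because no delimiter word follows the operator.
find_heredocs() {
    pattern="<<-?[[:space:]]*[\"']?[A-Za-z_]"
    for f in "$@"; do
        grep -En "$pattern" "$f" | sed "s|^|$f:|"
    done
}

# moz_usage() without a here document: printf writes the text straight to
# stdout, so the shell never creates /tmp/sh<pid> and no symlink planted
# there can redirect the write. The default name is an assumption; the
# original reads ${cmdname} from its environment.
moz_usage_safe() {
    cmdname=${1:-run-mozilla.sh}
    printf 'Usage:  %s [options] [program]\n\n  options:\n' "$cmdname"
}

# Constructed sample script mirroring the vulnerable fragment from the post
# (written with printf so the demo itself creates no here document); prints
# the audit result for it and cleans up.
demo_audit() {
    dir=$(mktemp -d) || return 1
    printf '%s\n' '#!/bin/sh' 'moz_usage()' '{' '  cat << EOF' \
        'Usage:  ${cmdname} [options] [program]' 'EOF' '}' 'x=$((1<<2))' \
        > "$dir/run-mozilla.sh"
    ( cd "$dir" && find_heredocs run-mozilla.sh )
    rm -rf "$dir"
}

demo_audit
```

Running the block prints `run-mozilla.sh:4:  cat << EOF`, the one line in the sample that would be staged through /tmp when the script is run by Solaris /bin/sh.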
