[3363] in bugtraq
Re: BoS: tee see shell problems
daemon@ATHENA.MIT.EDU (Travis Hassloch x231)
Mon Sep 16 23:41:33 1996
Date: Mon, 16 Sep 1996 14:29:53 -0500
Reply-To: Travis Hassloch x231 <travis@EvTech.com>
From: Travis Hassloch x231 <travis@EvTech.com>
X-To: "Michael J. Hartwick" <hartwick@primeline.net>
To: Multiple recipients of list BUGTRAQ <BUGTRAQ@NETSPACE.ORG>
In-Reply-To: Your message of "Fri, 13 Sep 1996 22:53:11 EDT."
             <Pine.LNX.3.94.960913223432.23513A-100000@primeline.net>

In message <Pine.LNX.3.94.960913223432.23513A-100000@primeline.net> you write:
> I just tested a variation of this exploit with bash 1.14.6(1)
> running on Linux 2.0.13. By using my variation I managed to become root.

Funny, I couldn't get it to work on Solaris:

bash$ bash -version
GNU bash, version 1.14.5(1)
bash$ ls -la
total 12
drwx------ 2 travis 60 Sep 16 14:20 .
drwxrwxrwx 5 root 949 Sep 16 14:20 ..
-rwx------ 1 travis 61 Sep 16 14:23 .WaReZ
bash$ cat .WaReZ
echo Im a lamer, lookatmee whohoo
touch /tmp/bar
echo u loze
bash$ pwd
/tmp/`source .WaReZ'
bash$ cd ..
bash$ cd *W*
bash$ ls -la /tmp/bar
/tmp/bar not found
bash$ pwd
/tmp/`source .WaReZ'
# to prove that it really works:
bash$ source .WaReZ
Im a lamer, lookatmee whohoo
u loze

Am I missing something here?
I also tried simpler names like /tmp/`echo hi` - again, didn't work.