[3365] in bugtraq
Re: tee see shell problems
daemon@ATHENA.MIT.EDU (David S. Goldberg)
Mon Sep 16 23:57:40 1996
Date: Mon, 16 Sep 1996 15:19:48 -0400
Reply-To: "David S. Goldberg" <dsg@mitre.org>
From: "David S. Goldberg" <dsg@linus.mitre.org>
X-To: "Michael J. Hartwick" <hartwick@primeline.net>
To: Multiple recipients of list BUGTRAQ <BUGTRAQ@NETSPACE.ORG>
In-Reply-To: "Michael J. Hartwick"'s message of Fri, 13 Sep 1996 22:53:11 -0400 (EDT)
> I just tested a variation of this exploit with bash 1.14.6(1)
> running on Linux 2.0.13. By using my variation I managed to become
> root. I find this frightening. In my variation I wasn't as subtle.
> To use a large portion of the original exploit. Hopefully things
> like this won't happen, but it is possible. I know that I will
> forever be much more careful when cd'ing from now on. This is a
> very simplistic example, but I am sure more difficult ones can be
> devised.
I tried the same with bash 1.14.6(1) on Solaris 2.5 (sparc, though
theoretically it shouldn't matter), SunOS 4.1.4, BSDI 2.0.1 and IRIX
5.3, and was unable to perform the exploit using the * wildcard
expansion (if I typed in the directory name with the backquotes
directly, it did work, which I would expect). I ran bash under truss
(on Solaris) and sure enough, the backquote expansion is simply not
done. The * expansion generates the backquoted file name, which is
passed to chdir. I was able to perform this exploit with tcsh 6.05 on
all the above platforms, but not with tcsh 6.04. I don't know why it
worked for bash under linux, but I don't have a linux box available to
me to check it out.
--
Dave Goldberg
Post: The Mitre Corporation\MS B305\202 Burlington Rd.\Bedford, MA 01730
Phone: 617-271-3887
Email: dsg@mitre.org