Re: [H-BUGTRAQ] Critical Security Problem in 4.4BSD crt0
daemon@ATHENA.MIT.EDU (Lex Spoon)
Mon Feb 3 15:28:37 1997
Date: Mon, 3 Feb 1997 19:48:17 -0000
Reply-To: Lex Spoon <sspoon@CLEMSON.EDU>
From: Lex Spoon <sspoon@CLEMSON.EDU>
X-To: brucec@HUMBUG.ORG.AU
To: BUGTRAQ@netspace.org
In-Reply-To: <Pine.LNX.3.95.950203195050.703B-100000@zerlargal.humbug.org.au>
(message from A Bruce in the land of the Bruces on Fri, 3 Feb
1995 19:54:55 +1000)
> From: A Bruce in the land of the Bruces <brucec@HUMBUG.ORG.AU>
>
> On Sun, 2 Feb 1997, Thomas H. Ptacek wrote:
>
> > There is a critically important security problem in FreeBSD 2.1.5's C
> > runtime support library that will enable anyone with control of the
> > environment of a process to cause it to execute arbitrary code. All
> > executable SUID programs on the system are vulnerable to this problem.
> >
> > On FreeBSD 2.1.5, startup locale processing is enabled by setting the
> > environment variable "ENABLE_STARTUP_LOCALE". "startup_setrunelocale()" is
> > called if the environment variable "LC_CTYPE" is set as well.
>
> Quick fix (for shell users), 'declare -r' all suspect environment
> variables to safe values in the system startup files for the shell.
>
This doesn't completely close the hole. In the following snippet,
/bin/sh is /bin/bash, in case that matters:
$ export FOO=short
$ echo $FOO
short
$ declare -r FOO
$ FOO=oaeundoautnhdoaeunthdoaeuthdoautnhd
bash: FOO: read-only variable
$ env FOO=oaeutnhdoeutnhdunthadutnohadoatnuehd sh
$ echo $FOO
oaeutnhdoeutnhdunthadutnohadoatnuehd
$
lex
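An added check, not part of the thread, that turns Lex's observation into something a defender can run before trusting a shell-level "fix": it makes a variable read-only in a shell, then reports what a child process started through env(1) actually sees, alongside what the same shell sees after a direct reassignment. The variable name and values are constructed for the demonstration; only sh, env(1) and printf are assumed.

```shell
#!/bin/sh
# Added example (not from the original message or from FreeBSD).
# Both functions work in a subshell so the caller's shell is not left
# with a read-only variable.

# Value a child process observes for variable $1 when launched via env(1)
# with $1 set to $2, after $1 was exported as "safe" and made read-only.
# env(1) hands the child a fresh environment block, so the parent shell's
# readonly attribute is never consulted: expected result is $2.
child_sees() {
    name=$1
    injected=$2
    (
        export "$name=safe"
        readonly "$name"
        # The child evaluates printf %s "$<name>" and prints the result.
        env "$name=$injected" sh -c 'eval printf %s \"\$$1\"' sh "$name"
    )
}

# Value the same shell observes for $1 after an attempted direct
# reassignment to $2. The readonly attribute does stop this case, so the
# expected result is "safe". The failing assignment runs in a nested
# subshell because a non-interactive sh may abort on the error.
same_shell_sees() {
    name=$1
    injected=$2
    (
        export "$name=safe"
        readonly "$name"
        ( eval "$name=\$injected" ) 2>/dev/null || true
        eval "printf %s \"\$$name\""
    )
}

# Stand-alone report: a mitigation that only holds inside one shell
# process is not a boundary for SUID programs, which run with whatever
# environment their caller passes to execve().
report() {
    printf 'same shell after readonly : %s\n' "$(same_shell_sees FOO injected)"
    printf 'child via env(1)          : %s\n' "$(child_sees FOO injected)"
}
```

Running `report` shows "safe" for the shell itself and "injected" for the child, which is exactly why the fix had to go into crt0 rather than into shell startup files.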