[5655] in bugtraq


Re: Vulnerability in Lizards game

daemon@ATHENA.MIT.EDU (Zoltan Hidvegi)
Wed Nov 19 16:30:56 1997

Date: 	Tue, 18 Nov 1997 21:14:49 -0600
Reply-To: Zoltan Hidvegi <hzoli@FRONTIERNET.NET>
From: Zoltan Hidvegi <hzoli@FRONTIERNET.NET>
X-To:         j-zbiciak1@ti.com
To: BUGTRAQ@NETSPACE.ORG
In-Reply-To:  <199711181902.NAA12638@sun-8572> from Joe Zbiciak at "Nov 18, 97 01:02:01 pm"

Joe Zbiciak wrote:
> John Dow said previously:
>
> |  - but then again, my system("clear") wasn't particularly
> | elegant either. How about system("/usr/bin/clear")?
>
> That won't work.  An attack along these lines will slice through
> that "fix" pretty quickly, if I'm not mistaken.
>
> export IFS=/
> export PATH=.:$PATH
> echo "cp /bin/sh ./root_sh; chmod 4755 ./root_sh" > ./usr
> chmod 755 ./usr
> lizards

Actually, recent POSIX shells are immune to this kind of attack, since IFS
is only used to split the result of parameter expansion.  No shell under
Linux has this behaviour.  This system() call seems to be secure, but it
is still bad practice.

Recent shells disable .bashrc, $ENV etc. processing when euid != uid or
egid != gid and functions are not imported (see the privileged option in
the bash manual).

> "system()" is just not cut out for security.

Definitely.  And its performance is also quite bad.  It's a waste of
resources to fork/exec a large shell just to execute a tiny program.

Zoltan
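An added example in C (not code from the thread or from the Lizards game) of what Zoltan recommends instead of system(): fork/execve of an absolute path with a fixed, minimal environment, so nothing inherited (PATH, IFS, ENV) reaches the child. The small `sh_with_slash_ifs` helper then checks his claim that IFS only splits the result of parameter expansion; the use of /bin/sh and the chosen exit codes are assumptions for the demonstration.

```c
/* Added example: replace system("clear") with fork/execve of an absolute
 * path and a caller-controlled environment, returning the exit status. */
#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>
#include <sys/wait.h>

/* Execute `path` with `argv` and exactly the environment `envp`; nothing
 * from the parent's environment (PATH, IFS, ENV, BASH_ENV) is inherited.
 * Returns the child's exit status, 127 if exec failed, -1 on fork/wait error. */
int run_program(const char *path, char *const argv[], char *const envp[])
{
    pid_t pid = fork();
    if (pid < 0)
        return -1;
    if (pid == 0) {
        execve(path, argv, envp);
        _exit(127);            /* exec failed: report like a shell would */
    }
    int status;
    if (waitpid(pid, &status, 0) < 0)
        return -1;
    return WIFEXITED(status) ? WEXITSTATUS(status) : -1;
}

/* Run one command line under /bin/sh with IFS="/" and an unusable PATH, to
 * observe what a modern POSIX shell does and does not split on IFS. */
int sh_with_slash_ifs(const char *cmd)
{
    char *argv[] = { "sh", "-c", (char *)cmd, NULL };
    char *envp[] = { "PATH=/nonexistent", "IFS=/", NULL };   /* constructed */
    return run_program("/bin/sh", argv, envp);
}

int main(void)
{
    /* Literal words are not IFS-split: the absolute path still executes. */
    printf("literal path: exit status %d\n",
           sh_with_slash_ifs("IFS=/; /bin/sh -c 'exit 7'"));
    /* The result of a parameter expansion IS split: a/b becomes 2 words. */
    printf("expansion:    word count %d\n",
           sh_with_slash_ifs("IFS=/; x=a/b; set -- $x; exit $#"));
    /* The game's original call, done without a shell at all. */
    char *argv[] = { "clear", NULL };
    char *envp[] = { "TERM=xterm", NULL };                    /* constructed */
    printf("clear: exit status %d\n", run_program("/usr/bin/clear", argv, envp));
    return 0;
}
```

With a modern sh the first call returns 7 and the second 2, which is exactly the behaviour Zoltan describes: the attack in the quoted message relied on command words themselves being split on IFS.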
