[16115] in bugtraq


Re: sperl 5.00503 (and newer ;) exploit

daemon@ATHENA.MIT.EDU (Pixel)
Mon Aug 7 14:35:55 2000

Message-Id:  <lyk8dt2m80.fsf@leia.mandrakesoft.com>
Date:         Mon, 7 Aug 2000 10:13:19 -0400
Reply-To: pixel@MANDRAKESOFT.COM
From: Pixel <pixel@MANDRAKESOFT.COM>
To: BUGTRAQ@SECURITYFOCUS.COM
In-Reply-To:  Michal Zalewski's message of "Sat, 5 Aug 2000 19:19:36 +0200"

Michal Zalewski <lcamtuf@DIONE.IDS.PL> writes:

[...]

> c) /bin/mail has undocumented feature; if interactive=something, it will
>    interpret ~! sequence even if not running on the terminal; it is not

here is a patch for mailx that will disable this feature, and so make sperl
`safe'

--------------------------------------------------------------------------------
--- mailx-8.1.1/collect.c~	Mon Aug  7 15:17:13 2000
+++ mailx-8.1.1/collect.c	Mon Aug  7 15:55:48 2000
@@ -226,8 +226,13 @@
 			 * Shell escape, send the balance of the
 			 * line to sh -c.
 			 */
-			shell(&linebuf[2]);
-			break;
+      			/*
+      			 * HACK: only accept shell commands if "interactive" is set,
+      			 * and not set via environment variables (otherwise, nice
+      			 * stuff for security exploits!)
+      			 */
+      			if (lookup("interactive")) shell(&linebuf[2]);
+      			break;
 		case ':':
 		case '_':
 			/*
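Review bot: the new gate `if (lookup("interactive")) shell(&linebuf[2]);` depends on `lookup()` ignoring the environment, as the added comment claims, but nothing in the hunk shows that; please confirm that `lookup` consults only mailx's internal variable table and never falls back to `getenv`, and that `interactive` cannot still be set from a startup rc file whose location the untrusted caller controls. Since the quoted report's concern is `~!` being honoured "even if not running on the terminal", testing the terminal itself (an `isatty()` check on standard input) alongside the variable would address the root cause rather than one way of setting the flag. Two minor points: the added lines are indented with spaces followed by tabs while the surrounding code uses tabs only, and a rejected `~!` line is silently discarded, so a short notice to the user would make the behaviour less surprising.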
--------------------------------------------------------------------------------


cu Pixel.

PS: be careful if you want to patch perl to remove any `~!' in the filename, the
escape character can be changed in mailx...
