[16119] in bugtraq
Re: sperl 5.00503 (and newer ;) exploit
daemon@ATHENA.MIT.EDU (Olaf Kirch)
Mon Aug 7 15:25:16 2000
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Message-Id: <20000807123536.A9156@monad.swb.de>
Date: Mon, 7 Aug 2000 12:35:36 +0200
Reply-To: Olaf Kirch <okir@CALDERA.DE>
From: Olaf Kirch <okir@CALDERA.DE>
X-To: Michal Zalewski <lcamtuf@DIONE.IDS.PL>
To: BUGTRAQ@SECURITYFOCUS.COM
In-Reply-To: <Pine.LNX.4.21.0008051913570.26685-100000@dione.ids.pl>; from
lcamtuf@DIONE.IDS.PL on Sat, Aug 05, 2000 at 07:19:36PM +0200
On Sat, Aug 05, 2000 at 07:19:36PM +0200, Michal Zalewski wrote:
> c) /bin/mail has undocumented feature; if interactive=something, it will
> interpret ~! sequence even if not running on the terminal;
Well, some "unfortunate" features come back again and again. I recall
INN's control scripts used to have a similar problem, three years ago.
I'm sort of torn between whether to blame sperl for using mail rather
than syslog, or for doing so without cleaning up the environment.
Apart from the ~! expansion problem, there seems to be at least
another one lurking which is that it'll try to load ~/.mailrc, and
~ is replaced with the value of $HOME.
Any setuid root program that does an exec() somewhere is just a less
user friendly version of su. I have a wonderful proof of this claim,
but unfortunately the margin is too small to hold it :-)
Olaf
--
Olaf Kirch | --- o --- Nous sommes du soleil we love when we play
okir@monad.swb.de | / | \ sol.dhoop.naytheet.ah kin.ir.samse.qurax
okir@caldera.de +-------------------- Why Not?! -----------------------
UNIX, n.: Spanish manufacturer of fire extinguishers.
