[445] in bugtraq
8lgm's SCO "at" hole
daemon@ATHENA.MIT.EDU (Justin Mason)
Fri Dec 9 10:08:17 1994
To: bugtraq@fc.net
Date: Fri, 09 Dec 1994 12:49:22 +0000
From: Justin Mason <jmason@iona.ie>
[8lgm]-Advisory-10-EXPLOIT describes a hole where a setgid program runs
/bin/pwd with popen(3).
In case you don't know, this is the way that SunOS, as well as SCO,
performs the getcwd() call. Other versions of UNIX may also implement
it this way, although Solaris' getwd() doesn't (sorry folks -- don't
have enough UNIX machines with trace commands!).
trace/truss -f this C code to check:
#include <stdio.h>
#include <unistd.h>
/* run this under trace -f or truss -f: a fork or vfork means getcwd() spawns /bin/pwd */
int main(void) { char x[1024]; if (getcwd(x, sizeof x) != NULL) printf("%s\n", x); return 0; }
If you see a fork or vfork, your getcwd runs /bin/pwd.
If you have any setuid programs that call getcwd(), make sure they
sanitise their environment beforehand. Another thing to watch out
for...
--j.
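An added example of the environment sanitising the post recommends, written for this note and not taken from the 8lgm advisory or the original post; SAFE_PATH, drop_prefix(), sanitise_env() and demo() are names chosen here, and the hostile values set in demo() are constructed. It assumes a POSIX setenv()/unsetenv() and the usual environ pointer.

```c
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
extern char **environ;
#define SAFE_PATH "/bin:/usr/bin"   /* trusted path that replaces the inherited one */

/* Remove every variable whose name starts with prefix (e.g. "LD_"). unsetenv()
 * shifts the remaining entries down, so the scan restarts after each removal. */
static void drop_prefix(const char *prefix)
{
    char **e, name[256];
    size_t n;
    for (e = environ; *e != NULL; ) {
        n = strcspn(*e, "=");
        if (strncmp(*e, prefix, strlen(prefix)) != 0 || (*e)[n] != '=' || n >= sizeof name) {
            e++;                 /* not ours (or malformed): leave it, move on */
            continue;
        }
        memcpy(name, *e, n);
        name[n] = '\0';
        unsetenv(name);
        e = environ;             /* rescan from the start */
    }
}

/* Drop what "sh -c pwd" (the command popen() runs) would take from the caller. */
int sanitise_env(void)
{
    if (setenv("PATH", SAFE_PATH, 1) != 0)   /* decides which "pwd" is found */
        return -1;
    unsetenv("IFS");             /* changes how sh splits the command line */
    drop_prefix("LD_");          /* LD_PRELOAD, LD_LIBRARY_PATH, ... */
    return 0;
}

/* Constructed hostile environment, then the cleanup a setuid program should
 * do before its first getcwd(). Returns 1 if the cleanup and getcwd() succeed. */
int demo(void)
{
    char cwd[1024];
    setenv("PATH", "/tmp/untrusted:/bin", 1);        /* constructed values */
    setenv("IFS", "/", 1);
    setenv("LD_PRELOAD", "/tmp/untrusted/x.so", 1);
    if (sanitise_env() != 0)
        return 0;
    return getcwd(cwd, sizeof cwd) != NULL;
}
```

Call sanitise_env() as the first thing a setuid or setgid program does, before any library call that might popen() or exec() on its behalf.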