Bugtraq mailing list archives
Netscape 6.01A ksh "here document" vulnerability.
From: "Larry W. Cashdollar" <lwc () Vapid dhs org>
Date: Tue, 28 Aug 2001 08:51:55 -0400 (EDT)
Here is another example of the ksh "here document" vulnerability. Except it is for Netscape 6.01a on Solaris 2.x. This creates the same symlink vulnerability as the previous patchadd post. Except your more likely to destroy user files rather than system files. run-mozilla.sh creates a "here document" in function moz_usage(). #!/bin/sh ---snip-- . . . moz_usage() { cat << EOF Usage: ${cmdname} [options] [program] options: -snip- . . . EOF Temp dir listing: pangea #ls -l /tmp -rw-r--r-- 1 lwc user 399 Aug 28 08:38 sh10040 Truss output: 1004: stat64("/tmp/sh10040", 0xFFBEEDD8) Err#2 ENOENT 1004: creat64("/tmp/sh10040", 0666) = 3 1004: unlink("/tmp/sh10040") = 0 Solution? Use echo or another shell. -- Larry http://vapid.dhs.org:8080
Current thread:
- Solaris Patchadd symlink exploit. Larry W. Cashdollar (Aug 27)
- <Possible follow-ups>
- Re: Solaris Patchadd symlink exploit. Paul Szabo (Aug 27)
- Netscape 6.01A ksh "here document" vulnerability. Larry W. Cashdollar (Aug 28)