Vulnerability Development mailing list archives
Re: ls bug.
From: "Wodahs Latigid" <wodahs () mail com>
Date: Fri, 15 Feb 2002 13:37:34 +0000
ls reading flags from filename which might lead to root backdoor as a concept, i.e. cat >-ls;id and the wait for root to ls * .
Actually, its not ls reading from the filename, but the shell appending the filenames as parameters. Take for example: $ ls -la 123 312 $ ls * -rw-r--r-- 1 someone users 0 Feb 15 07:24 123 -rw-r--r-- 1 someone users 0 Feb 15 07:24 312 $ The 'ls' command recieves "ls -la 123 321" (as the shell expands the * wildcard with the names of the files in the current directory). So this has the same effect: $ id * id: invalid option -- l Try `id --help' for more information. $ Although this is a feature rather than a bug, that doesn't mean that it can't be useful. For example, say you have a search script that finds all new files in a certain directory by issuing the 'ls -la *' command. If the attacker were to create a directory called '-la', it would not be seen by the script. - Wodahs ------------------------------------- http://www.ministryofpeace.co.uk/ -- _______________________________________________ Sign-up for your own FREE Personalized E-mail at Mail.com http://www.mail.com/?sr=signup Win a ski trip! http://www.nowcode.com/register.asp?affiliate=1net2phone3a
Current thread:
- ls bug. Ehud Tenenbaum (Feb 15)
- Re: ls bug. Chris Faulhaber (Feb 15)
- Re: ls bug. Blue Boar (Feb 15)
- <Possible follow-ups>
- Re: ls bug. Ehud Tenenbaum (Feb 15)
- Re: ls bug. Crist J. Clark (Feb 16)
- Re: ls bug. Wodahs Latigid (Feb 15)