Bugtraq mailing list archives
Re: procmail
From: casper () HOLLAND SUN COM (Casper Dik)
Date: Tue, 22 Jul 1997 09:11:11 +0200
On Mon, 21 Jul 1997 16:50:56 +0200, Casper Dik wrote:Shells will not honor meta characters inside variables. The shell will first parse (the phase in which meta chacretsr and keywords are detected) and only then will it do variabel substitution. Then it'll split stuff in words and only then wildcard expansion is done.There's some weird effect with tcsh (I don't know if that's standard csh behavior). When your shell script does a `set foo=$1' and the first argument is "xx PATH=~ftp/incoming:/usr/bin:/bin" it will do two simultaenous variable assignments, and thus overwrite the PATH variable with the string the attacker specified. Not sure if that qualifies as metacharacter expansion, but it's definitely scary:-) Metamail had this problem, fwiw.
Most likely because Csh/Tcsh variabel assignments are treated different from sh assignment (which are part of the syntax; in csh/tcsh they're part of the command language) in Csh/tcsh you must quote the assignment. The worst thing csh/tcsh do, however, is an "eval" on the variable that are imported to local variables (HOME->hoem, TERM-> term PATH->path, etc) So any set-uid/set-gid C-shell script or a C-shell script "captive" login; they're all easily broken. This is fixed in later tcsh revisions. There are simply too many weird things in tcsh/csh to use them as a scripting language for scritps otehr than .login/.cshrc etc. Casper
Current thread:
- procmail jamie (Jul 18)
- Re: procmail Illuminatus Primus (Jul 20)
- Re: procmail Brock Rozen (Jul 21)
- Re: procmail Casper Dik (Jul 21)
- Re: procmail Olaf Kirch (Jul 21)
- Re: procmail Casper Dik (Jul 22)
- Re: procmail Illuminatus Primus (Jul 20)
- AIX ping (Exploit) Bryan P. Self (Jul 20)
- AIX ping, lchangelv, xlock fixes Troy Bollinger (Jul 21)
- Re: procmail Philip Guenther (Jul 20)
- AIX lchangelv (Exploit) Bryan P. Self (Jul 20)
- SNI-16: INN News Server Security Advisory Secure Networks Inc. (Jul 21)
- Re: SNI-16: INN News Server Security Advisory Christopher Samuel (Jul 28)
- Re: SNI-16: INN News Server Security Advisory Nathan J. Mehl (Jul 28)
- Re: SNI-16: INN News Server Security Advisory Christopher Samuel (Jul 28)
- Re: procmail Adam Shostack (Jul 21)