Bugtraq mailing list archives

Re: sperl 5.00503 (and newer ;) exploit


From: Pixel <pixel () MANDRAKESOFT COM>
Date: Mon, 7 Aug 2000 10:13:19 -0400

Michal Zalewski <lcamtuf () DIONE IDS PL> writes:

[...]

c) /bin/mail has undocumented feature; if interactive=something, it will
   interpret ~! sequence even if not running on the terminal; it is not

here is a patch for mailx that will disable this feature, and so make sperl
`safe'

--------------------------------------------------------------------------------
--- mailx-8.1.1/collect.c~      Mon Aug  7 15:17:13 2000
+++ mailx-8.1.1/collect.c       Mon Aug  7 15:55:48 2000
@@ -226,8 +226,13 @@
                         * Shell escape, send the balance of the
                         * line to sh -c.
                         */
-                       shell(&linebuf[2]);
-                       break;
+                       /*
+                        * HACK: only accept shell commands if "interactive" is set,
+                        * and not set via environment variables (otherwise, nice
+                        * stuff for security exploits!)
+                        */
+                       if (lookup("interactive")) shell(&linebuf[2]);
+                       break;
                case ':':
                case '_':
                        /*
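Review bot: the new comment above the `shell()` call claims the check excludes `interactive` when it is set only through the environment, but nothing in the hunk shows why `lookup("interactive")` has that property; if `lookup()` searches only mailx's internal variable table while `value()` falls back to getenv(), state that in the comment so a later reader does not "simplify" it back to `value()`. Also, a `~!` line that fails the check is now silently discarded via the bare `break`; consider either printing a diagnostic or keeping the line as message text, and recording the changed `~!` behaviour in the man page.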
--------------------------------------------------------------------------------


cu Pixel.

PS: be careful if you want to patch perl to remove any `~!' in the filename, the
escape character can be changed in mailx...
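A small model of the check the patch adds, written as an added example rather than mailx's own code: `lookup()` consults only the internal variable table, `value()` falls back to the environment, and the pre-patch branch follows the behaviour described in the quoted report. The table, the environment stand-in and the helper names (vartab, envtab, set_var, set_env, clear_all, escape_allowed) are assumptions of this model.

```c
/* Added example, not mailx's own code: a model of the variable lookup the
 * patch relies on. lookup() consults only mailx's internal table ("set" /
 * .mailrc); value() falls back to the process environment. The names
 * vartab, envtab, set_var, set_env and clear_all are constructed here. */
#include <string.h>
#include <stddef.h>
struct var { const char *name; const char *val; };

#define MAXVARS 8
static struct var vartab[MAXVARS];   /* internal table: "set" / .mailrc */
static int nvars;
static struct var envtab[MAXVARS];   /* stand-in for the caller's environment */
static int nenv;

static const char *find(const struct var *t, int n, const char *name) {
    for (int i = 0; i < n; i++)
        if (strcmp(t[i].name, name) == 0) return t[i].val;
    return NULL;
}

void set_var(const char *n, const char *v) {        /* like "set n=v" */
    if (nvars < MAXVARS) { vartab[nvars].name = n; vartab[nvars].val = v; nvars++; }
}
void set_env(const char *n, const char *v) {        /* like n=v in the environment */
    if (nenv < MAXVARS) { envtab[nenv].name = n; envtab[nenv].val = v; nenv++; }
}
void clear_all(void) { nvars = nenv = 0; }
/* Internal table only: nothing in the environment can influence it. */
const char *lookup(const char *name) { return find(vartab, nvars, name); }

/* Table first, then environment: this fallback is what lets interactive=...
 * in the environment of a non-interactive mailx turn on tilde processing. */
const char *value(const char *name) {
    const char *v = lookup(name);
    return v ? v : find(envtab, nenv, name);
}

/* 1 if this line would reach shell(), 0 if it is dropped. The escape
 * character itself comes from value("escape"), as the PS above notes, so a
 * filter on a literal "~!" is not a substitute for the gate below.
 * hardened == 0: pre-patch, gated only by value("interactive");
 * hardened != 0: the patch, which additionally requires lookup(). */
int escape_allowed(const char *linebuf, int hardened) {
    const char *e = value("escape");
    char esc = (e != NULL && e[0] != '\0') ? e[0] : '~';
    if (linebuf[0] != esc || linebuf[1] != '!') return 0;
    if (value("interactive") == NULL) return 0;      /* no tilde processing at all */
    return hardened ? (lookup("interactive") != NULL) : 1;
}
```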

