Bugtraq mailing list archives
Re: sperl 5.00503 (and newer ;) exploit
From: Pixel <pixel () MANDRAKESOFT COM>
Date: Mon, 7 Aug 2000 10:13:19 -0400
Michal Zalewski <lcamtuf () DIONE IDS PL> writes: [...]
c) /bin/mail has undocumented feature; if interactive=something, it will interpret ~! sequence even if not running on the terminal; it is not
here is a patch for mailx that will disable this feature, and so make sperl `safe' -------------------------------------------------------------------------------- --- mailx-8.1.1/collect.c~ Mon Aug 7 15:17:13 2000 +++ mailx-8.1.1/collect.c Mon Aug 7 15:55:48 2000 @@ -226,8 +226,13 @@ * Shell escape, send the balance of the * line to sh -c. */ - shell(&linebuf[2]); - break; + /* + * HACK: only accept shell commands if "interactive" is set, + * and not set via environment variables (otherwise, nice + * stuff for security exploits!) + */ + if (lookup("interactive")) shell(&linebuf[2]); + break; case ':': case '_': /* -------------------------------------------------------------------------------- cu Pixel. PS: be careful if you want to patch perl to remove any `~!' in the filename, the escape character can be changed in mailx...
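Review bot: The new guard in the shell-escape case, `if (lookup("interactive")) shell(&linebuf[2]);`, is only as strong as the assumption that lookup() sees variables set inside mailx and never falls back to the environment. The comment asserts this but nothing in the hunk shows it. Either name in the comment the environment-aware lookup that is deliberately being avoided, or additionally test the input descriptor with isatty(), so the check does not rest on one helper's behaviour. When the guard fails, the escape line is discarded silently by the `break`; a short diagnostic would make the refusal visible to a legitimate user. As a style point, put `shell(&linebuf[2]);` on its own line under the `if` and replace the "HACK" label with a plain statement of the rule.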