Re: SSH Exploit Request

[Valdis.Kletnieks () vt edu]

On Fri, 14 Nov 2003 22:21:30 PST, Jeremiah Cornelius said:

> Solaris ('til v 7, at least) keeps a Bekeley-syntax shutdown in 
> /usr/ucb/bin/

Remember what I said about "what happens if you set your root login shell to be
/usr/local/bin/glitzy-shell?".  Well, I've got a nice story about Solaris and 
/usr/ucb.

I'm one of the gang of inindicted co-conspirators who are to blame for the
Center for Internet Security benchmarks.  One of the things the Solaris
benchmark includes is cut-and-paste code to implement each recommendation.  So
anyhow, we get feedback from one site, complaining that some of their
configuration files now have literal backslash tee backslash tee backslash tee
where there should be a sequence of 3 tabs.

I finally tracked that one down to the fact that the Solaris shell 'echo'
builtin actually *checks* $PATH to see if /usr/ucb is in it, and if so, if it's
before or after /usr/bin, and then emulates a SysV or BSD echo.  And the BSD
echo doesn't handle escape sequences the same way.....  Whoops. We got to go
through and replace all the echo's with printf's.

Yes, a bug in our code.  However, one totally unexpected, even by any of the
large number of Solaris experts, and it didn't crop up on the first several
hundred or thousand boxes it was tested on....

And *that* sort of bug is the one that answers the question "How could patching
XYZ *possibly* take down a server?".....

Attachment: _bin
Description: