Vulnerability Development mailing list archives
Re: BSD chfn bug
From: lcamtuf () IDS PL (Michal Zalewski)
Date: Thu, 22 Jul 1999 06:41:04 +0200
On Sat, 25 Dec 1999, Stanislav N. Vardomskiy wrote:
> > At best you can get a file in /etc/ that is owned by yourself.
>
> This just *might* be a problem. I have been patching ssh lately, building and rebuilding it over and over again, and it seems that ssh can be affected by a number of files in /etc/, some of which are not present by default in all OSes. For instance, just doing a quick `strings` on /usr/local/sbin/sshd comes up with: /etc/environment /etc/sshrc that are not there by default in many OSes. At the same time, when you build SSH, it links by default -DTIS_MAP_FILE=\"/etc/sshd_tis.map\"
Hey, people, what the hell are you talking about?! Please read previous posts:
When you run chfn (chfn/chsh/chpass are the same binary on FreeBSD), a temporary file /etc/pw.???? is touched, and an external editor (env. variable $EDITOR) is executed with the uid of the user running chfn. Edit your parameters, delete all characters on the last line in the editor (the "Other information:" entry). After this, chfn will crash. No core dumped.
All you can get is a file in /etc/ owned by yourself, but this file is named /etc/pw.XXXX, **NOT** /etc/sshrc, /etc/environment, /etc/sshd_tis.map, or anything else - **NAMED** /etc/pw.XXXX. Until you own the whole /etc directory, or suddenly (*p00f*) it becomes world-writable, you cannot rename this file - it's always and always /etc/pw.XXXX...

So what is wrong with you? Stop writing tons of 'what-ifs' if you haven't tested your ideas at least on your own box ;P It's nothing bad to make a mistake, but it's good to at least try before.

_______________________________________________________________________
Michal Zalewski [lcamtuf () ids pl] [link / marchew] [dione.ids.pl SYSADM]
[Marchew Industries] ! [http://lcamtuf.na.export.pl] bash$ :(){ :|:&};:
[voice phone: +48 22 813 25 86] <=-=> [cellular phone: +48 501 4000 69]
To iterate is human, to recurse divine [P. Deutsch]
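Added example, not from the thread or from FreeBSD: a small Python audit for the two things this exchange turns on, leftover chfn temp files named pw.XXXX in /etc and the sshd-consulted files the thread names (/etc/environment, /etc/sshrc, /etc/sshd_tis.map) being owned by someone other than root. The pw.* name pattern, the uid 1001 sample owner and the injectable uid lookup are assumptions so the demo runs on a constructed directory.

```python
import re
import tempfile
from pathlib import Path
from typing import Callable, Dict, List, Union

# Files sshd consults from /etc, as listed in the thread above.
SSH_SENSITIVE = {"environment", "sshrc", "sshd_tis.map"}

# Name pattern of the chfn/chpass temp file the thread describes as /etc/pw.XXXX.
# ASSUMPTION: four or more alphanumeric characters after "pw.".
PW_TEMP = re.compile(r"^pw\.[A-Za-z0-9]{4,}$")

Finding = Dict[str, Union[str, int]]


def audit_etc(etc_dir: str,
              uid_of: Callable[[Path], int] = lambda p: p.stat().st_uid) -> List[Finding]:
    """Scan the top level of etc_dir and report, in sorted path order:
    - leftover chfn temp files (pw.XXXX), whatever their owner;
    - ssh-related files owned by a uid other than 0.
    uid_of is injectable so the demo below can run on a constructed owner map
    instead of real file ownership.
    """
    findings: List[Finding] = []
    for entry in sorted(Path(etc_dir).iterdir()):
        if not entry.is_file():
            continue
        uid = uid_of(entry)
        if PW_TEMP.match(entry.name):
            findings.append({"path": str(entry), "kind": "leftover-chfn-temp", "uid": uid})
        if entry.name in SSH_SENSITIVE and uid != 0:
            findings.append({"path": str(entry), "kind": "ssh-file-not-root-owned", "uid": uid})
    return findings


def demo_findings() -> List[Finding]:
    """Build a constructed /etc stand-in in a temp dir and audit it.
    Ownership is a constructed map (uid 1001 = an unprivileged user), not real stat data.
    """
    etc = tempfile.mkdtemp(prefix="etc-demo-")
    owners = {"passwd": 0, "pw.AbCd": 1001, "sshrc": 1001}
    for name in owners:
        Path(etc, name).write_text("constructed sample\n")
    return audit_etc(etc, uid_of=lambda p: owners[p.name])


if __name__ == "__main__":
    for f in demo_findings():
        print(f"{f['kind']:28} uid={f['uid']:<6} {f['path']}")
```

Run against a real /etc by calling `audit_etc("/etc")` with the default uid lookup; the pw.* hit is reported regardless of owner, since the thread's point is that the stray file is harmless but still worth noticing and cleaning up.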