Vulnerability Development mailing list archives
ls bug.
From: Ehud Tenenbaum <analyzer () 2xss com>
Date: Fri, 15 Feb 2002 08:27:38 +0200
Greetings,
BOS - Binary Overflow scanner, made by the 2xs Security team,
found a new bug in the "ls" binary. We tested it on Slackware 8.0
and Red Hat 7.2; both have this bug.
Let's get down to business:
bash-2.04$ id
uid=100(w00p) gid=100(users) groups=100(users)
bash-2.04$ ls *
BOS exam exim.log.old pwck.log.old ssh1.log sudo.log uuchk.log
BOS-Linux-i686-dyanmic examine.c exim.log] rcp?.log strace suid uustat.log
chsh.log exim.log procmail.log? ssh.log su.log test uuxqt.log
bash-2.04$
So far so good.
bash-2.04$ cat >-ls
^D
bash-2.04$
bash-2.04$ ls *
0 lrwxrwxrwx 1 root root 22 Feb 10 12:37 BOS -> BOS-Linux-i686-dyanmic
20 -rwxr-xr-x 1 root root 18258 Feb 11 11:38 BOS-Linux-i686-dyanmic
4 -rw-r--r-- 1 w00p users 226 Feb 11 21:14 chsh.log
16 -rwxr-xr-x 1 root root 12984 Feb 11 05:44 exam
4 -rw-r--r-- 1 root root 1759 Feb 11 05:44 examine.c
1492 -rw-r--r-- 1 w00p users 1520686 Feb 11 05:13 exim.log
1492 -rw-r--r-- 1 w00p users 1520686 Feb 12 11:30 exim.log.old
1476 -rw-r--r-- 1 w00p users 1504901 Feb 12 11:32 exim.log]
4 -rw-r--r-- 1 w00p users 187 Feb 12 04:18 procmail.log?
8 -rw-r--r-- 1 w00p users 6772 Feb 10 08:11 pwck.log.old
4 -rw-r--r-- 1 w00p users 226 Feb 12 00:53 rcp?.log
4 -rw-r--r-- 1 root root 226 Feb 11 13:17 ssh.log
4 -rw-r--r-- 1 root root 226 Feb 11 16:47 ssh1.log
4 -rw-r--r-- 1 root root 187 Feb 12 02:48 strace
4 -rw-r--r-- 1 w00p users 187 Feb 10 13:05 su.log
4 -rw-r--r-- 1 w00p users 226 Feb 12 11:43 sudo.log
4 -rw-r--r-- 1 w00p users 687 Feb 10 09:40 suid
4 -rw-r--r-- 1 root root 9 Feb 11 06:16 test
4 -rw-r--r-- 1 w00p users 226 Feb 12 04:17 uuchk.log
4 -rw-r--r-- 1 w00p users 226 Feb 12 12:59 uustat.log
88 -rw-r--r-- 1 w00p users 83272 Feb 12 09:39 uuxqt.log
bash-2.04$
ls is reading flags from the filename, which might lead to a root backdoor as a
concept, i.e. cat >-ls;id and then wait for root to ls * .
Again, this is only an idea; we couldn't get it to work just yet.
Nevertheless, it's still a bug and can be very dangerous.
This bug was found by the 2xs Security Research team using the BOS program,
soon to be an open source project.
Should anyone have any questions or comments, email us at
Ehud Tenenbaum <analyzer () 2xss com> and/or
Izik <izik () 2xss com> and/or
Mixter <mixter () 2xss com>
--
------------
Ehud Tenenbaum
C.T.O & Project Manager
2xs LTD.
Tel: 972-9-9519980
Fax: 972-9-9519982
E-Mail: ehud () 2xss com
------------
Have A Safe Day
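The behaviour shown in the post, as an added shell example that is not part of the original message: the shell expands `*` before `ls` runs, so a file named `-ls` arrives as an option word, while `--` or a `./` prefix keeps it an operand. The function names and scratch files are constructed for illustration.

```shell
#!/bin/sh
# Added illustration; all file and directory names are constructed.

# Scratch directory with two ordinary files and one named "-ls",
# the name the post creates with `cat >-ls`.
make_demo_dir() {
    d=$(mktemp -d) || return 1
    : > "$d/exim.log"; : > "$d/su.log"; : > "$d/-ls"
    printf '%s\n' "$d"
}

# Count the words a utility would parse as options: anything that
# starts with "-" and appears before an end-of-options "--".
count_optionlike() {
    n=0
    for arg in "$@"; do
        [ "$arg" = "--" ] && break
        case $arg in -?*) n=$((n + 1)) ;; esac
    done
    printf '%s\n' "$n"
}

# Option-like word counts for the three spellings, run inside dir $1.
glob_bare()     { ( cd "$1" && count_optionlike * ); }
glob_prefixed() { ( cd "$1" && count_optionlike ./* ); }
glob_guarded()  { ( cd "$1" && count_optionlike -- * ); }

# Does ls report "-ls" as a directory entry? $2 is "bare" or "guarded".
ls_lists_dash_file() {
    ( cd "$1" || exit 1
      LC_ALL=C; export LC_ALL          # fixed glob sort order
      if [ "$2" = guarded ]; then ls -- *; else ls *; fi
    ) | grep -qx -e '-ls' && echo yes || echo no
}

# Audit helper: names in dir $1 that begin with "-".
find_dash_names() {
    ( cd "$1" || exit 1
      for f in ./-*; do
          if [ -e "$f" ]; then printf '%s\n' "${f#./}"; fi
      done )
}
```

With the bare glob, `ls` never lists `-ls` as a file because it was consumed as the `-l` and `-s` options, which matches the long listing in the post.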
Current thread:
- ls bug. Ehud Tenenbaum (Feb 15)
- Re: ls bug. Chris Faulhaber (Feb 15)
- Re: ls bug. Blue Boar (Feb 15)
- <Possible follow-ups>
- Re: ls bug. Ehud Tenenbaum (Feb 15)
- Re: ls bug. Crist J. Clark (Feb 16)
- Re: ls bug. Wodahs Latigid (Feb 15)
