Vulnerability Development mailing list archives

Re: ls bug.

From: "Wodahs Latigid" <wodahs () mail com>
Date: Fri, 15 Feb 2002 13:37:34 +0000

ls reading flags from filename which might lead to root backdoor as a
concept, i.e. cat >-ls;id and the wait for root to ls * .


Actually, its not ls reading from the filename,
but the shell appending the filenames as parameters.
Take for example:
$ ls
-la  123  312
$ ls *
-rw-r--r--    1 someone   users           0 Feb 15 07:24 123
-rw-r--r--    1 someone   users           0 Feb 15 07:24 312
$

The 'ls' command recieves "ls -la 123 321" (as the
shell expands the * wildcard with the names of the
files in the current directory). So this has the
same effect:
$ id *
id: invalid option -- l
Try `id --help' for more information.
$

Although this is a feature rather than a bug, that
doesn't mean that it can't be useful.

For example, say you have a search script that finds
all new files in a certain directory by issuing the
'ls -la *' command. If the attacker were to create
a directory called '-la', it would not be seen by
the script.


- Wodahs

-------------------------------------
http://www.ministryofpeace.co.uk/






-- 

_______________________________________________
Sign-up for your own FREE Personalized E-mail at Mail.com
http://www.mail.com/?sr=signup

Win a ski trip!
http://www.nowcode.com/register.asp?affiliate=1net2phone3a

Current thread:

ls bug. Ehud Tenenbaum (Feb 15)
- Re: ls bug. Chris Faulhaber (Feb 15)
- Re: ls bug. Blue Boar (Feb 15)
- <Possible follow-ups>
- Re: ls bug. Ehud Tenenbaum (Feb 15)
  - Re: ls bug. Crist J. Clark (Feb 16)
- Re: ls bug. Wodahs Latigid (Feb 15)