Bugtraq mailing list archives
Re: tee see shell problems
From: dsg () linus mitre org (David S. Goldberg)
Date: Mon, 16 Sep 1996 15:19:48 -0400
I just tested a variation of this exploit with bash 1.14.6(1) running on Linux 2.0.13. By using my variation I managed to become root. I find this frightening. In my variation I wasn't as subtle. To use a large portion of the original exploit. Hopefully things like this won't happen, but it is possible. I know that I will forever be much more careful when cd'ing from now on. This is a very simplistic example, but I am sure more difficult ones can be devised.
I tried the same with bash 1.14.6(1) on Solaris 2.5 (sparc, though theoretically it shouldn't matter), SunOS 4.1.4, BSDI 2.0.1 and IRIX 5.3, and was unable to perform the exploit using the * wildcard expansion (if I typed in the directory name with the backquote's directly, it did work, which I would expect). I ran bash under truss (on Solaris) and sure enough, the backquote expansion is simply not done. The * expansion generates the backquoted file name, which is passed to chdir. I was able to perform this exploit with tcsh 6.05 on all the above platforms, but not with tcsh 6.04. I don't know why it worked for bash under linux, but I don't have a linux box available to me to check it out. -- Dave Goldberg Post: The Mitre Corporation\MS B305\202 Burlington Rd.\Bedford, MA 01730 Phone: 617-271-3887 Email: dsg () mitre org
Current thread:
- tee see shell problems test (Sep 13)
- <Possible follow-ups>
- Re: tee see shell problems David S. Goldberg (Sep 16)
- Re: tee see shell problems Alan Cox (Sep 17)
- Re: tee see shell problems Oleg Girko (Sep 17)
- Re: tee see shell problems Paul Szabo (Sep 17)