Bugtraq mailing list archives
Re: [H-BUGTRAQ] Critical Security Problem in 4.4BSD crt0
From: sspoon () CLEMSON EDU (Lex Spoon)
Date: Mon, 3 Feb 1997 19:48:17 -0000
> From: A Bruce in the land of the Bruces <brucec () HUMBUG ORG AU>
>
> On Sun, 2 Feb 1997, Thomas H. Ptacek wrote:
> > There is a critically important security problem in FreeBSD 2.1.5's C
> > runtime support library that will enable anyone with control of the
> > environment of a process to cause it to execute arbitrary code. All
> > executable SUID programs on the system are vulnerable to this problem.
> >
> > On FreeBSD 2.1.5, startup locale processing is enabled by setting the
> > environment variable "ENABLE_STARTUP_LOCALE". "startup_setrunelocale()" is
> > called if the environment variable "LC_CTYPE" is set as well.
>
> Quick fix (for shell users), 'declare -r' all suspect environment
> variables to safe values in the system startup files for the shell.
This doesn't completely close the hole. In the following snippet, /bin/sh is
/bin/bash, in case that matters:

$ export FOO=short
$ echo $FOO
short
$ declare -r FOO
$ FOO=oaeundoautnhdoaeunthdoaeuthdoautnhd
bash: FOO: read-only variable
$ env FOO=oaeutnhdoeutnhdunthadutnohadoatnuehd sh
$ echo $FOO
oaeutnhdoeutnhdunthadutnohadoatnuehd
$

lex
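The transcript above shows why a shell-level 'declare -r' cannot protect a set-id binary: the environment it receives is whatever the caller of execve(2) chose to pass. The check that holds up has to live in the privileged program itself. The following is an added example, not code from this thread or from FreeBSD's crt0: it treats the two startup locale variables named in the thread (ENABLE_STARTUP_LOCALE, LC_CTYPE) as untrusted whenever real and effective ids differ. The drop-when-set-id policy and the function names are this example's assumptions, not 4.4BSD's actual fix.

```c
#ifndef _POSIX_C_SOURCE
#define _POSIX_C_SOURCE 200809L
#endif
#include <stdlib.h>
#include <unistd.h>

/* Variables the thread identifies as controlling startup locale loading.
 * Only these two are named on the page; the list is otherwise an assumption. */
static const char *const untrusted_locale_vars[] = {
    "ENABLE_STARTUP_LOCALE",
    "LC_CTYPE",
    NULL
};

/* Nonzero when the process was started set-uid or set-gid, i.e. its
 * environment was built by a caller with fewer privileges than it now has. */
int running_setid(void)
{
    return getuid() != geteuid() || getgid() != getegid();
}

/* When privileged, drop the untrusted locale variables from the process
 * environment before any startup code can consult them.
 * Returns the number of variables removed (0 when not set-id or none set). */
int scrub_locale_env(int setid)
{
    int removed = 0;
    if (!setid)
        return 0;
    for (const char *const *v = untrusted_locale_vars; *v != NULL; v++) {
        if (getenv(*v) != NULL) {
            unsetenv(*v);
            removed++;
        }
    }
    return removed;
}

/* Policy for a crt0-style startup path: load a locale from the environment
 * only when both variables are present AND the process is not set-id. */
int startup_locale_allowed(int setid)
{
    return !setid
        && getenv("ENABLE_STARTUP_LOCALE") != NULL
        && getenv("LC_CTYPE") != NULL;
}

int main(void)
{
    int setid = running_setid();
    scrub_locale_env(setid);              /* hardened path: nothing untrusted survives */
    return startup_locale_allowed(setid) ? 0 : 1;
}
```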