Bugtraq mailing list archives

Re: [H-BUGTRAQ] Critical Security Problem in 4.4BSD crt0


From: sspoon () CLEMSON EDU (Lex Spoon)
Date: Mon, 3 Feb 1997 19:48:17 -0000


  From: A Bruce in the land of the Bruces <brucec () HUMBUG ORG AU>

  On Sun, 2 Feb 1997, Thomas H. Ptacek wrote:

  > There is a critically important security problem in FreeBSD 2.1.5's C
  > runtime support library that will enable anyone with control of the
  > environment of a process to cause it to execute arbitrary code. All
  > executable SUID programs on the system are vulnerable to this problem.
  >
  > On FreeBSD 2.1.5, startup locale processing is enabled by setting the
  > environment variable "ENABLE_STARTUP_LOCALE". "startup_setrunelocale()" is
  > called if the environment variable "LC_CTYPE" is set as well.

  Quick fix (for shell users): 'declare -r' all suspect environment
  variables to safe values in the system startup files for the shell.


This doesn't completely close the hole.  In the following snippet,
/bin/sh is /bin/bash, in case that matters:

        $ export FOO=short
        $ echo $FOO
        short
        $ declare -r FOO
        $ FOO=oaeundoautnhdoaeunthdoaeuthdoautnhd
        bash: FOO: read-only variable
        $ env FOO=oaeutnhdoeutnhdunthadutnohadoatnuehd  sh
        $ echo $FOO
        oaeutnhdoeutnhdunthadutnohadoatnuehd
        $

lex
