Re: sperl 5.00503 (and newer ;) exploit

[Olaf Kirch <okir () CALDERA DE>]

On Sat, Aug 05, 2000 at 07:19:36PM +0200, Michal Zalewski wrote:
> c) /bin/mail has undocumented feature; if interactive=something, it will
>    interpret ~! sequence even if not running on the terminal;

Well, some "unfortunate" features come back again and again. I recall
INN's control scripts used to have a similar problem, three years ago.

I'm sort of torn between whether to blame sperl for using mail rather
than syslog, or for doing so without cleaning up the environment.
Apart from the ~! expansion problem, there seems to be at least
another one lurking which is that it'll try to load ~/.mailrc, and
~ is replaced with the value of $HOME.

Any setuid root program that does an exec() somewhere is just a less
user friendly version of su. I have a wonderful proof of this claim,
but unfortunately the margin is too small to hold it :-)

Olaf
--
Olaf Kirch         |  --- o --- Nous sommes du soleil we love when we play
okir () monad swb de  |    / | \   sol.dhoop.naytheet.ah kin.ir.samse.qurax
okir () caldera de    +-------------------- Why Not?! -----------------------
         UNIX, n.: Spanish manufacturer of fire extinguishers.