Re: Directory name problem...

Michael H. Warfield (mhw@wittsend.com)
Sun, 25 Oct 1998 19:25:51 -0500 (EST)


Khimenko Victor enscribed thusly:
> 25-Oct-98 20:01 you wrote:
> > Hi Michael.

> >>> % Already tried, and he's not interested, but I did find out what script
> >>> % he's using...
> >>> %
> >>> % Q> #!/bin/sh
> >>> % Q> XYZZY="`find / -name core`"
> >>> % Q> for LOOP in `find $XYZZY | sort -ru` ; do
> >>> % Q> rm -fr $LOOP
> >>> % Q> done

> >> You have GOT to be kidding me!?!?!

> > Crazy as it sounds, nope...

> >> Oh beautiful! How about this instead... If you know the name
> >> of the script (say /usr/local/stupid_BOFH_admin/rmcore) then use this
> >> instead:

> >> mkdir -p "BOFH /usr/local/stupid_BOFH_admin/rmcore /core"

> >> Or how about this:

> >> mkdir -p '"BOFH | chmod 666 /etc/passwd" /core'

> >> Or...

> >> mkdir -p '"BOFH ; chmod 666 /etc/passwd" /core'

> >> Watch precise quoting carefully. That may take a little fine
> >> tuning but you get the point...

> > How about...

> Guys, please try to avoid showing your BAD script-writing knowledge when you
> criticize scripts written by others. Of course this script will allow you to
> remove [almost] any file in the system, but this script WILL NOT ALLOW you to
> execute commands as root. Why? You are joking? You really could not
> understand? Ok. Take a look:

I was making a point, not providing a recipe to burn someone. I even
mentioned that it may "take a little fine tuning but you get the point."

Apparently you didn't. The point was that this clown did NOT quote
a shell variable expansion. I intentionally did not point specifically at
that and left it to be a homework exercise. It doesn't MATTER that the
exact string I provided wouldn't work. It really wasn't worth the trouble to
provide a live fire exploit and might potentially cause problems. What was
important was the idea that shell meta characters were not even being
considered in the discussion. Unquoted shell variables are an invitation
to disaster. Are you implying that his code is totally immune to shell
meta character exploits? If you are that serious, I'll let some of my
engineers at Internet Security Systems loose and let them come up with
a few LIVE examples to entertain you.

And I have much MUCH more destructive toys in my arsenal... (How
about hashing his entire partition so you can't even recover the superblock).

I personally think that it would be much more appropriate for him
to squash his sysadmin before that dude finds a way to be the subject of one
of my security advisories... With that level of incompetence, I doubt he
(the BOFH) will ever rise to that level of prominence, but one can never tell.
Stupidity and incompetence somehow seem to find a way to rise to the surface.

> -- cut --
> ++ find / -name core
> + XYZZY=/tmp/"BOFH | chmod 666 /etc/passwd" /core
> ++ find '/tmp/"BOFH' '|' chmod 666 '/etc/passwd"' /core
> find: /tmp/"BOFH: No such file or directory
> find: |: No such file or directory
> find: chmod: No such file or directory
> find: 666: No such file or directory
> find: /etc/passwd": No such file or directory
> find: /core: No such file or directory
> ++ sort -ru
> -- cut --
>
> See? All metacharacters are correctly hidden by bash ... Not in the XYZZY= line
> though, but this is a minor error in "set -x"... So all your commands will not
> be executed... But you still could remove any file of your choice :-)) This
> should be enough...

It IS more than enough to be able to remove arbitrary files. Like
another reader remarked, let's not be pikers, let's "rm -rf /". The idea
of removing /dev is amusing as well. It doesn't destroy any information;
everything is totally recoverable. And it's annoying as hell. I LIKE IT.
It really does beat some of the really destructive ideas I would apply to
the problem (I tend toward overkill - it saves wear and tear on the cripples).

To say that bash hides all the meta characters is still making a
brash assumption, though. It remains possible, although possibly difficult,
to set up the correct combinations of meta characters and quotes to execute
arbitrary user commands or scripts... It makes for an amusing hobby that
I just happen to get paid to do... :-)

Mike

-- 
 Michael H. Warfield    |  (770) 985-6132   |  mhw@WittsEnd.com
  (The Mad Wizard)      |  (770) 925-8248   |  http://www.wittsend.com/mhw/
  NIC whois:  MHW9      |  An optimist believes we live in the best of all
 PGP Key: 0xDF1DD471    |  possible worlds.  A pessimist is sure of it!
--
Michael H. Warfield,                | Voice: (678)443-6000  (678)443-6123
Senior Researcher - X-Force         | Fax:   (678)443-6477
Internet Security Systems, Inc.     | E-Mail:  mhw@iss.net  mhw@wittsend.com
6600 Peachtree Dunwoody RD NE       | http://www.iss.net/
300 Embassy Row, Suite 500          | http://www.wittsend.com/mhw/
Atlanta, GA 30328                   | PGP Key: 0xDF1DD471

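The quoting defect the thread argues about, as an added demonstration that is not code from the thread: the unquoted find/rm loop beside a hardened rewrite, both run only inside a throwaway directory from mktemp. The sandbox layout, file names and function names are constructed for this example.

```shell
#!/bin/sh
# Constructed demo (added here; not the script from the thread): the
# unquoted find/rm loop versus a hardened rewrite, run only inside a
# throwaway directory from mktemp so nothing else on the host is touched.

# Lay out the sandbox: an unrelated file, and a directory tree whose names
# contain spaces so the path find reports splits into other words.
make_sandbox() {
    SANDBOX=$(mktemp -d) || return 1
    mkdir -p "$SANDBOX/victim"
    : > "$SANDBOX/victim/important.txt"
    # Components: "user", "x .", "victim", "important.txt ", "core"
    # (the parent-with-spaces layout of the thread's mkdir -p example).
    mkdir -p "$SANDBOX/user/x ./victim/important.txt /core"
    printf '%s\n' "$SANDBOX"
}

# The pattern quoted above, with "/" replaced by the sandbox. $XYZZY and
# $LOOP are unquoted, so "./user/x ./victim/important.txt /core" becomes
# three arguments and rm is pointed at ./victim/important.txt instead.
vulnerable_cleanup() (
    cd "$1" || exit 1
    XYZZY="`find . -name core`"
    for LOOP in `find $XYZZY 2>/dev/null | sort -ru` ; do
        rm -fr $LOOP
    done
)

# Hardened form: no path ever passes through word splitting. find hands
# each match to rm as one argument, and -prune stops it descending into a
# directory it is about to delete.
safe_cleanup() (
    cd "$1" || exit 1
    find . -name core -prune -exec rm -rf {} +
)

# Stand-alone run: report what each variant did to the sandbox.
if [ "${1-}" = demo ]; then
    for variant in vulnerable_cleanup safe_cleanup; do
        S=$(make_sandbox)
        "$variant" "$S"
        [ -e "$S/victim/important.txt" ] && r="kept" || r="DELETED"
        echo "$variant: unrelated file $r"
        rm -rf "$S"
    done
fi
```

Run it as `sh demo.sh demo`: the first variant deletes the unrelated file and leaves the real "core" directory in place, the second does the reverse.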