Home page logo

bugtraq logo Bugtraq mailing list archives

Re: tee see shell problems
From: dsg () linus mitre org (David S. Goldberg)
Date: Mon, 16 Sep 1996 15:19:48 -0400

I just tested a variation of this exploit with bash 1.14.6(1)
running on Linux 2.0.13.  By using my variation I managed to become
root. I find this frightening.  In my variation I wasn't as subtle.
To use a large portion of the original exploit.  Hopefully things
like this won't happen, but it is possible.  I know that I will
forever be much more careful when cd'ing from now on.  This is a
very simplistic example, but I am sure more difficult ones can be

I tried the same with bash 1.14.6(1) on Solaris 2.5 (sparc, though
theoretically it shouldn't matter), SunOS 4.1.4, BSDI 2.0.1 and IRIX
5.3, and was unable to perform the exploit using the * wildcard
expansion (if I typed in the directory name with the backquote's
directly, it did work, which I would expect).  I ran bash under truss
(on Solaris) and sure enough, the backquote expansion is simply not
done.  The * expansion generates the backquoted file name, which is
passed to chdir.  I was able to perform this exploit with tcsh 6.05 on
all the above platforms, but not with tcsh 6.04.  I don't know why it
worked for bash under linux, but I don't have a linux box available to
me to check it out.

Dave Goldberg
Post: The Mitre Corporation\MS B305\202 Burlington Rd.\Bedford, MA 01730
Phone: 617-271-3887
Email: dsg () mitre org

  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]