Re: [H-BUGTRAQ] Critical Security Problem in 4.4BSD crt0
From: sspoon () CLEMSON EDU (Lex Spoon)
Date: Mon, 3 Feb 1997 19:48:17 -0000
From: A Bruce in the land of the Bruces <brucec () HUMBUG ORG AU>
On Sun, 2 Feb 1997, Thomas H. Ptacek wrote:
> There is a critically important security problem in FreeBSD 2.1.5's C
> runtime support library that will enable anyone with control of the
> environment of a process to cause it to execute arbitrary code. All
> executable SUID programs on the system are vulnerable to this problem.
> On FreeBSD 2.1.5, startup locale processing is enabled by setting the
> environment variable "ENABLE_STARTUP_LOCALE". "startup_setrunelocale()" is
> called if the environment variable "LC_CTYPE" is set as well.
Quick fix (for shell users): 'declare -r' all suspect environment
variables to safe values in the system startup files for the shell.
This doesn't completely close the hole. In the following snippet,
/bin/sh is /bin/bash, in case that matters:
$ export FOO=short
$ echo $FOO
$ declare -r FOO
bash: FOO: read-only variable
$ env FOO=oaeutnhdoeutnhdunthadutnohadoatnuehd sh
$ echo $FOO
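The snippet above makes the thread's point: a read-only variable in the parent shell says nothing about what a child process inherits, so the fix has to live in the privileged program, not in the user's shell. The following is an added example, not FreeBSD's crt0 nor the actual fix shipped for it: a hypothetical startup-locale decision routine that mirrors the two variables named in the advisory (ENABLE_STARTUP_LOCALE and LC_CTYPE) and adds the checks a set-uid program needs. The length bound, the allowed character set, the function names and the portable uid/euid comparison are all assumptions of this example; on the BSDs, issetugid(2) is the call to use.

```c
#include <ctype.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>

/* Hypothetical locale-name policy for this example (not FreeBSD's):
 * non-empty, bounded length, only [A-Za-z0-9_.-], so a value can never
 * name a path outside the locale directory or overrun a fixed buffer. */
#define LOCALE_NAME_MAX 31

int locale_name_ok(const char *name) {
    size_t n, i;
    if (name == NULL) return 0;
    n = strlen(name);
    if (n == 0 || n > LOCALE_NAME_MAX) return 0;
    for (i = 0; i < n; i++) {
        unsigned char c = (unsigned char)name[i];
        if (!(isalnum(c) || c == '_' || c == '.' || c == '-')) return 0;
    }
    return 1;
}

/* 1 if this process gained privilege through set-uid or set-gid.
 * On the BSDs issetugid(2) is the right primitive (it stays true even
 * after privilege is dropped); the uid/gid comparison is the portable
 * approximation used here so the example also builds on Linux. */
int running_privileged(void) {
#if defined(__FreeBSD__) || defined(__OpenBSD__) || defined(__NetBSD__)
    return issetugid();
#else
    return getuid() != geteuid() || getgid() != getegid();
#endif
}

/* Pure decision function, so the policy can be exercised without touching
 * the real environment.  Returns the locale name to load, or NULL to stay
 * with the "C" locale.  The privilege test is the check whose absence lets
 * an attacker-controlled environment steer a set-uid program's startup. */
const char *choose_startup_locale(const char *enable, const char *lc_ctype,
                                  int privileged) {
    if (privileged) return NULL;          /* never honour env in a set-uid process */
    if (enable == NULL) return NULL;      /* feature stays off unless enabled */
    if (!locale_name_ok(lc_ctype)) return NULL;
    return lc_ctype;
}

/* Thin wrapper over the real environment and real credentials. */
const char *startup_locale_from_env(void) {
    return choose_startup_locale(getenv("ENABLE_STARTUP_LOCALE"),
                                 getenv("LC_CTYPE"),
                                 running_privileged());
}

int main(void) {
    const char *l = startup_locale_from_env();
    printf("startup locale: %s\n", l ? l : "(none, staying in the C locale)");
    return 0;
}
```

Run it as an ordinary user with ENABLE_STARTUP_LOCALE=1 LC_CTYPE=en_US.ISO8859-1 and it reports that locale; install the same binary set-uid and the environment is ignored entirely, which is the property no amount of 'declare -r' in /etc/profile can provide, since 'env VAR=... program' builds the child's environment directly.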