Bugtraq mailing list archives

Re: [H-BUGTRAQ] Critical Security Problem in 4.4BSD crt0
From: sspoon () CLEMSON EDU (Lex Spoon)
Date: Mon, 3 Feb 1997 19:48:17 -0000

  From: A Bruce in the land of the Bruces <brucec () HUMBUG ORG AU>

  On Sun, 2 Feb 1997, Thomas H. Ptacek wrote:

  > There is a critically important security problem in FreeBSD 2.1.5's C
  > runtime support library that will enable anyone with control of the
  > environment of a process to cause it to execute arbitrary code. All
  > executable SUID programs on the system are vulnerable to this problem.
  > On FreeBSD 2.1.5, startup locale processing is enabled by setting the
  > environment variable "ENABLE_STARTUP_LOCALE". "startup_setrunelocale()" is
  > called if the environment variable "LC_CTYPE" is set as well.

  Quick fix (for shell users), 'declare -r' all suspect environment
  variables to safe values in the system startup files for the shell.

This doesn't completely close the hole.  In the following snippet,
/bin/sh is /bin/bash, in case that matters:

        $ export FOO=short
        $ echo $FOO
        $ declare -r FOO
        $ FOO=oaeundoautnhdoaeunthdoaeuthdoautnhd
        bash: FOO: read-only variable
        $ env FOO=oaeutnhdoeutnhdunthadutnohadoatnuehd  sh
        $ echo $FOO
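The point of the snippet above, as an added, runnable example that is not part of the original post or of the Bugtraq thread: the read-only attribute is state inside one shell's variable table, while execve(2) takes whatever envp the calling program builds. env(1) builds its own envp, and so can any other program, so the guard never reaches the setuid binary. The script uses POSIX `readonly` rather than bash's `declare -r` (same attribute) so it runs under any sh; the variable names GUARD, SAFE_VALUE and HOSTILE_VALUE are the example's own, not anything from the thread.

```shell
#!/bin/sh
# Added example (not from the original post): why a shell-level
# 'readonly' / 'declare -r' guard cannot protect a setuid program from a
# hostile environment. The read-only flag lives only in this shell's own
# variable table; execve(2) receives whatever envp the caller hands it.
# GUARD, SAFE_VALUE and HOSTILE_VALUE are names invented for this example.

SAFE_VALUE=short
HOSTILE_VALUE=AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA

# What a "locked down" system-wide shell startup file would do.
GUARD=$SAFE_VALUE
export GUARD
readonly GUARD

# 1. Inside this shell the guard holds: the assignment is rejected.
#    Run in a subshell because some sh implementations treat assignment
#    to a read-only variable as fatal and would abort the whole script.
#    Returns either the safe value or nothing, never the hostile one.
in_shell_override() {
    ( GUARD=$HOSTILE_VALUE; printf '%s' "$GUARD" ) 2>/dev/null
}

# 2. A child started through env(1) gets env's envp, not this shell's
#    table: the child sees the hostile value, exactly as in the post.
child_via_env() {
    env GUARD="$HOSTILE_VALUE" sh -c 'printf "%s" "$GUARD"'
}

# 3. Even a plain child shell inherits only the *value* through the
#    environment; the read-only attribute itself does not cross execve,
#    so the child may reassign freely and pass the hostile value on to
#    whatever it execs next (a setuid binary included).
child_plain_sh() {
    sh -c 'GUARD='"$HOSTILE_VALUE"'; printf "%s" "$GUARD"'
}

printf 'this shell, override attempt -> "%s"\n' "$(in_shell_override)"
printf 'child via env(1)             -> "%s"\n' "$(child_via_env)"
printf 'plain child sh, reassigned   -> "%s"\n' "$(child_plain_sh)"
```

Because the environment is assembled by whichever process calls execve(2), and the locale processing Ptacek describes runs in crt0 before main(), no caller-side discipline (shell startup files, read-only attributes, a sanitised login shell) can stand in for a fix in the C runtime itself: the privileged program, or the startup code it is linked with, has to be the thing that refuses to trust those variables.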

