On Sat, Jan 01, 2000 at 02:04:37PM -0800, Blue Boar wrote:
> # unlink -proc
The traditional solution is:

    rm ./-proc
> So, I wonder what other kinds of traps can be laid for the root
> user or cron jobs, etc... For example, here's a line from my
> S05RMTMPFILES in /etc/rc2.d dir, on a Solaris 2.6 machine.
> (Which is where this behavior was noticed):
>
> /usr/bin/rm -rf /tmp/*
There is an old trick of putting a file called ``-i'' in your
important directories. That way if you accidentally do a ``rm -rf
*'' you will be saved.

Due to the order of expansion in the shell you can't play too
many tricks on root. Something like:

    rm /tmp/*

with a file in /tmp called ``; rm -rf ..'' will not do bad
things. You can still cause lots of problems for poorly written
programs. For example if you had the file mentioned above and a
program that did something like:

    os.system("rm %s" % filename) # Python code

you can imagine what would happen. I wouldn't be surprised to
see code like this around.
> So, if I can place an interestingly named file in /tmp
> (and anyone can) can I get interesting things to happen
> when the machine reboots.
I would hope that the scripts with your OS are more secure than
that. My Debian box uses "find" with "-exec rm -rf -- {} \;".
> For example, can I get a file with spaces in it? How about
> the | (vertical bar) character? How about a ; ?
Of course. AFAIK, the only character disallowed in Unix
filenames is ``/''. NULL is probably also a problem due to C
libraries. It is probably safe to assume that NULLs cannot be in
filenames.
> Is this a really old "feature" that everyone knows about except me?
There are always questions about this in comp.unix.shell. It is
explained in the FAQ.
When writing scripts, "special" characters are a pain due to the
fact the Bourne shell keeps expanding parameters. The Plan 9 rc
shell is much nicer in this regard. Unfortunately it is not
widely used. If you are writing shell code you have to remember
to quote everything. Some useful programs and options I use are:

    xargs -0
    perl -0
    find -print0

For example:

    find /tmp -name '*.bak' -print0 | perl -n0e unlink

is pretty safe. Unfortunately I think the find and xargs options
are GNU extensions.
Neil
--
"Only two things are infinite, the universe and human stupidity, and
I'm not sure about the former." - Albert Einstein
Received on Jan 01 2000
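
Added example, not part of the original message: three ways to delete files whose names look like options or contain shell metacharacters, as safe counterparts to the os.system("rm %s" % filename) pattern quoted above. The file names, function names and scratch directory are constructed for illustration, and an rm that honours "--" is assumed.

```python
import os
import shlex
import subprocess
import tempfile

# Constructed sample names: option look-alikes and shell metacharacters.
HOSTILE_NAMES = ["-i", "-proc", "; echo INJECTED", "a b|c", "two\nlines"]

def make_dir_with(names):
    """Create a scratch directory holding one empty file per name."""
    d = tempfile.mkdtemp(prefix="names-demo-")
    for n in names:
        open(os.path.join(d, n), "w").close()
    return d

def remove_with_unlink(directory):
    """No shell, no option parsing: each path goes straight to unlink(2)."""
    for entry in os.scandir(directory):
        if entry.is_file(follow_symlinks=False):
            os.unlink(entry.path)
    return os.listdir(directory)

def remove_with_rm(directory):
    """External rm with argv passed as a list; '--' ends option parsing."""
    names = os.listdir(directory)
    if names:
        subprocess.run(["rm", "-f", "--", *names], cwd=directory, check=True)
    return os.listdir(directory)

def quoted_command(name):
    """If a shell string is unavoidable, quote the name and keep '--'."""
    return "rm -f -- " + shlex.quote(name)

def remove_with_quoted_shell(directory):
    """Shell is involved, but every name is a single quoted word."""
    for n in os.listdir(directory):
        subprocess.run(quoted_command(n), shell=True, cwd=directory, check=True)
    return os.listdir(directory)

if __name__ == "__main__":
    for fn in (remove_with_unlink, remove_with_rm, remove_with_quoted_shell):
        d = make_dir_with(HOSTILE_NAMES)
        print(fn.__name__, "left over:", fn(d))  # empty list when all removed
        os.rmdir(d)
```

Each function returns the directory listing after deletion, so an empty list means every constructed name was handled as plain data.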