
Bugtraq mailing list archives
Re: SunOS exploit.
From: dreish () IZZY NET (Daniel Reish)
Date: Tue, 20 May 1997 05:40:32 -0400
On Sun, 18 May 1997, Trevor Linton wrote:
[...]
> tcsh and some other shells I remember don't allow USER and LOGNAME modifying. :\
> Anyways here's a rough patch:
[...]
> 3) possibly get the programmers of bash to fix it so USER and LOGNAME can't be modified unless it's super-user.

This isn't a fix. Anyone who could understand this vulnerability well enough to exploit it would also understand how to use execve(2). Security doesn't come from user programs like the shell. It comes from the OS. (One hopes it does, at least.) In this case, the fix is to realize that environment variables don't contain trusted information, and to bear this in mind while rewriting the broken passwd commands.

In a way, the act of "fixing" shells to paper over this fact has the potential to do more damage than good, since it might lull some programmers into believing that $USER really _is_ to be trusted. It certainly won't stop any attacker with the least bit of determination.

-- Dan
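Added example, not part of the original post or of any vendor's passwd source: a minimal C sketch of the authorization check the reply argues for, keyed on the real UID from the kernel, with $USER and $LOGNAME only compared against it for auditing. The function names caller_may_modify and env_claim_is_false are hypothetical.

```c
#include <pwd.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/types.h>
#include <unistd.h>

/* Hypothetical helper: authorization for a passwd-style tool, keyed on the
 * real UID the kernel reports, never on the environment. Returns 1 if
 * `caller` may modify the account named `target`, else 0. */
int caller_may_modify(uid_t caller, const char *target)
{
    struct passwd *pw = target ? getpwnam(target) : NULL;
    if (pw == NULL)
        return 0;                       /* unknown account: deny */
    return caller == 0 || pw->pw_uid == caller;
}

/* Hypothetical audit helper: returns 1 when the name claimed through
 * $USER/$LOGNAME does not resolve to the caller's UID, i.e. the
 * environment disagrees with what the kernel knows. */
int env_claim_is_false(uid_t caller, const char *claimed)
{
    struct passwd *pw = claimed ? getpwnam(claimed) : NULL;
    return pw == NULL || pw->pw_uid != caller;
}

int main(int argc, char **argv)
{
    uid_t me = getuid();                /* set by the kernel, not the parent */
    const char *vars[] = { "USER", "LOGNAME" };

    for (size_t i = 0; i < 2; i++) {
        /* Whatever the parent passed to execve(2); informational only. */
        const char *claimed = getenv(vars[i]);
        printf("%s=%s: %s\n", vars[i], claimed ? claimed : "(unset)",
               env_claim_is_false(me, claimed) ? "disagrees with real UID"
                                               : "matches real UID");
    }
    if (argc > 1) {                     /* target account named on the command line */
        int ok = caller_may_modify(me, argv[1]);
        printf("uid %lu %s modify %s\n", (unsigned long)me,
               ok ? "may" : "may not", argv[1]);
        return ok ? 0 : 1;
    }
    return 0;
}
```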