A security hole
Daniel R. Levy
levy at ttrdc.UUCP
Fri Mar 11 16:37:15 AEST 1988
In article <357 at pedsga.UUCP>, chip at pedsga.UUCP writes:
> Mild flames accepted for the following statement:
OK, here's a flick of my Bic.
# "Nothing which is 'builtin' to the shell is guaranteed to stay builtin."
# Since many (okay some) UNIX sites also have a source license, if you
# recompile the shell after altering msg.c (change the "pwd" builtin to
# "_pwd" or whatever), then it seems that a call to getcwd would execute
# the pwd in your carefully, although mischiefously (is that a word?)
# setup path to get the desired root privileges.
If you can replace /bin/sh you already have privileges (and /bin/sh is
surely not the only or even the easiest place a system cracker could plant
a Trojan horse under those circumstances), or a system admin was verrrry
careless with permissions on /bin or /bin/sh. If you have your own doctored
copy of "sh" it does you no good if it isn't in /bin/sh. (popen explicitly
uses "/bin/sh").
--
|------------Dan Levy------------| Path: ..!{akgua,homxb,ihnp4,ltuxa,mvuxa,
| an Engihacker @ | <most AT&T machines>}!ttrdc!ttrda!levy
| AT&T Computer Systems Division | Disclaimer? Huh? What disclaimer???
|--------Skokie, Illinois--------|
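The exchange above turns on how getcwd(3) of that era obtained the directory name: by running "pwd" through popen(3), which always invokes /bin/sh, so the only thing that matters is what /bin/sh does when asked for "pwd". The defensive answer is to not spawn a shell at all. The following is an added example, not code from the posting or from any AT&T library: a getcwd replacement that walks ".." until the device and inode stop changing (the root) and at each level finds the child whose device and inode match the directory it came from. The names safe_getcwd and check_against_libc are hypothetical; it assumes a POSIX.1-2008 system (fstatat, dirfd) and compares its answer against the C library's getcwd.

```c
#define _POSIX_C_SOURCE 200809L
#include <dirent.h>
#include <fcntl.h>      /* AT_SYMLINK_NOFOLLOW */
#include <limits.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

#ifndef PATH_MAX
#define PATH_MAX 4096
#endif

/* Hypothetical helper (not from the posting). Writes the absolute path of the
 * working directory into buf. No shell, no PATH search, no popen involved.
 * Returns 0 on success, -1 on failure. */
int safe_getcwd(char *buf, size_t size) {
    char up[PATH_MAX] = ".";        /* relative path of the ancestor being examined */
    char result[PATH_MAX] = "";     /* components accumulated right-to-left */
    struct stat cur, parent;

    if (stat(up, &cur) < 0)
        return -1;

    for (;;) {
        char parent_path[PATH_MAX];
        int n = snprintf(parent_path, sizeof parent_path, "%s/..", up);
        if (n < 0 || (size_t)n >= sizeof parent_path)
            return -1;
        if (stat(parent_path, &parent) < 0)
            return -1;
        /* The root is its own parent: same device and inode means we are done. */
        if (parent.st_dev == cur.st_dev && parent.st_ino == cur.st_ino)
            break;

        DIR *d = opendir(parent_path);
        if (d == NULL)
            return -1;
        int found = 0;
        struct dirent *e;
        while ((e = readdir(d)) != NULL) {
            struct stat st;
            if (strcmp(e->d_name, ".") == 0 || strcmp(e->d_name, "..") == 0)
                continue;
            /* Stat by name so a mount point resolves to the mounted root, and
             * do not follow symlinks, so a link that points at cur can never
             * be mistaken for cur's real name. */
            if (fstatat(dirfd(d), e->d_name, &st, AT_SYMLINK_NOFOLLOW) < 0)
                continue;
            if (st.st_dev == cur.st_dev && st.st_ino == cur.st_ino) {
                char tmp[PATH_MAX];
                n = snprintf(tmp, sizeof tmp, "/%s%s", e->d_name, result);
                if (n < 0 || (size_t)n >= sizeof tmp) {
                    closedir(d);
                    return -1;
                }
                memcpy(result, tmp, (size_t)n + 1);
                found = 1;
                break;
            }
        }
        closedir(d);
        if (!found)
            return -1;              /* parent unreadable, or cwd was unlinked */
        memcpy(up, parent_path, strlen(parent_path) + 1);
        cur = parent;
    }

    if (result[0] == '\0')          /* walked zero levels: we were in "/" */
        strcpy(result, "/");
    if (strlen(result) + 1 > size)
        return -1;
    memcpy(buf, result, strlen(result) + 1);
    return 0;
}

/* Hypothetical check helper: chdir into dir, compare safe_getcwd with the C
 * library's getcwd, then restore the original directory. Returns 1 on match. */
int check_against_libc(const char *dir) {
    char saved[PATH_MAX], ours[PATH_MAX], libc[PATH_MAX];
    if (getcwd(saved, sizeof saved) == NULL || chdir(dir) < 0)
        return 0;
    int ok = safe_getcwd(ours, sizeof ours) == 0 &&
             getcwd(libc, sizeof libc) != NULL &&
             strcmp(ours, libc) == 0;
    if (chdir(saved) < 0)
        return 0;
    return ok;
}

int main(void) {
    char cwd[PATH_MAX];
    if (safe_getcwd(cwd, sizeof cwd) == 0)
        printf("%s\n", cwd);
    return 0;
}
```

The walk needs read permission on every ancestor directory, which is the same requirement the shell's "pwd" had; what it removes is the dependence on /bin/sh's behaviour and on whatever "pwd" resolves to there.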