Netscape 6.01A ksh "here document" vulnerability.

From: Larry W. Cashdollar (lwcat_private)
Date: Tue Aug 28 2001 - 05:51:55 PDT


       Here is another example of the ksh "here document" vulnerability. 
    Except it is for Netscape 6.01a on Solaris 2.x.  This creates the same
    symlink vulnerability as the previous patchadd post.  Except you're more
    likely to destroy user files rather than system files. 
    
    run-mozilla.sh creates a "here document" in function moz_usage().
    
    #!/bin/sh
    ---snip--
    .
    .
    .
    
    moz_usage()
    {
    
      cat << EOF
    
    Usage:  ${cmdname} [options] [program]
    
      options:
    
    -snip-
    .
    .
    . 
    EOF
    
    Temp dir listing:
    
    pangea #ls -l /tmp
    -rw-r--r--   1 lwc     user        399 Aug 28 08:38 sh10040
    
    Truss output:
    
    1004:   stat64("/tmp/sh10040", 0xFFBEEDD8)              Err#2 ENOENT
    1004:   creat64("/tmp/sh10040", 0666)                   = 3
    1004:   unlink("/tmp/sh10040")                          = 0
    
    
    Solution? Use echo or another shell.
    
    
    -- Larry
       http://vapid.dhs.org:8080
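As an added example (not code from the post or from Netscape's run-mozilla.sh): the moz_usage() here document beside an output-identical printf version, which is the "use echo" fix the post suggests, plus a check that the two emit the same text. The cmdname variable and the usage text after the snip are assumed/constructed stand-ins.

```shell
#!/bin/sh
# Added example, not part of the original post or of run-mozilla.sh.
# ksh88 spools a here document to a predictable /tmp/sh<pid> file with
# creat(2) and no O_EXCL, which is the symlink window the truss output
# shows. printf keeps the text inside the shell process and touches no file.
# The usage lines below are a constructed stand-in for the snipped original.

cmdname=${cmdname:-run-mozilla.sh}   # assumption: set by the real script

# Original style: here document (vulnerable on ksh88 as described above).
usage_heredoc()
{
  cat << EOF

Usage:  ${cmdname} [options] [program]

  options:

  -h   print this message
EOF
}

# Hardened style: same text, emitted with printf, so no temp file is made.
usage_printf()
{
  printf '\nUsage:  %s [options] [program]\n\n  options:\n\n  -h   print this message\n' "$cmdname"
}

# Check that the rewrite is output-identical to the here-document version,
# so the fix can be applied without changing the script's behaviour.
# Prints "same" or "different".
usage_equivalent()
{
  if [ "$(usage_heredoc)" = "$(usage_printf)" ]; then
    echo same
  else
    echo different
  fi
}
```

The same substitution applies to any other here document in the script; a shell that does not spool here documents to /tmp is the other option the post names.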
    



    This archive was generated by hypermail 2b30 : Tue Aug 28 2001 - 20:23:37 PDT