Greetings,

BOS (Binary Overflow Scanner), made by the 2xs Security team, found a new bug in the "ls" binary. We tested it on Slackware 8.0 and Red Hat 7.2; both have this bug.

Let's get down to business:

bash-2.04$ id
uid=100(w00p) gid=100(users) groups=100(users)
bash-2.04$ ls *
BOS                     exam       exim.log.old   pwck.log.old  ssh1.log  sudo.log  uuchk.log
BOS-Linux-i686-dyanmic  examine.c  exim.log]      rcp?.log      strace    suid      uustat.log
chsh.log                exim.log   procmail.log?  ssh.log       su.log    test      uuxqt.log
bash-2.04$

So far so good.

bash-2.04$ cat >-ls
^D
bash-2.04$
bash-2.04$ ls *
0 lrwxrwxrwx 1 root root 22 Feb 10 12:37 BOS -> BOS-Linux-i686-dyanmic
20 -rwxr-xr-x 1 root root 18258 Feb 11 11:38 BOS-Linux-i686-dyanmic
4 -rw-r--r-- 1 w00p users 226 Feb 11 21:14 chsh.log
16 -rwxr-xr-x 1 root root 12984 Feb 11 05:44 exam
4 -rw-r--r-- 1 root root 1759 Feb 11 05:44 examine.c
1492 -rw-r--r-- 1 w00p users 1520686 Feb 11 05:13 exim.log
1492 -rw-r--r-- 1 w00p users 1520686 Feb 12 11:30 exim.log.old
1476 -rw-r--r-- 1 w00p users 1504901 Feb 12 11:32 exim.log]
4 -rw-r--r-- 1 w00p users 187 Feb 12 04:18 procmail.log?
8 -rw-r--r-- 1 w00p users 6772 Feb 10 08:11 pwck.log.old
4 -rw-r--r-- 1 w00p users 226 Feb 12 00:53 rcp?.log
4 -rw-r--r-- 1 root root 226 Feb 11 13:17 ssh.log
4 -rw-r--r-- 1 root root 226 Feb 11 16:47 ssh1.log
4 -rw-r--r-- 1 root root 187 Feb 12 02:48 strace
4 -rw-r--r-- 1 w00p users 187 Feb 10 13:05 su.log
4 -rw-r--r-- 1 w00p users 226 Feb 12 11:43 sudo.log
4 -rw-r--r-- 1 w00p users 687 Feb 10 09:40 suid
4 -rw-r--r-- 1 root root 9 Feb 11 06:16 test
4 -rw-r--r-- 1 w00p users 226 Feb 12 04:17 uuchk.log
4 -rw-r--r-- 1 w00p users 226 Feb 12 12:59 uustat.log
88 -rw-r--r-- 1 w00p users 83272 Feb 12 09:39 uuxqt.log
bash-2.04$

ls reads flags from a filename, which might lead to a root backdoor as a concept, i.e. cat >-ls;id and then wait for root to run ls * . Again, this is only an idea; we couldn't get it to work just yet. Nevertheless, it's still a bug and can be very dangerous.

This bug was found by the 2xs Security Research team using the BOS program, soon to be an open source project.

Should anyone have any questions or comments, email us: Ehud Tenenbaum <analyzerat_private> and/or Izik <izikat_private> and/or Mixter <mixterat_private>

--
------------
Ehud Tenenbaum
C.T.O & Project Manager
2xs LTD.
Tel: 972-9-9519980
Fax: 972-9-9519982
E-Mail: ehudat_private
------------
Have A Safe Day

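The listing above changes because the shell expands * before ls runs, so the file named -ls reaches ls as an argument and is parsed as the options -l and -s. As an added example (not part of the original post; the sample directory and the function names are constructed for illustration), this script lists the dash-leading names in a directory and shows the two standard ways to keep a glob from being read as options:

```shell
#!/bin/sh
# Added example (not from the original post): dash-leading filenames and globs.

# Build a constructed sample directory: two ordinary files plus one named "-ls".
make_demo_dir() {
    d=$(mktemp -d) || return 1
    : > "$d/a.log"
    : > "$d/b.log"
    : > "$d/-ls"          # same name the post creates with: cat >-ls
    printf '%s\n' "$d"
}

# Audit: print each name in directory $1 that starts with '-', i.e. every
# name that a bare "*" would hand to a command as if it were an option.
dash_names() {
    for f in "$1"/-*; do
        # An unmatched glob stays literal; keep only entries that exist.
        if [ -e "$f" ] || [ -L "$f" ]; then
            printf '%s\n' "${f##*/}"
        fi
    done
}

# The behaviour from the post: the shell expands * and ls parses "-ls" as -l -s.
unsafe_ls() { ( cd "$1" && LC_ALL=C && export LC_ALL && ls * ); }

# Fix 1: "--" ends option parsing, so every expanded name is an operand.
safe_ls_ddash() { ( cd "$1" && ls -d -- * ); }

# Fix 2: a "./" prefix means no expanded word can begin with '-'.
safe_ls_dotslash() { ( cd "$1" && ls -d ./* ); }

demo() {
    dir=$(make_demo_dir) || return 1
    echo "names that would be parsed as options:"; dash_names "$dir"
    echo "ls * :";    unsafe_ls "$dir"
    echo "ls -- * :"; safe_ls_ddash "$dir"
    echo "ls ./* :";  safe_ls_dotslash "$dir"
    rm -rf -- "$dir"
}
demo
```

The same two fixes apply to any command that receives a glob in a directory other users can write to, not only ls.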
This archive was generated by hypermail 2b30 : Fri Feb 15 2002 - 04:32:19 PST