From owner-freebsd-security  Fri Sep 11 14:21:58 1998
Return-Path: <owner-freebsd-security@FreeBSD.ORG>
Received: (from majordom@localhost)
          by hub.freebsd.org (8.8.8/8.8.8) id OAA12232
          for freebsd-security-outgoing; Fri, 11 Sep 1998 14:21:58 -0700 (PDT)
          (envelope-from owner-freebsd-security@FreeBSD.ORG)
Received: from stage1.thirdage.com (stage1.ThirdAge.com [204.74.82.151])
          by hub.freebsd.org (8.8.8/8.8.8) with ESMTP id OAA12222
          for <security@FreeBSD.ORG>; Fri, 11 Sep 1998 14:21:53 -0700 (PDT)
          (envelope-from jal@ThirdAge.com)
Received: from gigi (gigi.ThirdAge.com [204.74.82.169])
	by stage1.thirdage.com (8.8.5/8.8.5) with SMTP id OAA22328;
	Fri, 11 Sep 1998 14:17:17 -0700 (PDT)
Message-Id: <3.0.5.32.19980911142102.009c86d0@204.74.82.151>
X-Sender: jal@204.74.82.151
X-Mailer: QUALCOMM Windows Eudora Pro Version 3.0.5 (32)
Date: Fri, 11 Sep 1998 14:21:02 -0700
To: Jay Tribick <netadmin@fastnet.co.uk>, security@FreeBSD.ORG
From: Jamie Lawrence <jal@ThirdAge.com>
Subject: Re: cat exploit 
Cc: Snob Art Genre <benedict@echonyc.com>
In-Reply-To: <Pine.BSF.3.96.980911090428.4232A-100000@bofh.fast.net.uk>
References: <Pine.GSO.4.02.9809110115070.27098-100000@echonyc.com>
Mime-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

At 09:09 AM 9/11/98 +0100, Jay Tribick wrote:
>
>| > >How about something more practical? Like being able to turn off this
>| > >"feature".
>| > 
>| > "rm /bin/cat"
>
>        ^- Not very practical, it would break a lot of scripts

Sigh. Most people noticed that I was being flip.

>| I'd like to hear a wider variety of opinions on the matter -- in
>| particular, I wonder if anyone still uses the feature for anything, and
>| if it's been exploited.  I don't understand why you're so dismissive
>| about it.

I'm dismissive of it because the behaviour has been known for a very,
very long time. It is defined behaviour, and no worse than a lot of
other gotchas that exist in *nix. I thought everyone learned about this
by having someone else annoy them with ^Gs until they figured it out.
Guess not.

>I think we've had enough replies on this thread - I still think it
>/may/ be exploitable if you had a . in your path and within the
>tarball was a file called xtermxterm.. but, let's drop it here
>before it gets out of hand :)

It is 'exploitable' in ways that have nothing to do with your $PATH.
Much in the same way shells are 'exploitable' because you can
compromise someone's account by convincing them to run an arbitrary
script you wrote (only more obscurely so).

>Anyone wants to reply to this, do it privately please.

I would have, if there hadn't been misconceptions to be cleared up.

-j

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-security" in the body of the message