From owner-freebsd-security Thu Sep 10 12:09:17 1998
Date: Thu, 10 Sep 1998 12:06:20 -0700 (PDT)
From: Steve Reid
To: Jay Tribick
cc: security@FreeBSD.ORG
Subject: Re: cat exploit

On Thu, 10 Sep 1998, Jay Tribick wrote:

> cat the file INSTALL to find out what you need to do - it would be
> relatively simple to embed a command in there to just rm -rf / & your
> hd!

steve@BitBucket:/home/steve% cat /dev/urandom
[barf]
^C
steve@BitBucket:/home/steve% 1;2cxterm1;2cxterm1;2cxterm1;2c1;2cx
term1;2c1;2cxterm1;2c1;2c

I tried it several times and I couldn't get it to produce anything other
than "1;2c" and "xterm", although it did completely freeze my xterm once
(scrollbars didn't even work). It never seemed to embed an enter
character.

I have, on occasion, cat'ed a file and seen the "zsh: command not found:
xtermxtermxterm" but I think that was caused by me typing ahead without
noticing the extra garbage on the command line.

In any case, it looks like the worst that could happen is that a binary
named with some combination of those strings could be executed, IF IT IS
IN YOUR PATH. I can't think of any "evil" command that can be built using
just those strings.
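
A way to inspect an untrusted file before sending it to a terminal, as an added example that is not part of the original message: it flags the standard VT100/ANSI requests that make a terminal transmit a reply into the shell's input (a VT100-style Device Attributes reply has the form ESC [ ? 1 ; 2 c) and renders control bytes visibly instead of emitting them. The function names and the sample bytes are constructed for illustration.

```python
import re

# Standard VT100/ANSI requests that make a terminal transmit a reply,
# which the shell then reads as if it had been typed at the prompt.
QUERIES = [
    (re.compile(rb"\x05"), "ENQ (answerback request)"),
    (re.compile(rb"\x1bZ"), "DECID (identify terminal)"),
    (re.compile(rb"(?:\x1b\[|\x9b)[>=]?[0-9;]*c"), "DA (device attributes)"),
    (re.compile(rb"(?:\x1b\[|\x9b)\??[0-9;]*n"), "DSR (device status report)"),
]

def find_terminal_queries(data: bytes):
    """Return sorted (offset, description) for each reply-triggering sequence."""
    hits = []
    for pattern, name in QUERIES:
        hits.extend((m.start(), name) for m in pattern.finditer(data))
    return sorted(hits)

def caret_render(data: bytes) -> str:
    """Render bytes for display in the spirit of `cat -v`:
    no control byte reaches the terminal unescaped."""
    out = []
    for b in data:
        if b in (0x0A, 0x09):      # keep newline and tab readable
            out.append(chr(b))
        elif b < 0x20:             # C0 controls, e.g. ESC -> ^[
            out.append("^" + chr(b + 0x40))
        elif b == 0x7F:
            out.append("^?")
        elif b >= 0x80:            # includes 8-bit C1 controls such as CSI (0x9b)
            out.append("\\x%02x" % b)
        else:
            out.append(chr(b))
    return "".join(out)

# Constructed sample: an INSTALL-like file with a DA request and an ENQ embedded.
SAMPLE = b"Run make install\n\x1b[c then\x05 done\n"

if __name__ == "__main__":
    for offset, name in find_terminal_queries(SAMPLE):
        print("offset %d: %s" % (offset, name))
    print(caret_render(SAMPLE), end="")
```
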