Date: Fri, 11 Sep 1998 07:39:59 +1200 (NZST)
From: Andrew McNaughton <andrew@squiz.co.nz>
To: Jay Tribick <netadmin@fastnet.co.uk>
Cc: freebsd-security@FreeBSD.ORG
Subject: Re: Err.. cat exploit.. (!)
Message-ID: <Pine.BSF.3.96.980911052523.4130A-100000@aniwa.sky>
In-Reply-To: <Pine.BSF.3.96.980910145120.408m-100000@bofh.fast.net.uk>

On Thu, 10 Sep 1998, Jay Tribick wrote:

> | >Was just having a look in /var/log the other day and spotted
> | >a file called sendmail.st, wondering what it was I cat'd it
> | >and here's what it did:
> | >
> | >bofh$ cat sendmail.st
> | >`ay5habf33*`ma}`)`Jj]: Jsu-2.01$ xtermxterm
> | >su: xtermxterm: command not found
> | >bofh$
> | >
> | >This seems quite scary to me, couldn't someone embed 'rm -rf /'
> | >within a text file and then, if root cats the file it nukes
> | >their system?
> | It is a binary file.
> | Terminals don't like it when you cat a binary.
>
> It's not the fact that it was a binary that puzzled me but that
> it had managed to execute a command on the shell just by me
> cat'ing the file. Forgot to mention that it was in an xterm
> and doesn't affect Virtual Consoles.

This is the key point. If you could get something executed merely by having it passed to a terminal then all sorts of exploits presumably become possible.

I haven't gone through the binary you sent, and I don't know very much about xterm escape sequences and so forth, but scanning through the man page for xterm, the 'string' action stands out as potentially highly dangerous unless care has been taken to limit its impact.

I tried cat'ing a couple of binaries and sure enough I got heaps of 'command not found' errors. All of them are full of 'xtermxterm' type stuff, which leads me to believe that dangerous text gets this substituted into what goes to the shell. Probably this means it's mostly safe.

If an attacker can get an executable file into the path with a name like '2cxterm1' then they can use this mechanism to get it executed. There might be an occasion where this was useful, but mostly an account is not much more secure than its path anyway.

Andrew McNaughton

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-security" in the body of the message
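
Added example, not part of the original message or of any FreeBSD tool: a small viewer that renders a binary file in `cat -v` notation, so control bytes never reach the terminal raw, and counts the byte classes a terminal interprets as commands. The names `visible` and `control_summary` and the sample bytes are constructed for illustration.

```python
# Added example: constructed code and sample data, not from the thread.
import sys

PASS_THROUGH = {0x09, 0x0A}  # tab and newline are left as they are


def _caret(b: int) -> str:
    """cat -v notation for one 7-bit value."""
    if b < 0x20:
        return "^" + chr(b + 0x40)      # 0x1b -> ^[, 0x05 -> ^E
    if b == 0x7F:
        return "^?"
    return chr(b)


def visible(data: bytes) -> str:
    """Render bytes so that no control byte reaches the terminal raw."""
    out = []
    for b in data:
        if b in PASS_THROUGH:
            out.append(chr(b))
        elif b < 0x80:
            out.append(_caret(b))
        else:
            out.append("M-" + _caret(b - 0x80))  # high-bit bytes, incl. C1
    return "".join(out)


def control_summary(data: bytes) -> dict:
    """Count the byte classes a terminal treats as commands, not text."""
    counts = {"ENQ": 0, "ESC": 0, "C1": 0, "other_ctl": 0}
    for b in data:
        if b == 0x05:
            counts["ENQ"] += 1          # enquiry: asks the terminal to answer back
        elif b == 0x1B:
            counts["ESC"] += 1          # starts an escape sequence
        elif 0x80 <= b <= 0x9F:
            counts["C1"] += 1           # 8-bit controls, e.g. 0x9b (CSI)
        elif (b < 0x20 or b == 0x7F) and b not in PASS_THROUGH:
            counts["other_ctl"] += 1
    return counts


# Constructed sample standing in for a binary file such as sendmail.st.
SAMPLE = b"stats\x05\x1b[c\x9b0c\x00\xfftext\n"

if __name__ == "__main__":
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else SAMPLE
    print(control_summary(data), file=sys.stderr)
    sys.stdout.write(visible(data))
```

Run with a file name as the only argument to inspect that file; with no argument it processes the constructed sample.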