From owner-freebsd-security Thu Sep 10 12:41:13 1998
Return-Path:
Received: (from majordom@localhost) by hub.freebsd.org (8.8.8/8.8.8) id MAA08048 for freebsd-security-outgoing; Thu, 10 Sep 1998 12:41:13 -0700 (PDT) (envelope-from owner-freebsd-security@FreeBSD.ORG)
Received: from aniwa.sky (pppk-12.igrin.co.nz [202.49.245.91]) by hub.freebsd.org (8.8.8/8.8.8) with ESMTP id MAA08012 for ; Thu, 10 Sep 1998 12:40:57 -0700 (PDT) (envelope-from andrew@squiz.co.nz)
Received: from localhost (andrew@localhost) by aniwa.sky (8.8.7/8.8.7) with SMTP id HAA05173; Fri, 11 Sep 1998 07:40:00 +1200 (NZST) (envelope-from andrew@squiz.co.nz)
Date: Fri, 11 Sep 1998 07:39:59 +1200 (NZST)
From: Andrew McNaughton
X-Sender: andrew@aniwa.sky
Reply-To: andrew@squiz.co.nz
To: Jay Tribick
cc: freebsd-security@FreeBSD.ORG
Subject: Re: Err.. cat exploit.. (!)
In-Reply-To:
Message-ID:
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

On Thu, 10 Sep 1998, Jay Tribick wrote:

> | >Was just having a look in /var/log the other day and spotted
> | >a file called sendmail.st, wondering what it was I cat'd it
> | >and here's what it did:
> | >
> | >bofh$ cat sendmail.st
> | >`ay5habf33*`ma}`)`Jj]: Jsu-2.01$ xtermxterm
> | >su: xtermxterm: command not found
> | >bofh$
> | >
> | >This seems quite scary to me, couldn't someone embed 'rm -rf /'
> | >within a text file and then, if root cats the file it nukes
> | >their system?
> | It is a binary file.
> | Terminals don't like it when you cat a binary.
>
> It's not the fact that it was a binary that puzzled me but that
> it had managed to execute a command on the shell just by me
> cat'ing the file. Forgot to mention that it was in an xterm
> and doesn't affect Virtual Consoles.

This is the key point. If you could get something executed merely by having it passed to a terminal, then all sorts of exploits presumably become possible.

I haven't gone through the binary you sent, and I don't know very much about xterm escape sequences and so forth, but scanning through the man page for xterm, the 'string' action stands out as potentially highly dangerous unless care has been taken to limit its impact.

I tried cat'ing a couple of binaries and sure enough I got heaps of 'command not found' errors. All of them are full of 'xtermxterm' type stuff, which leads me to believe that dangerous text gets this substituted into what goes to the shell. Probably this means it's mostly safe.

If an attacker can get an executable file into the path with a name like '2cxterm1', then they can use this mechanism to get it executed. There might be an occasion where this was useful, but mostly an account is not much more secure than its path anyway.

Andrew McNaughton

To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message
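The mechanism the thread is circling is a terminal "query": certain control bytes make an xterm-class terminal write a reply to its own pty, and the shell reads that reply as keyboard input. The 'xtermxterm' echoes are consistent with the ENQ (^E, 0x05) answerback, which xterm answers with its answerback string; other queries (device attributes, cursor position reports, window title reports) behave the same way with different reply text. The checker below is an added example and not code from the list thread or from xterm: the trigger list, the simulated reply, and the default answerback of "xterm" are assumptions drawn from documented VT100/xterm behaviour, and it goes beyond the single ENQ case by flagging the other common query sequences as well. It also reproduces the `cat -v` rendering that shows such bytes harmlessly.

```python
"""Check untrusted bytes for terminal control sequences that make an
xterm-class terminal answer on its *input* side, so that the reply is read
by the shell as if the user had typed it. Added example, not code from the
FreeBSD list thread; the trigger list and the simulated reply are
assumptions based on documented VT100/xterm behaviour."""
import re

# (pattern, description). Assumed set of "ask the terminal a question"
# sequences; each makes a real terminal write a response to its pty.
REPLY_TRIGGERS = [
    (rb"\x05", "ENQ: terminal sends its answerback string"),
    (rb"\x1bZ", "DECID: terminal identifies itself"),
    (rb"\x1b\[[?>]?\d*c", "DA: device attributes request"),
    (rb"\x1b\[\??[56]n", "DSR: status / cursor position report"),
    (rb"\x1b\[(?:1[48]|21)t", "xterm window-ops report (size or title)"),
]
_COMPILED = [(re.compile(p), d) for p, d in REPLY_TRIGGERS]


def find_reply_triggers(data: bytes) -> list:
    """Return (offset, description) for every reply-provoking sequence."""
    hits = []
    for pat, desc in _COMPILED:
        hits.extend((m.start(), desc) for m in pat.finditer(data))
    return sorted(hits)


def is_safe_to_display(data: bytes) -> bool:
    """True if writing `data` raw to the terminal provokes no reply."""
    return not find_reply_triggers(data)


def simulate_answerback(data: bytes, answerback: bytes = b"xterm") -> bytes:
    """Bytes the terminal would queue on the shell's input for each ENQ.
    Only ENQ is simulated; "xterm" as the default answerback is an
    assumption matching the 'xtermxterm' echoes in the thread."""
    return answerback * data.count(b"\x05")


def show_nonprinting(data: bytes) -> str:
    """Render bytes the way `cat -v` does: ^X for controls, ^? for DEL,
    an M- prefix for the high bit; tab and newline pass through."""
    out = []
    for b in data:
        prefix = ""
        if b >= 0x80:
            prefix, b = "M-", b - 0x80
        if b == 0x7F:
            out.append(prefix + "^?")
        elif b < 0x20 and (prefix or b not in (0x09, 0x0A)):
            out.append(prefix + "^" + chr(b + 0x40))
        else:
            out.append(prefix + chr(b))
    return "".join(out)


# Constructed sample standing in for a binary like sendmail.st: two ENQ
# bytes and one DA request buried in junk.
SAMPLE = b"junk\x05more\x05\x1b[c"

if __name__ == "__main__":
    for off, desc in find_reply_triggers(SAMPLE):
        print(f"offset {off}: {desc}")
    print("shell would read:", simulate_answerback(SAMPLE))
    print("cat -v view:", show_nonprinting(SAMPLE))
```

The practical rule this supports: never write an untrusted file raw to an interactive terminal. `cat -v`, `less` or `od -c` show the control bytes instead of handing them to the terminal, and the checker above can gate any tool that must display attacker-controlled data.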