Re: Vulnerability in Lizards game

Zoltan Hidvegi (hzoli@FRONTIERNET.NET)
Tue, 18 Nov 1997 21:14:49 -0600

Joe Zbiciak wrote:
> John Dow said previously:
>
> | - but then again, my system("clear") wasn't particularly
> | elegant either. How about system("/usr/bin/clear")?
>
> That won't work. An attack along these lines will slice through
> that "fix" pretty quickly, if I'm not mistaken.
>
> export IFS=/
> export PATH=.:$PATH
> echo "cp /bin/sh ./root_sh; chmod 4755 ./root_sh" > ./usr
> chmod 755 ./usr
> lizards

Actually recent POSIX shells are immune to this kind of attack, since IFS
is only used to split the result of parameter expansion. No shell under
Linux has this behaviour. This system() call seems to be secure, but it
is still bad practice.

Recent shells disable .bashrc, $ENV etc. processing when euid != uid or
egid != gid and functions are not imported (see the privileged option in
the bash manual).

> "system()" is just not cut out for security.

Definitely. And its performance is also quite bad. It's a waste of
resources to fork/exec a large shell just to execute a tiny program.

Zoltan
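A shell-free replacement for the system("/usr/bin/clear") call discussed in this thread, as an added example that is not code from the thread or from the Lizards game. It does what the reply recommends: no shell is involved, so neither IFS nor the caller's PATH can influence what runs; the child gets a fixed environment and drops any set-uid/set-gid privilege before the execve. The path /usr/bin/clear, the environment contents, and the TERM whitelist are assumptions chosen for this example.

```c
/* Added example (not from the original thread): system("clear") without the
 * shell. The child execs an absolute path with a minimal, constructed
 * environment and real (not effective) uid/gid, so IFS/PATH tricks against
 * /bin/sh cannot apply and nothing runs with the game's privileges. */
#define _POSIX_C_SOURCE 200809L
#include <ctype.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <sys/types.h>
#include <sys/wait.h>

/* clear(1) needs TERM to pick terminfo entries. Pass the user's TERM through
 * only if it looks like a terminal name; otherwise fall back to a fixed one.
 * The character whitelist and the "vt100" default are assumptions. */
const char *safe_term(void)
{
    const char *t = getenv("TERM");
    if (t == NULL || *t == '\0' || strlen(t) > 32)
        return "vt100";
    for (const char *p = t; *p; p++)
        if (!isalnum((unsigned char)*p) && *p != '-' && *p != '.')
            return "vt100";
    return t;
}

/* Run `path` with `argv` and return its exit status (0..255), 127 if it could
 * not be executed, or -1 if fork()/waitpid() failed or it died by signal.
 * Same job as system(), minus the shell. */
int run_program(const char *path, char *const argv[])
{
    pid_t pid = fork();
    if (pid < 0)
        return -1;

    if (pid == 0) {
        /* Child: drop set-id privileges first; refuse to run if that fails. */
        if (setgid(getgid()) != 0 || setuid(getuid()) != 0)
            _exit(127);

        /* Constructed environment: nothing else inherited from the user. */
        char term[48];
        snprintf(term, sizeof term, "TERM=%s", safe_term());
        char *const envp[] = { "PATH=/bin:/usr/bin", term, NULL };

        execve(path, argv, envp);
        _exit(127);                     /* exec failed */
    }

    int status;
    if (waitpid(pid, &status, 0) < 0)
        return -1;
    return WIFEXITED(status) ? WEXITSTATUS(status) : -1;
}

/* What the game would call instead of system("clear"). */
int clear_screen(void)
{
    char *const argv[] = { "clear", NULL };
    return run_program("/usr/bin/clear", argv);
}

int main(void)
{
    int rc = clear_screen();
    printf("clear exited with %d\n", rc);
    return rc == 0 ? 0 : 1;
}
```

Unlike system(), this does not ignore SIGINT/SIGQUIT in the parent while the child runs; for a full-screen game that is usually what you want anyway, and it avoids the second fork/exec of a shell that the reply objects to.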