Re: [Full-Disclosure] SSH Exploit Request
Valdis.Kletnieks_at_vt.edu
Date: 11/15/03
- Previous message: Pentest Security Advisories: "Re: [Full-Disclosure] Re: Serious flaws in bluetooth security lead to disclosure of personal data"
- In reply to: Jeremiah Cornelius: "Re: [Full-Disclosure] SSH Exploit Request"
- Next in thread: Rodrigo Barbosa: "Re: [Full-Disclosure] SSH Exploit Request"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
To: Jeremiah Cornelius <jeremiah@nur.net> Date: Sat, 15 Nov 2003 10:44:50 -0500
On Fri, 14 Nov 2003 22:21:30 PST, Jeremiah Cornelius said:
> Solaris ('til v 7, at least) keeps a Bekeley-syntax shutdown in
> /usr/ucb/bin/
Remember what I said about "what happens if you set your root login shell to be
/usr/local/bin/glitzy-shell?". Well, I've got a nice story about Solaris and
/usr/ucb.
I'm one of the gang of inindicted co-conspirators who are to blame for the
Center for Internet Security benchmarks. One of the things the Solaris
benchmark includes is cut-and-paste code to implement each recommendation. So
anyhow, we get feedback from one site, complaining that some of their
configuration files now have literal backslash tee backslash tee backslash tee
where there should be a sequence of 3 tabs.
I finally tracked that one down to the fact that the Solaris shell 'echo'
builtin actually *checks* $PATH to see if /usr/ucb is in it, and if so, if it's
before or after /usr/bin, and then emulates a SysV or BSD echo. And the BSD
echo doesn't handle escape sequences the same way..... Whoops. We got to go
through and replace all the echo's with printf's.
Yes, a bug in our code. However, one totally unexpected, even by any of the
large number of Solaris experts, and it didn't crop up on the first several
hundred or thousand boxes it was tested on....
And *that* sort of bug is the one that answers the question "How could patching
XYZ *possibly* take down a server?".....
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html
- application/pgp-signature attachment: stored
- Previous message: Pentest Security Advisories: "Re: [Full-Disclosure] Re: Serious flaws in bluetooth security lead to disclosure of personal data"
- In reply to: Jeremiah Cornelius: "Re: [Full-Disclosure] SSH Exploit Request"
- Next in thread: Rodrigo Barbosa: "Re: [Full-Disclosure] SSH Exploit Request"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
