Re: csh/tcsh vulnerability

From: Valdis.Kletnieks@vt.edu
Date: 06/27/02


To: <dragory1@hotmail.com>
From: Valdis.Kletnieks@vt.edu
Date: Thu, 27 Jun 2002 01:32:18 -0400

On Thu, 27 Jun 2002 03:41:57 -0000, =?ks_c_5601-1987?B?waQgyMa/tQ==?= <dragory1@hotmail.com> said:
> OS : Solaris 8
>
> [sf280r]#/home/dragory> bash
> [dragory@sf280r dragory]$ export HOME=`perl -e 'print "x"x5000'`
> [dragory@sf280r dragory]$ su
> Password:(input correct password)

So at this point, you could get root if you wanted, since you supplied the
CORRECT password. If you hadn't set $HOME, you'd have a perfectly valid
and authorized root shell.

> Segmentation Fault (core dumped)
> [dragory@sf280r dragory]$ ls -l core
> -rw------- 1 root 580464 Jun 27 12:29 core
> [sf280r]#/home/dragory> gdb -q tcsh core
> (no debugging symbols found)...Core was generated by `tcsh'.
> Program terminated with signal 11, Segmentation Fault.
> #0 0x29be4 in doglob ()

And once you *had* root, tcsh blew up because $HOME was bad. What I'd
consider poor form - it's generally impolite to crash if you're a shell. ;)

> Is this vulnerable?

Probably not - all you're managing to do is crash the shell that you
had already gained access to. To get a vulnerability out of it,
you would need to do one of two things:

1) Find a way to get /bin/su to core even if you *don't* supply the correct
password.

2) Find some *other* way to get the system to run tcsh as root with a bad $HOME.

-- 
				Valdis Kletnieks
				Computer Systems Senior Engineer
				Virginia Tech
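The point of the reply is that the crash belongs to the shell, not to su, so the quickest way to confirm it is to run the shell directly under the oversized $HOME as an unprivileged user and see whether it dies by signal. The script below is an added example, not code from the original thread or from tcsh; it assumes only a POSIX sh and awk, defaults to probing sh so it runs anywhere, and takes the shell name as its first argument (for example tcsh) to repeat the test from the report.

```shell
# Added example (not from the thread or from tcsh): reproduce the crash
# WITHOUT su, so the oversized $HOME acts on the shell alone and su's
# authentication is out of the picture. The 5000-byte value mirrors the
# perl one-liner in the report; awk is used here so perl is not needed.

# big_home LEN: print a HOME value made of LEN 'x' characters.
big_home() {
    awk -v n="$1" 'BEGIN { while (i++ < n) printf "x" }'
}

# probe_shell SHELL LEN: run SHELL with HOME set to LEN bytes and make it
# tilde-expand (echo ~ works in both sh and csh dialects), which is the
# glob/expansion path the core dump pointed at.
# Returns 0 if the shell survived, 1 if it was killed by a signal
# (exit status above 128, e.g. 139 for SIGSEGV), 2 for any other failure
# such as the shell not being installed.
probe_shell() {
    shell=$1
    len=$2
    command -v "$shell" >/dev/null 2>&1 || return 2
    HOME=$(big_home "$len") "$shell" -c 'echo ~' >/dev/null 2>&1
    status=$?
    if [ "$status" -eq 0 ]; then
        return 0
    elif [ "$status" -gt 128 ]; then
        return 1
    else
        return 2
    fi
}

# report SHELL LEN: human-readable verdict for one shell, with the
# signal number recovered from the exit status when it was killed.
report() {
    rc=0
    probe_shell "$1" "$2" || rc=$?
    case $rc in
        0) echo "$1: survived HOME of $2 bytes" ;;
        1) echo "$1: killed by a signal with HOME of $2 bytes (shell bug, not a su bug)" ;;
        *) echo "$1: could not be run (not installed or failed for another reason)" ;;
    esac
    return 0
}

# Usage: sh probe.sh [shell]   e.g. sh probe.sh tcsh
report "${1:-sh}" 5000
```

A shell that dies here as an ordinary user has the same bug the report shows; whether that is exploitable is still the question the reply raises, because the crash only matters if something else runs that shell as root with an attacker-chosen $HOME.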
