8lgm's SCO "at" hole

Justin Mason (jmason@iona.ie)
Fri, 09 Dec 1994 12:49:22 +0000

[8lgm]-Advisory-10-EXPLOIT describes a hole where a setgid program runs
/bin/pwd with popen(3).

In case you don't know, this is the way that SunOS, as well as SCO,
performs the getcwd() call. Other versions of UNIX may also implement
it this way, although Solaris' getwd() doesn't (sorry folks -- don't
have enough UNIX machines with trace commands!).

trace/truss -f this C code to check:

#include <stdio.h>
#include <unistd.h>   /* getcwd(3) */
int main(void) { char x[1024]; if (getcwd(x, sizeof x)) printf("%s\n", x); return 0; }

If you see a fork or vfork, your getcwd runs /bin/pwd.

If you have any setuid programs that call getcwd(), make sure they
sanitise their environment beforehand. Another thing to watch out
for...

--j.
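Added example (not part of the post above) of the environment sanitisation it recommends: a setuid/setgid program throws away every inherited variable, keeps only an allowlist, and pins PATH before calling getcwd(), so nothing an untrusted caller put in the environment reaches the shell that popen(3) may start. The allowlist, SAFE_PATH and the function names are assumptions.

```c
/* Added example, not from the original post: rebuild the environment from
 * an allowlist before calling a libc routine that may spawn /bin/sh
 * (getcwd(3) where it runs /bin/pwd via popen(3)). The allowlist and
 * SAFE_PATH are assumptions chosen for illustration. */
#define _POSIX_C_SOURCE 200809L
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>

extern char **environ;
#define SAFE_PATH "/bin:/usr/bin"

/* Variables worth preserving; everything else (IFS, LD_*, ...) is dropped. */
static const char *const keep[] = { "TZ", "LANG", NULL };

/* Replace the inherited environment with a minimal one of our own.
 * Returns 0 on success, -1 if setenv(3) fails. */
int sanitize_environment(void)
{
    static char *empty[] = { NULL };
    char *saved[sizeof keep / sizeof keep[0]] = { 0 };
    size_t i;
    int rc = 0;

    for (i = 0; keep[i] != NULL; i++) {       /* copy allowlisted values */
        const char *v = getenv(keep[i]);
        if (v != NULL)
            saved[i] = strdup(v);
    }
    environ = empty;                           /* discard everything inherited */
    if (setenv("PATH", SAFE_PATH, 1) != 0)
        rc = -1;
    for (i = 0; keep[i] != NULL; i++) {       /* restore the allowlisted ones */
        if (saved[i] != NULL && rc == 0 && setenv(keep[i], saved[i], 1) != 0)
            rc = -1;
        free(saved[i]);
    }
    return rc;
}

int main(void)
{
    char cwd[1024];
    /* Only now is it safe for getcwd() to hand /bin/pwd to a shell. */
    if (sanitize_environment() == 0 && getcwd(cwd, sizeof cwd) != NULL)
        printf("%s\n", cwd);
    return 0;
}
```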