Xref: utzoo alt.security:1630 comp.unix.sysv386:783
Path: utzoo!utgpu!cs.utexas.edu!uunet!ssbell!dsndata!wayne
From: wayne@dsndata.uucp (Wayne Schlitt)
Newsgroups: alt.security,comp.unix.sysv386
Subject: Re: Here's how to stop shell escapes from vi
Message-ID:
Date: 27 Sep 90 11:36:33 GMT
References: <2441@sud509.ed.ray.com> <1990Sep18.120450.14590@nstar.uucp> <1990Sep20.153105.28394@naitc.naitc.com> <11285:Sep2022:15:2090@kr <924@mwtech.UUCP>
Sender: wayne@dsndata.UUCP
Organization: Design Data
Lines: 23
In-reply-to: peter@ficc.ferranti.com's message of 26 Sep 90 17:46:16 GMT

In article peter@ficc.ferranti.com (Peter da Silva) writes:
> In article <1990Sep20.153105.28394@naitc.naitc.com> karl@bbs.naitc.com (Karl Denninger) writes:
> > Without source code to "vi" there is NO WAY to prevent this. Believe me.
>
> adb -w /bin/vi
>
> Just zap the "/bin/sh" and the name of the "shell" variable.

OK, /bin/sh can be zapped easily, but I am not sure about the SHELL variable. What do you zap it to? Changing "SHELL" to "XXXXX" just moves the problem; using unprintable characters probably won't solve it either. Would zapping the 'S' to a '\0' really work?

Looking through the /bin/vi on our HP-UX system, there are also the strings "shell" and "sh"... Are those for the :shell commands? Do they need to be zapped?

I haven't tried any of this, but without source, it would be hard to verify that all the holes are plugged. (Note that I didn't say impossible, 'cause with adb, _anything_ is possible :-)

-wayne
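The verification step the post calls hard without source, as an added example that is not code from this thread: a small Python scanner that lists every whole printable string in a raw byte image matching the candidates the thread names ("/bin/sh", "SHELL", "shell", "sh") with its offset, and shows what the proposed 'S'-to-NUL zap leaves behind. The byte image and the offsets are constructed for the example; on a real executable the format-specific string/data sections would have to be located first, and a string that is absent from the table says nothing about shell-spawning code that builds the name at run time.

```python
"""Scan a raw byte image for whole NUL-delimited strings that could name a
shell or a shell-selecting environment variable, so that a patched copy of
an editor binary can be checked for leftovers.

Added example, not part of the original thread. It assumes a raw byte
image (a constructed stand-in is embedded below), not any real binary format.
"""
import re

# Strings discussed in the thread as candidates that may need patching.
CANDIDATES = (b"/bin/sh", b"SHELL", b"shell", b"sh")

# Constructed stand-in for the string table of an editor binary.
SAMPLE_IMAGE = (
    b"\x7fELF\x00\x00junk\x00"
    b"/bin/sh\x00SHELL\x00shell\x00sh\x00"
    b"-c\x00:%s\x00"
)

# A run of printable ASCII; runs are delimited by NUL or any other
# non-printable byte, like strings(1) with a minimum length of 1.
STRING_RE = re.compile(rb"[\x20-\x7e]+")


def printable_strings(image):
    """Yield (offset, bytes) for each maximal run of printable ASCII."""
    for m in STRING_RE.finditer(image):
        yield m.start(), m.group()


def find_candidates(image, candidates=CANDIDATES):
    """Return {candidate: [offsets]} for each candidate that occurs as a
    whole run. Matching whole runs means "sh" does not fire on "shell"."""
    hits = {c: [] for c in candidates}
    for off, s in printable_strings(image):
        if s in hits:
            hits[s].append(off)
    return {c: offs for c, offs in hits.items() if offs}


def zap_first_byte(image, offset):
    """Return a copy with the byte at offset overwritten by NUL, the thread's
    proposal for the 'S' of "SHELL". The run then starts at offset + 1."""
    patched = bytearray(image)
    patched[offset] = 0
    return bytes(patched)


def leftover_report(image):
    """Human-readable list of candidate strings still present in image."""
    hits = find_candidates(image)
    if not hits:
        return "no candidate shell strings found"
    return "\n".join(
        f"{s.decode():8s} at {', '.join(hex(o) for o in offs)}"
        for s, offs in hits.items()
    )


if __name__ == "__main__":
    print("before:")
    print(leftover_report(SAMPLE_IMAGE))
    shell_off = find_candidates(SAMPLE_IMAGE)[b"SHELL"][0]
    after = zap_first_byte(SAMPLE_IMAGE, shell_off)
    print("\nafter zapping the 'S' of SHELL:")
    print(leftover_report(after))
    # The zap leaves an "HELL" run behind, which the scanner still shows.
    print([s for _, s in printable_strings(after)])
```

Run it on the constructed image and the report shows all four candidates before the patch and only "/bin/sh", "shell" and "sh" after the 'S' is zapped; the remaining "HELL" run is listed so a reviewer can see that the patch changed the string rather than removed it. Whole-run matching is deliberate: a substring search for "sh" would flag "shell" and hide which of the two the poster is actually asking about.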