Path: utzoo!mnetor!uunet!husc6!uwvax!oddjob!gargoyle!att-ih!ttrdc!levy
From: levy@ttrdc.UUCP (Daniel R. Levy)
Newsgroups: comp.bugs.sys5
Subject: Re: A security hole
Message-ID: <2230@ttrdc.UUCP>
Date: 11 Mar 88 06:37:15 GMT
References: <181@wsccs.UUCP> <388@koel.rmit.oz> <357@pedsga.UUCP>
Organization: AT&T, Skokie, IL
Lines: 23
Keywords: shell, secure

In article <357@pedsga.UUCP>, chip@pedsga.UUCP writes:
> Mild flames accepted for the following statement:

OK, here's a flick of my Bic.

# "Nothing which is 'builtin' to the shell is guaranteed to stay builtin."
# Since many (okay some) UNIX sites also have a source license, if you
# recompile the shell after altering msg.c (change the "pwd" builtin to
# "_pwd" or whatever), then it seems that a call to getcwd would execute
# the pwd in your carefully, although mischievously (is that a word?)
# setup path to get the desired root privileges.

If you can replace /bin/sh you already have privileges (and /bin/sh is
surely not the only or even the easiest place a system cracker could
plant a Trojan horse under those circumstances), or a system admin was
verrrry careless with permissions on /bin or /bin/sh.  If you have your
own doctored copy of "sh" it does you no good if it isn't in /bin/sh.
(popen explicitly uses "/bin/sh").
-- 
|------------Dan Levy------------|  Path: ..!{akgua,homxb,ihnp4,ltuxa,mvuxa,
|         an Engihacker @        |  }!ttrdc!ttrda!levy
| AT&T Computer Systems Division |  Disclaimer?  Huh?  What disclaimer???
|--------Skokie, Illinois--------|