Bugtraq archives for 3rd quarter (Jul-Sep) 1997: Re: procmail

Re: procmail

Casper Dik (casperHOLLAND.SUN.COM)
Tue, 22 Jul 1997 09:11:11 +0200

>On Mon, 21 Jul 1997 16:50:56 +0200, Casper Dik wrote:
>> Shells will not honor meta characters inside variables.
>>
>> The shell will first parse (the phase in which meta characters and keywords
>> are detected) and only then will it do variable substitution.
>>
>> Then it'll split stuff in words and only then wildcard expansion is done.
>
>There's some weird effect with tcsh (I don't know if that's standard csh
>behavior). When your shell script does a `set foo=$1' and the first
>argument is "xx PATH=~ftp/incoming:/usr/bin:/bin" it will do two
>simultaneous variable assignments, and thus overwrite the PATH variable
>with the string the attacker specified.
>
>Not sure if that qualifies as metacharacter expansion, but it's definitely
>scary:-) Metamail had this problem, fwiw.


Most likely because Csh/Tcsh variable assignments are treated differently
from sh assignments (which are part of the syntax; in csh/tcsh they're
part of the command language).

In Csh/tcsh you must quote the assignment.

The worst thing csh/tcsh do, however, is an "eval" on the variables that
are imported to local variables (HOME->home, TERM->term, PATH->path, etc.)

So any set-uid/set-gid C-shell script or a C-shell script "captive" login;
they're all easily broken.

This is fixed in later tcsh revisions.

There are simply too many weird things in tcsh/csh to use them as a scripting
language for scripts other than .login/.cshrc etc.

Casper
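
The parsing order discussed in this thread, shown as an added sh example that is not part of the original message. The `HOSTILE` value, its placeholder path and all function names are constructed for illustration, and the last function uses sh's own `eval` to show what a second parse does rather than reproducing csh/tcsh.

```shell
#!/bin/sh
# Constructed argument modelled on the one quoted in the thread
# (the path is a placeholder, not taken from the post).
HOSTILE='xx PATH=/nonexistent/incoming'

count_args() { echo "$#"; }

# sh assignment is part of the syntax: the value is neither split nor
# re-parsed, so foo gets the whole string and PATH is untouched.
sh_assign() (
    saved=$PATH
    foo=$1
    [ "$foo" = "$1" ] && [ "$PATH" = "$saved" ] && echo intact
)

# Metacharacters arriving through a variable are data: the ';' is
# handed to echo as an ordinary word and no second command runs.
meta_as_data() (
    v='a ; echo injected'
    echo $v
)

# Word splitting and wildcard expansion DO apply to unquoted expansions.
split_unquoted() ( count_args $1 )
split_quoted()   ( count_args "$1" )
glob_unquoted() (
    d=$(mktemp -d) || exit 1
    cd "$d" && : > one && : > two
    v='*'
    count_args $v          # '*' expands to the two files created above
    cd / && rm -rf "$d"
)

# eval parses the value a second time, so the embedded assignment
# takes effect (inside this subshell only).
eval_reparses() (
    eval "foo=$1"
    echo "$PATH"
)

echo "sh assignment:      $(sh_assign "$HOSTILE")"
echo "metachar in value:  $(meta_as_data)"
echo "unquoted/quoted:    $(split_unquoted "$HOSTILE") / $(split_quoted "$HOSTILE") words"
echo "unquoted glob:      $(glob_unquoted) words"
echo "PATH after eval:    $(eval_reparses "$HOSTILE")"
```

Quoting every expansion and never passing untrusted values through `eval` removes the three behaviours that change the outcome here.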