Subject: Re: sperl 5.00503 (and newer ;) exploit
From: Olaf Kirch (okir CALDERA.DE)
Date: Mon Aug 07 2000 - 05:35:36 CDT

On Sat, Aug 05, 2000 at 07:19:36PM +0200, Michal Zalewski wrote:
> c) /bin/mail has undocumented feature; if interactive=something, it will
> interpret ~! sequence even if not running on the terminal;

Well, some "unfortunate" features come back again and again. I recall
INN's control scripts used to have a similar problem, three years ago.

I'm sort of torn between whether to blame sperl for using mail rather
than syslog, or for doing so without cleaning up the environment.
Apart from the ~! expansion problem, there seems to be at least
another one lurking which is that it'll try to load ~/.mailrc, and
~ is replaced with the value of $HOME.

Any setuid root program that does an exec() somewhere is just a less
user friendly version of su. I have a wonderful proof of this claim,
but unfortunately the margin is too small to hold it :-)

Olaf
--
Olaf Kirch         |  --- o --- Nous sommes du soleil we love when we play
okirmonad.swb.de   |    / | \   sol.dhoop.naytheet.ah kin.ir.samse.qurax
okir caldera.de    +-------------------- Why Not?! -----------------------
         UNIX, n.: Spanish manufacturer of fire extinguishers.
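
The two alternatives the message names (syslog instead of mail, or an exec with a cleaned-up environment), sketched in C as an added example that is not part of the original post and not sperl's code. The names `CLEAN_ENV`, `env_has`, `report_syslog`, `run_clean` and the `suidhelper` ident are hypothetical, and the probe command stands in for a mailer.

```c
#define _POSIX_C_SOURCE 200809L
#include <stdlib.h>
#include <string.h>
#include <syslog.h>
#include <sys/wait.h>
#include <unistd.h>

/* Fixed environment for the child. Nothing is inherited, so a
 * caller-supplied "interactive" or HOME never reaches the mailer. */
static char *const CLEAN_ENV[] = { "PATH=/usr/bin:/bin", "HOME=/", NULL };

/* Return 1 if variable `name` is set in `envp`, else 0. */
int env_has(char *const envp[], const char *name) {
    size_t n = strlen(name);
    for (; *envp; envp++)
        if (strncmp(*envp, name, n) == 0 && (*envp)[n] == '=') return 1;
    return 0;
}

/* Option 1: no exec at all; report through syslog. */
void report_syslog(const char *msg) {
    openlog("suidhelper", LOG_PID, LOG_AUTH);   /* hypothetical ident */
    syslog(LOG_WARNING, "%s", msg);             /* constant format string */
    closelog();
}

/* Option 2: exec with explicit argv and CLEAN_ENV (no shell, no popen).
 * Returns the child's exit status, or -1 on failure. */
int run_clean(const char *path, char *const argv[]) {
    int st;
    pid_t pid = fork();
    if (pid < 0) return -1;
    if (pid == 0) {
        execve(path, argv, CLEAN_ENV);
        _exit(127);                             /* exec failed */
    }
    if (waitpid(pid, &st, 0) < 0) return -1;
    return WIFEXITED(st) ? WEXITSTATUS(st) : -1;
}

int main(void) {
    /* Constructed hostile environment, as an invoking user might set it. */
    setenv("interactive", "1", 1);
    setenv("HOME", "/tmp/constructed-home", 1);
    char *const probe[] = { "sh", "-c",
        "test -z \"${interactive+x}\" && test \"$HOME\" = /", NULL };
    report_syslog("constructed sample message");
    return run_clean("/bin/sh", probe);   /* 0: child saw neither value */
}
```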