Subject: Re: sperl 5.00503 (and newer ;) exploit
From: Pixel (pixel@MANDRAKESOFT.COM)
Date: Mon Aug 07 2000 - 09:13:19 CDT


Michal Zalewski <lcamtuf@DIONE.IDS.PL> writes:

[...]

> c) /bin/mail has undocumented feature; if interactive=something, it will
> interpret ~! sequence even if not running on the terminal; it is not

here is a patch for mailx that will disable this feature, and so make sperl
`safe'

--------------------------------------------------------------------------------
--- mailx-8.1.1/collect.c~ Mon Aug 7 15:17:13 2000
+++ mailx-8.1.1/collect.c Mon Aug 7 15:55:48 2000
-226,8 +226,13
                          * Shell escape, send the balance of the
                          * line to sh -c.
                          */
- shell(&linebuf[2]);
- break;
+ /*
+ * HACK: only accept shell commands if "interactive" is set,
+ * and not set via environment variables (otherwise, nice
+ * stuff for security exploits!)
+ */
+ if (lookup("interactive")) shell(&linebuf[2]);
+ break;
                 case ':':
                 case '_':
                         /*
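Review bot: the `lookup("interactive")` gate is applied only to the `~!` branch; the `case ':'` and `case '_':` branches that follow it are left unchanged, and in mailx those hand the rest of the line to the mail command interpreter, whose command set includes `!`/`shell`, so a message line such as `~:!cmd` can still reach a shell whenever escape processing is on. Hoisting the check above the whole escape switch (treating the line as plain text when `lookup("interactive")` is NULL) would close that rather than guarding a single case. Two smaller points: when the check fails, the `~!cmd` line is silently discarded instead of being written to the message as text or reported, which hides the behaviour change from a legitimate user; and the comment's claim that the variable is "not set via environment variables" rests on `lookup()` searching only the set-variable table while `value()` falls back to getenv(), which is not visible in this hunk and deserves a sentence in the comment so nobody later "fixes" it back to `value()`.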
--------------------------------------------------------------------------------

cu Pixel.

PS: be careful if you want to patch perl to remove any `~!' in the filename; the
escape character can be changed in mailx...
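The point of the PS, and the effect of the patch above, as an added example that is not code from the original mail or from mailx: a small C model of the escape dispatch in collect.c with mailx's split between lookup() (set-variable table only) and value() (table, then environment). It shows that a caller-side filter for a literal "~!" is bypassed by an attacker who also controls the `escape` variable, and that the patch's lookup("interactive") gate refuses the shell escape when "interactive" comes only from the environment. The two simulated stores, the helper names, the action enum and the sample lines are assumptions constructed for this illustration; the escape character default and the lookup()/value() split follow mailx.

```c
/* Added example, not from the original mail or from mailx: a model of the
 * collect.c escape dispatch.  Stores, names and sample lines are constructed
 * for illustration; escape default '~' and lookup()/value() follow mailx. */
#include <stdio.h>
#include <string.h>

enum action { ACT_TEXT, ACT_SHELL, ACT_MAILCMD, ACT_BLOCKED };

struct var { char name[32]; char val[64]; };
#define MAXVARS 8

/* Simulated stores: variables set via .mailrc/"set" (vartable) and the
 * process environment (envtable).  mailx's lookup() searches only the
 * table; value() falls back to getenv().  Kept in-process so the example
 * runs without touching the real environment. */
static struct var vartable[MAXVARS], envtable[MAXVARS];
static int nvartable, nenvtable;

static void store_put(struct var *t, int *n, const char *name, const char *val)
{
    for (int i = 0; i < *n; i++)
        if (strcmp(t[i].name, name) == 0) {
            snprintf(t[i].val, sizeof t[i].val, "%s", val);
            return;
        }
    if (*n < MAXVARS) {
        snprintf(t[*n].name, sizeof t[*n].name, "%s", name);
        snprintf(t[*n].val, sizeof t[*n].val, "%s", val);
        (*n)++;
    }
}
static const char *store_get(const struct var *t, int n, const char *name)
{
    for (int i = 0; i < n; i++)
        if (strcmp(t[i].name, name) == 0) return t[i].val;
    return NULL;
}
static void reset_stores(void) { nvartable = nenvtable = 0; }
static void set_var(const char *n, const char *v) { store_put(vartable, &nvartable, n, v); }
static void set_env(const char *n, const char *v) { store_put(envtable, &nenvtable, n, v); }

static const char *lookup(const char *name) { return store_get(vartable, nvartable, name); }
static const char *value(const char *name)
{
    const char *v = lookup(name);
    return v ? v : store_get(envtable, nenvtable, name);
}

/* mailx takes the escape character from the "escape" variable, default '~'. */
static char escape_char(void)
{
    const char *e = value("escape");
    return (e && *e) ? *e : '~';
}

/* One line of message text while collecting.  Escape processing is on only
 * when value("interactive") is set (table or environment), which is what the
 * thread's environment trick relies on.  patched != 0 adds Pixel's gate:
 * "~!" runs a shell only if "interactive" is in the table. */
static enum action dispatch(const char *line, int patched)
{
    if (line[0] != escape_char() || value("interactive") == NULL)
        return ACT_TEXT;
    switch (line[1]) {
    case '!':
        if (patched && lookup("interactive") == NULL)
            return ACT_BLOCKED;
        return ACT_SHELL;
    case ':':
    case '_':
        return ACT_MAILCMD;   /* the patch leaves these branches as they were */
    default:
        return ACT_TEXT;
    }
}

/* The caller-side fix the PS warns about: drop lines starting with literal "~!". */
static int naive_filter_accepts(const char *line)
{
    return strncmp(line, "~!", 2) != 0;
}

/* Attacker controls the mail process environment: interactive=1 plus
 * escape=% to dodge a literal "~!" filter.  Unpatched, the naive filter
 * passes "%!id" and the dispatcher runs a shell. */
static enum action bypass_unpatched(void)
{
    reset_stores();
    set_env("interactive", "1");
    set_env("escape", "%");
    const char *line = "%!id";   /* constructed attacker line */
    return naive_filter_accepts(line) ? dispatch(line, 0) : ACT_BLOCKED;
}

/* Same environment, patched: "interactive" is not in the table, so blocked. */
static enum action bypass_patched(void)
{
    reset_stores();
    set_env("interactive", "1");
    set_env("escape", "%");
    return dispatch("%!id", 1);
}

/* A real user with "set interactive" in .mailrc keeps the shell escape. */
static enum action mailrc_user_patched(void)
{
    reset_stores();
    set_var("interactive", "1");
    return dispatch("~!id", 1);
}

int main(void)
{
    static const char *names[] = { "text", "shell", "mailcmd", "blocked" };
    printf("escape=%% bypass, unpatched: %s\n", names[bypass_unpatched()]);
    printf("escape=%% bypass, patched:   %s\n", names[bypass_patched()]);
    printf("set interactive, patched:    %s\n", names[mailrc_user_patched()]);
    return 0;
}
```

The model also makes the gap in the patch visible: with escape processing on, `dispatch("~:!id", 1)` still returns ACT_MAILCMD, because the `~:` / `~_` branches are not behind the new check.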