lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
Open Source and information security mailing list archives
| ||
|
From: Valdis.Kletnieks at vt.edu (Valdis.Kletnieks@...edu) Subject: SSH Exploit Request On Fri, 14 Nov 2003 22:21:30 PST, Jeremiah Cornelius said: > Solaris ('til v 7, at least) keeps a Bekeley-syntax shutdown in > /usr/ucb/bin/ Remember what I said about "what happens if you set your root login shell to be /usr/local/bin/glitzy-shell?". Well, I've got a nice story about Solaris and /usr/ucb. I'm one of the gang of inindicted co-conspirators who are to blame for the Center for Internet Security benchmarks. One of the things the Solaris benchmark includes is cut-and-paste code to implement each recommendation. So anyhow, we get feedback from one site, complaining that some of their configuration files now have literal backslash tee backslash tee backslash tee where there should be a sequence of 3 tabs. I finally tracked that one down to the fact that the Solaris shell 'echo' builtin actually *checks* $PATH to see if /usr/ucb is in it, and if so, if it's before or after /usr/bin, and then emulates a SysV or BSD echo. And the BSD echo doesn't handle escape sequences the same way..... Whoops. We got to go through and replace all the echo's with printf's. Yes, a bug in our code. However, one totally unexpected, even by any of the large number of Solaris experts, and it didn't crop up on the first several hundred or thousand boxes it was tested on.... And *that* sort of bug is the one that answers the question "How could patching XYZ *possibly* take down a server?"..... -------------- next part -------------- A non-text attachment was scrubbed... Name: not available Type: application/pgp-signature Size: 226 bytes Desc: not available Url : http://lists.grok.org.uk/pipermail/full-disclosure/attachments/20031115/e8be3589/attachment.bin
Powered by blists - more mailing lists