Open Source and information security mailing list archives
Message-ID: <200311151544.hAFFioLa024431@turing-police.cc.vt.edu>
From: Valdis.Kletnieks at vt.edu (Valdis.Kletnieks@...edu)
Subject: SSH Exploit Request 

On Fri, 14 Nov 2003 22:21:30 PST, Jeremiah Cornelius said:

> Solaris ('til v 7, at least) keeps a Berkeley-syntax shutdown in 
> /usr/ucb/bin/

Remember what I said about "what happens if you set your root login shell to be
/usr/local/bin/glitzy-shell?".  Well, I've got a nice story about Solaris and 
/usr/ucb.

I'm one of the gang of unindicted co-conspirators who are to blame for the
Center for Internet Security benchmarks.  One of the things the Solaris
benchmark includes is cut-and-paste code to implement each recommendation.  So
anyhow, we get feedback from one site, complaining that some of their
configuration files now have literal backslash tee backslash tee backslash tee
where there should be a sequence of 3 tabs.

I finally tracked that one down to the fact that the Solaris shell 'echo'
builtin actually *checks* $PATH to see if /usr/ucb is in it, and if so, if it's
before or after /usr/bin, and then emulates a SysV or BSD echo.  And the BSD
echo doesn't handle escape sequences the same way.....  Whoops. We got to go
through and replace all the echos with printfs.

Yes, a bug in our code.  However, one totally unexpected, even by any of the
large number of Solaris experts, and it didn't crop up on the first several
hundred or thousand boxes it was tested on....

And *that* sort of bug is the one that answers the question "How could patching
XYZ *possibly* take down a server?".....
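The Solaris /bin/sh PATH-sniffing echo described above cannot be reproduced on another platform, but the general failure mode can: whether `echo` expands `\t` depends on the shell and its configuration (bash leaves it literal unless xpg_echo is set, dash expands it), while `printf` is specified by POSIX and behaves the same everywhere. The following is an added example, not code from the original post or from the CIS benchmark. It shows the fragile echo form beside the printf form the benchmark moved to, and a check that finds config files already written with literal `\t\t\t`. The function names and the sample key/value are illustrative assumptions.

```bash
#!/bin/sh
# Added example: portable emission of tab-separated config lines, plus a
# check for the "literal \t" corruption described in the post.

# write_setting KEY VALUE
# Emits "KEY<TAB><TAB><TAB>VALUE\n" using printf, whose handling of
# backslash escapes in the format string is fixed by POSIX. This is the
# form that works regardless of which echo the shell provides.
write_setting() {
    printf '%s\t\t\t%s\n' "$1" "$2"
}

# write_setting_echo KEY VALUE
# The fragile form: on a BSD-style echo (or bash with default settings)
# this prints the six characters \t\t\t literally instead of three tabs;
# on a SysV/XPG-style echo (dash, Solaris /bin/sh with /usr/bin first in
# PATH) it prints real tabs. Kept only to show the difference.
write_setting_echo() {
    echo "$1\t\t\t$2"
}

# count_tabs STRING
# Prints the number of real tab characters in STRING.
count_tabs() {
    printf '%s' "$1" | tr -cd '\t' | wc -c | tr -d ' '
}

# echo_interprets_escapes
# Returns 0 if this shell's echo turns "\t" into a tab, 1 if it is
# echoed literally. Useful as a pre-flight check before trusting echo
# in a hardening script.
echo_interprets_escapes() {
    tab=$(printf '\t')
    case "$(echo 'a\tb')" in
        "a${tab}b") return 0 ;;
        *)          return 1 ;;
    esac
}

# has_literal_backslash_t FILE
# Returns 0 if FILE contains the two-character sequence backslash-t,
# i.e. a config file that was written by a non-expanding echo.
has_literal_backslash_t() {
    grep -qF '\t' "$1"
}

# Demonstration on a constructed temporary file (sample data, not from
# any real system):
tmp=$(mktemp)
write_setting_echo umask 027 > "$tmp"
if has_literal_backslash_t "$tmp"; then
    printf 'echo wrote literal \\t sequences; rewriting with printf\n'
    write_setting umask 027 > "$tmp"
fi
printf 'tabs in result: %s\n' "$(count_tabs "$(cat "$tmp")")"
rm -f "$tmp"
```

Running this under bash (default settings) prints the "rewriting" message and then `tabs in result: 3`; under dash or a SysV-style sh the first write already contains real tabs and the rewrite is skipped, but the final count is 3 either way, which is the point: the printf path is the one whose output does not depend on the shell.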
