Re: Directory name problem...

Michael H. Warfield (mhw@wittsend.com)
Sun, 25 Oct 1998 14:38:19 -0500 (EST)


Mark Jefferys enscribed thusly:
> On Sun, Oct 25, 1998 at 05:00:25PM +0000, Riley Williams wrote:

> % Already tried, and he's not interested, but I did find out what script
> % he's using...
> %
> % Q> #!/bin/sh
> % Q> XYZZY="`find / -name core`"
> % Q> for LOOP in `find $XYZZY | sort -ru` ; do
> % Q> rm -fr $LOOP
> % Q> done

You have GOT to be kidding me!?!?!

> <sigh>

> mkdir -p "evil /how/did/this/get/deleted/I/needed/that /core"

Oh beautiful! How about this instead... If you know the name
of the script (say /usr/local/stupid_BOFH_admin/rmcore) then use this
instead:

mkdir -p "BOFH /usr/local/stupid_BOFH_admin/rmcore /core"

Or how about this:

mkdir -p '"BOFH | chmod 666 /etc/passwd" /core'

Or...

mkdir -p '"BOFH ; chmod 666 /etc/passwd" /core'

Watch precise quoting carefully. That may take a little fine
tuning but you get the point...

Salt suitably to annoy said Admin and teach error of ways...

Slip appropriate shell meta characters in there and you can execute
ANYTHING! As root!

You could even create a few scripts named core and precede them
with appropriate shell meta characters in their lead up path and get the
blinken thing to run your scripts as root every time he runs that script.
Throw in a few symlinks into the mix and the possibilities for mayhem
are incredible.

Man... If I really get warmed up, I could dredge up a few goodies
from bugtraq. With that one simple script he has managed to compromise
the security of the entire system!

Hmmm... Thinking of BOFH. This would be a good spot to turn the
tables and try out some of the more creative BOFH ideas...

> I find this to be truly sad.

I find this criminally dangerous. If he gets informed that this
script introduces a major serious security flaw in his system he is negligent.
If you fail to inform him of it, you may be. Got any whistle blower
protection? Warn his boss and then demonstrate that he's a moron.

> % Apparently, the version I use (and show above) is "too simple to do
> % the job"...and the version he uses was written for him by his son,
> % who's doing Comp Sci on Solaris at school - aged 14 !!!

I know some 14 year olds who would hang their heads in shame at that
script.

> <double sigh>

> And you can't even tell him why this script is so bad (and inefficient)
> without insulting his progeny...

That script has already insulted his progeny.

> Does this sysadmin want to delete all dirs named "core", or is he just
> worried that the simple version will miss some of the files? In the
> latter case you might be able to convince him that his son thought he
> wanted to solve the latter problem, and that while the good script is
> "too simple" for the latter case, it's perfect for the former.

> Mark

> -
> To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
> the body of a message to majordomo@vger.rutgers.edu
> Please read the FAQ at http://www.tux.org/lkml/

Mike

-- 
 Michael H. Warfield    |  (770) 985-6132   |  mhw@WittsEnd.com
  (The Mad Wizard)      |  (770) 925-8248   |  http://www.wittsend.com/mhw/
  NIC whois:  MHW9      |  An optimist believes we live in the best of all
 PGP Key: 0xDF1DD471    |  possible worlds.  A pessimist is sure of it!
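
A hardened counterpart to the quoted script, added here as an example and not code from the thread: `find` hands each path to the child shell as a separate argument, so names are never re-split or re-parsed, and only regular files that carry an ELF core header are removed. The names `rm_cores` and `CHECK`, the `list` mode and the ELF header test are assumptions of this example.

```shell
#!/bin/sh
# Added example (not from the thread). rm_cores and CHECK are hypothetical names.
# Paths reach the child shell as separate arguments via "-exec ... {} +", so
# whitespace or metacharacters in a directory name are never re-split or re-run.

# Per-file check: keep anything that is not an ELF core dump.
# Assumption: cores are ELF, i.e. magic 7f 45 4c 46 and e_type (bytes 16-17)
# equal to ET_CORE (4) in either byte order.
CHECK='
mode=$1; shift
for f in "$@"; do
    hdr=$(od -An -tx1 -N18 < "$f" | tr -d " \n")
    case $hdr in
        7f454c46????????????????????????0400) ;;   # little-endian ET_CORE
        7f454c46????????????????????????0004) ;;   # big-endian ET_CORE
        *) continue ;;                             # merely named "core"
    esac
    if [ "$mode" = delete ]; then
        rm -f -- "$f"
    else
        printf "%s\n" "$f"
    fi
done'

# rm_cores ROOT [list]
#   -xdev    stay on one filesystem (skips /proc, NFS mounts, ...)
#   -type f  regular files only: directories and symlinks named core are left
rm_cores() {
    find "$1" -xdev -type f -name core \
        -exec sh -c "$CHECK" sh "${2:-delete}" {} +
}
```

Pass `list` as the second argument to review what would be removed before running it for real.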
