On 11/29/06, Stefan Fritsch <[EMAIL PROTECTED]> wrote:
> I didn't have time yet to look at it thoroughly (or test it), but
> AFAICS you now check the file for existence before passing it to the
> shell. This should convert the remote command execution vuln into a
> local privilege escalation. A local user can do
>
> touch '/tmp/`touch /tmp/hello`'

I think I understand how this is supposed to work, but I can't execute
this to create a file containing the ticks in it. Is this supposed to
work?

hostname:~$ touch '/tmp/`touch /tmp/hello`'
touch: cannot touch `/tmp/`touch /tmp/hello`': No such file or directory
hostname:~$ ls /tmp
flashgot.lfb3lmyf.default/  .ICE-unix/     ksocket-camrdale/  .X0-lock
gpg-ovJV8Y/                 kde-camrdale/  ssh-PRXIyZ3903/    .X11-unix/

I tried lots of variations on escaping the quotes, but nothing would
cause this to create a file with ticks in it. What am I doing wrong?

Cameron
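
The point raised in the quoted review, that an existence check does not make a file name safe to hand to a shell, shown as an added example that is not part of the original thread or of the program under discussion. The function names and the `ls -l` command are assumptions standing in for code the thread does not show; the file name is constructed and only creates a marker file inside a scratch directory.

```shell
#!/bin/sh
# Constructed demo: whoever can create a file chooses its name, so
# "the file exists" says nothing about whether the name is shell-safe.

# Hypothetical "before": existence check, then the name is spliced into a
# command string that a second shell parses again.
check_then_shell() {
    [ -e "$1" ] || return 1
    sh -c "ls -l $1" >/dev/null 2>&1
}

# Hardened form: same check, but the name travels as a single argument and
# is never re-parsed; "--" also stops names starting with "-" acting as options.
check_then_argv() {
    [ -e "$1" ] || return 1
    ls -l -- "$1" >/dev/null 2>&1
}

# Runs handler $1 on a constructed file whose name contains a backtick
# command substitution. Returns 0 if the embedded command ran (the marker
# file appeared), 1 if the name was treated purely as data.
name_was_executed() {
    work=$(mktemp -d) || return 2
    (
        cd "$work" || exit 2
        # A file name cannot contain "/", so the constructed name has none.
        name='`touch marker`'
        : > "$name"
        "$1" "$name"
        [ -e marker ]
    )
    rc=$?
    rm -rf "$work"
    return $rc
}

for handler in check_then_shell check_then_argv; do
    if name_was_executed "$handler"; then
        echo "$handler: embedded command ran"
    else
        echo "$handler: name treated as data"
    fi
done
```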

