insecurity with the IFS variable

Post by Loi » Tue, 16 Jan 2001 03:33:42



I would like to know the problems related to the IFS variable.
Ok, I want to abuse it. I am in a wargame. There is a tool that
has user rights which are superior to mine. They give me a hint.
I should use this prog which runs the unix command date.
Now I simply need to tell that program to execute a command
named pass, to get the password for the next level. The users of
the level above told me it has something to do with the IFS variable.
I would appreciate any help.


Post by J?rgen Perss » Tue, 16 Jan 2001 04:41:20



>I would like to know the problems related to the IFS variable.

[snip]

I never heard of the problem myself until I read about it in a paper
recently:

Enhancing Security of Unix Systems
Danny Smith
Australian Computer Emergency Response Team
c/- Prentice Centre
The University of Queensland
Qld.  4072.

http://www.vtcif.telstra.com.au/pub/docs/security/sert-doc/unix-secur...

<quote>
IFS
One particular type of attack involves the IFS shell variable
(Input Field Separator). This variable is used to indicate what
characters separate input words to the shell. Whilst its functionality
has been largely superseded, it lives on to cause unexpected results.
For example, if a program calls the system() or popen() functions to
execute a command, then that command is parsed by the shell first. If
the user has control over the IFS environment variable, this may cause
unexpected results. A typical scenario might be if the program executes
the following code:

system( "/bin/ls -l ");

If the IFS variable has been set to contain the "/" character and
a malicious program called "bin" is placed in the path of the user
executing the program, then that program will be executed as the shell
will have parsed the line as:

bin ls -l

which executes the program bin (in the current path) passing two
arguments ls and -l. It is for this reason that a program should not
get the shell to parse command lines by using the system(), popen(),
execlp(), or execvp() commands to run some other program.

</quote>

J?rgen


Post by Dan Merc » Wed, 17 Jan 2001 02:00:21





>>I would like to know the problems related to the IFS variable.
> [snip]

> I never heard of the problem myself until I read about it in a paper
> recently:

> Enhancing Security of Unix Systems
> Danny Smith
> Australian Computer Emergency Response Team
> c/- Prentice Centre
> The University of Queensland
> Qld.  4072.

> http://www.vtcif.telstra.com.au/pub/docs/security/sert-doc/unix-secur...

> <quote>
> IFS
> One particular type of attack involves the IFS shell variable
> (Input Field Separator). This variable is used to indicate what
> characters separate input words to the shell. Whilst its functionality
> has been largely superseded, it lives on to cause unexpected results.

IFS mangling is one of the fundamental techniques in advanced
(particularly ksh) scripting.  As for the vulnerability mentioned,
it existed for true Bourne shells only.  The true Bourne shell has
been superseded by posix shells that do not have that vulnerability.
System on HP's has used the posix shell since 9.x (the current
version is 11.11).  

I don't think this has ever been a problem on Linux.

--
Dan Mercer

> For example, if a program calls the system() or popen() functions to
> execute a command, then that command is parsed by the shell first. If
> the user has control over the IFS environment variable, this may cause
> unexpected results. A typical scenario might be if the program executes
> the following code:

> system( "/bin/ls -l ");

> If the IFS variable has been set to contain the "/" character and
> a malicious program called "bin" is placed in the path of the user
> executing the program, then that program will be executed as the shell
> will have parsed the line as:

> bin ls -l

> which executes the program bin (in the current path) passing two
> arguments ls and -l. It is for this reason that a program should not
> get the shell to parse command lines by using the system(), popen(),
> execlp(), or execvp() commands to run some other program.

> </quote>

> J?rgen

Opinions expressed herein are my own and may not represent those of my employer.
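
Whether a given shell still has the behaviour discussed in this thread can be checked directly. The script below is an added example, not part of any post here; the function names are made up for it, and it assumes /bin/sh and /bin/echo exist on the machine being checked.

```shell
#!/bin/sh
# Added example: audit how a shell treats an IFS value inherited from its caller.
# Function names are illustrative. No file named "bin" is created or needed.

# Returns 0 if shell $1 still runs /bin/echo by its full path even though
# IFS=/ was placed in its environment. A shell with the old flaw would look
# for a command called "bin" instead and the check would fail.
command_text_unaffected() {
    shell=${1:-/bin/sh}
    out=$(IFS=/ "$shell" -c '/bin/echo ok' 2>/dev/null) || return 1
    [ "$out" = "ok" ]
}

# Returns 0 if shell $1 discards the inherited IFS and starts with the
# default of space, tab, newline (POSIX permits a shell to do this).
ifs_reset_at_startup() {
    shell=${1:-/bin/sh}
    IFS=/ "$shell" -c 'd=$(printf " \t\nx"); [ "$IFS" = "${d%x}" ]'
}

# Where IFS still matters in a POSIX shell: splitting the result of an
# unquoted expansion. Prints how many fields $p yields when IFS is "/".
expansion_field_count() {
    (
        p=/bin/ls
        IFS=/
        set -f        # no globbing while the expansion is unquoted
        set -- $p     # fields: "", "bin", "ls"
        echo "$#"
    )
}

target=/bin/sh
if command_text_unaffected "$target"; then
    echo "$target: command text is not split on an inherited IFS"
else
    echo "$target: command text WAS affected by an inherited IFS"
fi
if ifs_reset_at_startup "$target"; then
    echo "$target: IFS is reset to the default at startup"
else
    echo "$target: IFS is taken from the environment"
fi
echo "unquoted \$p with IFS=/ splits into $(expansion_field_count) fields"
```

The third check is the reason scripts quote their expansions: a shell that passes the first two checks still applies IFS to the result of an unquoted `$p`.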
 
 
 

1. IFS variable ??

G'day. I think it stands for 'Internal Field Separator'. Basically, it is
the / in file paths. There are ways to exploit a system using this.

This is in the FAQ, where there is a quite detailed explanation.

--
                          "I told you, I'm a demon"
                         Squidge - member *the Guild
