April 19th, 2003, 03:52 AM
Old IFS exploit ??
Can somebody explain the old IFS exploit? Setting the IFS to '/' instead of a ' ' to run another program with escalated privileges...? something like that... it's been around, but can't seem to find any webpages that really explain how its used...
April 19th, 2003, 06:47 AM
It's not software piracy. I'm just making multiple off site backups.
April 19th, 2003, 07:46 AM
The IFS exploit basically goes like this....
If the program is setuid ( rwsr-xr-x ) and in a couple of cases even if it is not, and it uses the C function call system() you may be able to fool it by changing your $IFS environmental variable ( IFS is Internal Field Separator ) which changes how the shell delimits directories.
For example, a program that calls system( "/bin/mount" ); with a modified IFS may be interpreted as bin mount instead of the intended /bin/mount. In this case whatever the first bin the shell comes across as it searches your path will be executed.
If you have a program in your path named bin ( works best if in your current working directory and that directory comes first in your path ) the setuid program will execute that first. Now suppose that bin is actually some kind of exploit with the name bin that must be run by uid 0 (a.k.a. root ).
Setting the IFS variable is done like so....
$ export IFS='/' # for the bash and ksh shells
% setenv IFS='/' # for csh and tcsh
Hope that helps a little, and that your interest is benign
Get OpenSolaris http://www.opensolaris.org/
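As an added, defender-side example (not code from any poster in this thread), here is the shape a privileged helper should take so the IFS trick described above has nothing to bite on: no system(), no shell, the target named by absolute path and started with execve() under a fixed environment that the caller cannot influence. The PATH value and the exit-code probe are constructed for the example.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <sys/wait.h>

/* Environment handed to the child: a fixed PATH and the default IFS,
 * nothing inherited from the invoking user (values constructed here). */
static char *const SAFE_ENV[] = { "PATH=/usr/bin:/bin", "IFS= \t\n", NULL };

/* 1 if an IFS value is unset or the shell default, 0 if it was altered. */
int ifs_is_default(const char *ifs)
{
    return ifs == NULL || strcmp(ifs, " \t\n") == 0;
}

/* Run abs_path with argv under SAFE_ENV, bypassing the shell entirely.
 * Returns the child's exit status, or -1 on a refused path or a failure. */
int run_fixed(const char *abs_path, char *const argv[])
{
    if (abs_path == NULL || abs_path[0] != '/')
        return -1;                      /* absolute paths only: no PATH lookup */

    pid_t pid = fork();
    if (pid < 0)
        return -1;
    if (pid == 0) {
        execve(abs_path, argv, SAFE_ENV);   /* no system(), no "/bin/sh -c" */
        _exit(127);                         /* only reached if execve failed */
    }
    int status;
    if (waitpid(pid, &status, 0) < 0 || !WIFEXITED(status))
        return -1;
    return WEXITSTATUS(status);
}

int main(void)
{
    /* A tampered IFS is worth logging even though it is ignored below. */
    if (!ifs_is_default(getenv("IFS")))
        fprintf(stderr, "warning: caller set IFS; not passing it to the child\n");

    char *const args[] = { "sh", "-c", "exit 3", NULL };
    printf("exit status: %d\n", run_fixed("/bin/sh", args));
    return 0;
}
```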
April 20th, 2003, 12:06 AM
Thanks, both of you!