Thread: Old IFS exploit ??

  1. #1
    Junior Member
    Join Date
    Aug 2002

    Old IFS exploit ??

    Can somebody explain the old IFS exploit? Setting the IFS to '/' instead of a ' ' to run another program with escalated privileges...? Something like that... it's been around, but I can't seem to find any webpages that really explain how it's used...

  2. #2
    Senior Member cwk9's Avatar
    Join Date
    Feb 2002
    It's not software piracy. I'm just making multiple off site backups.

  3. #3
    Senior Member
    Join Date
    Mar 2003
    The IFS exploit basically goes like this....

    If the program is setuid ( rwsr-xr-x ) and in a couple of cases even if it is not, and it uses the C function call system() you may be able to fool it by changing your $IFS environmental variable ( IFS is Internal Field Separator ) which changes how the shell delimits directories.

    For example, a program that calls system( "/bin/mount" ); with a modified IFS may be interpreted as bin mount instead of the intended /bin/mount. In this case whatever the first bin the shell comes across as it searches your path will be executed.

    If you have a program in your path named bin ( works best if in your current working directory and that directory comes first in your path ) the setuid program will execute that first. Now suppose that bin is actually some kind of exploit with the name bin that must be run by uid 0 (a.k.a. root ).

    Setting the IFS variable is done like so....

    $ export IFS='/' # for the bash and ksh shells
    % setenv IFS '/' # for csh and tcsh

    Hope that helps a little, and that your interest is benign
    Get OpenSolaris http://www.opensolaris.org/
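
The defensive counterpart to what post #3 describes, as an added example that is not part of the original thread: a privileged program avoids system() and runs its helper by absolute path with execve() and a fixed environment, so neither IFS nor PATH from the caller decides what gets executed. The names run_hardened, demo_hostile_env, CLEAN_ENV and the TAINT variable are hypothetical, and /bin/sh is assumed to exist for the check.

```c
#define _POSIX_C_SOURCE 200809L
#include <stdlib.h>
#include <sys/types.h>
#include <sys/wait.h>
#include <unistd.h>

/* Fixed environment for the child; nothing is inherited from the caller. */
static char *const CLEAN_ENV[] = { "PATH=/usr/bin:/bin", "IFS= \t\n", NULL };

/* Run a program without a shell. Returns its exit status, or -1 on error
 * or when path is not absolute (hypothetical helper, not from the thread). */
int run_hardened(const char *path, char *const argv[])
{
    int status;
    pid_t pid;

    if (path == NULL || path[0] != '/')
        return -1;                      /* never rely on a PATH search */
    pid = fork();
    if (pid < 0)
        return -1;
    if (pid == 0) {
        execve(path, argv, CLEAN_ENV);  /* no shell, so no IFS word splitting */
        _exit(127);                     /* only reached if exec failed */
    }
    if (waitpid(pid, &status, 0) < 0)
        return -1;
    return WIFEXITED(status) ? WEXITSTATUS(status) : -1;
}

/* Constructed check: the caller's environment carries a modified IFS and a
 * marker variable. Returns 0 when the child saw only CLEAN_ENV. */
int demo_hostile_env(void)
{
    char *const argv[] = { "sh", "-c",
        "[ \"$PATH\" = /usr/bin:/bin ] && [ -z \"$TAINT\" ]", NULL };

    setenv("IFS", "/", 1);
    setenv("TAINT", "1", 1);
    return run_hardened("/bin/sh", argv);
}

int main(void)
{
    return demo_hostile_env();
}
```

A setuid program that does not need its privilege for the helper would also drop it in the child before the execve() call and check that the drop succeeded.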

  4. #4
    Junior Member
    Join Date
    Aug 2002
    Thanks, both of you!

