Can somebody explain the old IFS exploit? Setting the IFS to '/' instead of a ' ' to run another program with escalated privileges...? something like that... it's been around, but can't seem to find any webpages that really explain how it's used...
Google turned up this link
http://www.securityfocus.com/bid/454/exploit/
The IFS exploit basically goes like this....
If the program is setuid ( rwsr-xr-x ) and in a couple of cases even if it is not, and it uses the C function call system() you may be able to fool it by changing your $IFS environmental variable ( IFS is Internal Field Separator ) which changes how the shell delimits directories.
For example, a program that calls system( "/bin/mount" ); with a modified IFS may be interpreted as bin mount instead of the intended /bin/mount. In this case whatever the first bin the shell comes across as it searches your path will be executed.
If you have a program in your path named bin ( works best if in your current working directory and that directory comes first in your path ) the setuid program will execute that first. Now suppose that bin is actually some kind of exploit with the name bin that must be run by uid 0 (a.k.a. root ).
Setting the IFS variable is done like so....
$ export IFS='/' # for the bash and ksh shells
% setenv IFS '/' # for csh and tcsh
Hope that helps a little, and that your interest is benign :)
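The weakness described in the post above is that a privileged program hands a path to a shell, so the caller's environment (IFS, PATH) gets a say in how that path is parsed and resolved. The following is an added example written for this page, not code from the thread or from any particular setuid program: it shows the defensive pattern of running a fixed absolute path with execve() and a rebuilt environment instead of system(). The names build_clean_env, env_has and run_fixed are hypothetical, the KEEP list is an assumption about which variables are harmless to pass through, and the sample environment in main() is constructed to mimic a caller who has set IFS and a relative PATH.

```c
#define _POSIX_C_SOURCE 200809L
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <sys/wait.h>

/* Variables allowed to reach the privileged child (assumed list). Everything
 * else, including IFS, PATH and LD_PRELOAD, is dropped so the caller cannot
 * influence how the child or any shell it starts parses commands. */
static const char *const KEEP[] = { "TERM", "LANG", NULL };

/* Build a new NULL-terminated environment holding only KEEP entries found in
 * `env`, plus a fixed PATH. Caller releases it with free_env(). */
char **build_clean_env(char *const env[]) {
    size_t n = 0;
    for (char *const *e = env; *e; e++) n++;
    char **out = calloc(n + 2, sizeof(char *)); /* all kept + PATH + NULL */
    size_t k = 0;
    for (char *const *e = env; *e; e++) {
        const char *eq = strchr(*e, '=');
        if (!eq) continue;                      /* malformed entry, skip */
        size_t len = (size_t)(eq - *e);
        for (const char *const *keep = KEEP; *keep; keep++) {
            if (strlen(*keep) == len && strncmp(*e, *keep, len) == 0) {
                out[k++] = strdup(*e);
                break;
            }
        }
    }
    out[k++] = strdup("PATH=/usr/bin:/bin");   /* fixed, trusted search path */
    out[k] = NULL;
    return out;
}

/* Return 1 if `env` defines a variable called `name`, else 0. */
int env_has(char *const env[], const char *name) {
    size_t len = strlen(name);
    for (char *const *e = env; *e; e++)
        if (strncmp(*e, name, len) == 0 && (*e)[len] == '=') return 1;
    return 0;
}

void free_env(char **env) {
    for (char **e = env; *e; e++) free(*e);
    free(env);
}

/* Run an absolute path without a shell: no word splitting, no PATH lookup,
 * and only the environment we built. Returns the child's exit status, or -1
 * if the path is not absolute or the process could not be run. */
int run_fixed(const char *abs_path, char *const argv[], char *const env[]) {
    if (abs_path[0] != '/') return -1;
    pid_t pid = fork();
    if (pid < 0) return -1;
    if (pid == 0) {
        execve(abs_path, argv, env);
        _exit(127);                             /* exec failed */
    }
    int status;
    if (waitpid(pid, &status, 0) < 0) return -1;
    return WIFEXITED(status) ? WEXITSTATUS(status) : -1;
}

int main(void) {
    /* Constructed caller environment: IFS set to '/', cwd first in PATH. */
    char *sample[] = { "IFS=/", "PATH=.:/bin", "TERM=xterm",
                       "LD_PRELOAD=/tmp/x.so", NULL };
    char **clean = build_clean_env(sample);
    char *argv[] = { "true", NULL };
    /* Where the post's program would call system("/bin/mount"), exec the
     * fixed path directly instead; /bin/true stands in for the helper. */
    int rc = run_fixed("/bin/true", argv, clean);
    printf("child exit status %d, IFS in child env: %d\n", rc, env_has(clean, "IFS"));
    free_env(clean);
    return 0;
}
```

The same rebuilt environment should also be used if the program later does need a shell, since whatever the shell inherits is what the caller controls; the check in run_fixed rejects relative paths so that the "first bin in your path" lookup described above cannot happen at all.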
Thanks, both of you!
slick_shoes