Randy McMurchy wrote:
> I'm not against fixing this. I just felt it to be unnecessary.
> How can this be exploited?
[Wild guess follows, completely untested]

User A builds TCL as follows:

    # assuming that /tmp/tcl-build doesn't initially exist
    # 1) create it with some secure permissions
    #    so that nobody else can modify stuff in it
    #    during TCL build. Normally this would be secure.
    mkdir -m700 /tmp/tcl-build
    # 2) go there
    cd /tmp/tcl-build
    # 3) unpack sources
    tar xf /sources/tcl8.4.15-src.tar.gz
    cd tcl8.4.15
    # 4) do what the book says

Then tclConfig.sh will contain the "/tmp/tcl-build" string in it.

Then user A shuts down the machine. After a reboot, /tmp/tcl-build is gone.

On the next day, user B notices that tclConfig.sh contains this string, and places his own (modified) headers there. The modification is, say, that some frequently-called function is defined as a macro or "static inline" instead, and, in addition to doing its usual work, modifies /etc/passwd if uid==0.

User A then attempts to build, say, graphviz-2.8 (package found by searching Google for "tcl_src_dir -tclConfig.sh"), using the same procedure, in /tmp/graphviz-build. The build picks up the trojaned header, because Makefile.am contains "AM_CPPFLAGS = ... [EMAIL PROTECTED]@/generic ...".

The end result is: when unsuspecting user A does a "su -" and then runs some script that uses graphviz via its TCL binding, the /etc/passwd entry of user B gets modified, giving him root.

Or consider another variant:

You, as user randy, build (in your home directory, /home/randy) a binary package of tcl for me, with this bug. I install it on my machine without inspection. Another (evil) Randy that has ssh access to my machine notices the bug, creates (as he has the right to do) the needed directories in his home directory (/home/randy), and places a trojaned header there. I build and install graphviz, and it gets the trojaned code. Then I run (as root) an application that uses graphviz via its TCL binding, and the trojan code gets executed.
Without the bug, the graphviz build process wouldn't even look in the build directory, and there is no chance for the evil Randy to plant a trojan.

-- 
Alexander E. Patrakov
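As an added audit check (not code from the thread or from the Tcl or BLFS projects), a POSIX sh script that reads the build-tree paths recorded in a tclConfig.sh and flags any that a downstream build would trust but that no longer exist or that other users can write to. It assumes the tclConfig.sh variable names TCL_SRC_DIR (named above) and TCL_BUILD_LIB_SPEC, TCL_BUILD_STUB_LIB_SPEC and TCL_BUILD_STUB_LIB_PATH; the tclConfig.sh it is run against in the usage is constructed for illustration.

```sh
#!/bin/sh
# check_tclconfig: flag build-tree paths in a tclConfig.sh that a
# downstream build (such as the graphviz TCL binding) would use as an
# include or link path, but which an unprivileged user could recreate
# or modify. Assumed variable names: TCL_SRC_DIR and the TCL_BUILD_*
# entries of tclConfig.sh; any other variable is ignored.

# Print the single-quoted value of variable $2 from tclConfig.sh file $1.
tcl_var() {
    sed -n "s/^$2='\(.*\)'\$/\1/p" "$1" | head -n 1
}

# Return 0 if a path is safe to trust from a build, 1 if it is risky:
# missing (anyone who can write the parent can recreate it, as with
# /tmp/tcl-build after a reboot) or group/world writable.
path_is_safe() {
    p=$1
    # Strip a leading -L or -I flag and keep only the first word,
    # so "-L/tmp/tcl-build/unix -ltcl8.4" yields /tmp/tcl-build/unix.
    case "$p" in
        -L*|-I*) p=${p#-?} ;;
    esac
    p=$(printf '%s\n' "$p" | sed 's/ .*//')
    [ -n "$p" ] || return 0
    [ -e "$p" ] || return 1
    # Columns 6 and 9 of "ls -ld" are the group and other write bits.
    perm=$(ls -ld "$p" | cut -c6,9)
    case "$perm" in
        *w*) return 1 ;;
    esac
    return 0
}

# Scan a tclConfig.sh, print each risky variable and return their count.
check_tclconfig() {
    bad=0
    for var in TCL_SRC_DIR TCL_BUILD_LIB_SPEC \
               TCL_BUILD_STUB_LIB_SPEC TCL_BUILD_STUB_LIB_PATH; do
        val=$(tcl_var "$1" "$var")
        [ -n "$val" ] || continue
        if ! path_is_safe "$val"; then
            echo "RISKY: $var='$val'"
            bad=$((bad + 1))
        fi
    done
    return "$bad"
}

# Usage: check_tclconfig /usr/lib/tclConfig.sh; exit status is the count.
if [ "$#" -eq 1 ]; then check_tclconfig "$1"; fi
```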
