remote command execution in 'tattle'

To: bugtraq@xxxxxxxxxxxxxxxxx
Subject: remote command execution in 'tattle'
From: "b0iler" <b0iler@xxxxxxxxxxxx>
Date: Tue, 7 Jun 2005 11:17:49 +0100 (BST)
Importance: Normal
List-help: <mailto:bugtraq-help@securityfocus.com>
List-id: <bugtraq.list-id.securityfocus.com>
List-post: <mailto:bugtraq@securityfocus.com>
List-subscribe: <mailto:bugtraq-subscribe@securityfocus.com>
List-unsubscribe: <mailto:bugtraq-unsubscribe@securityfocus.com>
Mailing-list: contact bugtraq-help@xxxxxxxxxxxxxxxxx; run by ezmlm
User-agent: team r00thell mail

Hello, a recent bugtraq posting by CISSP C.J. Steele contains a vulnerability 
which will leave
a box possibly open for remote command execution.  There are many ways to 
exploit this, but I
chose logging in through ftp with username like

sshd rhost 9 10 11 |rm${IFS}-rf${IFS}/|echo'1.1.1.1'

because of poor input validation and improper use of system calls in tattle 
this will execute
the rm -rf / and echo'1.1.1.1' commands.  I would assume that in many cases 
tattle would be
running as root.  The problem is in the getemails subroutine on the line my 
$whois =
`/usr/bin/whois $tld`;

Author not notified.  I believe he reads this list.
Suggested workaround.  Disable tattle until patch.

Prev by Date: FreeBSD Security Advisory FreeBSD-SA-05:12.bind9
Next by Date: xmysqladmin insecure temporary file creation
Previous by thread: FreeBSD Security Advisory FreeBSD-SA-05:12.bind9
Next by thread: xmysqladmin insecure temporary file creation
Index(es):
- Date
- Thread