Operator Shell (osh) main.c allows execution of code

osh-main-execute-code (23091) The risk level is classified as High Risk

Description:

Operator Shell (osh) could allow a local attacker to gain privileges. A local attacker could inject specially crafted environment variables through the environment variable substitution code in main.c, causing osh to load malicious shared libraries and allowing execution of arbitrary code with root privileges.
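
The CVE-2005-3346 entry under References attributes the flaw to appending argument text to the buffer a getenv call returns. The following C sketch is an added example, not osh source code or the vendor's patch, and shows a substitution routine that avoids that pattern. The helper name expand_arg and its return convention are assumptions made for illustration.

```c
#include <ctype.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/*
 * Added example, not osh source. expand_arg() is a hypothetical helper.
 * Expands a leading "$VAR" in arg into the caller's buffer `out`.
 * The unsafe pattern named in CVE-2005-3346 is appending to the pointer
 * getenv() returns; the C standard says that string must not be modified.
 * Here the getenv() result is only read, never used as a destination.
 * Returns 0 on success, -1 if VAR is unset/invalid or the result won't fit.
 */
int expand_arg(const char *arg, char *out, size_t outsz)
{
    const char *val = "";
    const char *rest = arg;

    if (arg[0] == '$') {
        char name[64];
        size_t len = 0;

        /* Variable name is the run of [A-Za-z0-9_] after '$'. */
        while (isalnum((unsigned char)arg[1 + len]) || arg[1 + len] == '_')
            len++;
        if (len == 0 || len >= sizeof name)
            return -1;
        memcpy(name, arg + 1, len);
        name[len] = '\0';

        val = getenv(name);          /* read-only view of the environment */
        if (val == NULL)
            return -1;
        rest = arg + 1 + len;        /* e.g. "/EVAR=arg" stays plain data */
    }

    /* Bounded copy into our own storage; reject instead of truncating. */
    int n = snprintf(out, outsz, "%s%s", val, rest);
    return (n < 0 || (size_t)n >= outsz) ? -1 : 0;
}

int main(int argc, char **argv)
{
    char buf[4096];
    if (argc > 1 && expand_arg(argv[1], buf, sizeof buf) == 0)
        puts(buf);
    return 0;
}
```

With this shape, an argument of the form $VAR/EVAR=arg ends up as ordinary path text in the caller's buffer, and the process environment is left unchanged.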


Consequences:

Gain Privileges

Remedy:

Upgrade to the latest version of osh (1.7-15 or later) available from the osh Web site. See References.

For Debian GNU/Linux:
Refer to DSA-918-1 for patch, upgrade, or suggested workaround information. See References.

References:

  • Debian Bug report logs - #338312 - Original Advisory: osh: Environment Variable Input Validation Bug.
  • Osh Web site: osh - What is osh.
  • BID-15370: Mike Neuman OSH Environment Variable Buffer Overflow Vulnerability
  • CVE-2005-3346: Buffer overflow in the environment variable substitution code in main.c in OSH 1.7-14 allows local users to inject arbitrary environment variables, such as LD_PRELOAD, via pathname arguments of the form $VAR/EVAR=arg, which cause the EVAR portion to be appended to a buffer returned by a getenv function call.
  • DSA-918: osh -- programming error
  • OSVDB ID: 20720: Operator Shell (osh) main.c Environment Variable Substitution Local Privilege Escalation
  • SA17527: osh Environment Variable Substitution Vulnerability
  • VUPEN/ADV-2005-2378: Operator Shell (osh) Environment Variable Substitution Vulnerability

Platforms Affected:

  • Debian Debian Linux 3.0
  • Debian Debian Linux 3.1
  • Gunnar Ritter osh 1.7-14

Reported:

Nov 10, 2005

The information within this database may change without notice. Use of this information constitutes acceptance for use in an AS IS condition. There are NO warranties, implied or otherwise, with regard to this information or its use. Any use of this information is at the user's risk. In no event shall the author/distributor (IBM Internet Security Systems X-Force) be held liable for any damages whatsoever arising out of or in connection with the use or spread of this information.

For corrections or additions please email xforce@iss.net