
⟩ How do I gain root from a suid script or program?

1. Change IFS.

If the shell script calls any other programs using the system() function call, you may be able to fool it by changing IFS. IFS is the Internal Field Separator that the shell uses to delimit arguments.

If the program contains a line that looks like this:

system("/bin/date")

and you change IFS to '/', the shell will then interpret the preceding line as:

bin date

Now, if you have a program of your own in the path called "bin", the suid program will run your program instead of /bin/date.

To change IFS, use this command:

set IFS '/'
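The reason item 1 works is that system() hands the command string to /bin/sh, which honours whatever IFS and PATH the caller exported. The following added example (written for this page, not from the original FAQ) shows the defender's side: a privileged program that runs the same /bin/date without a shell, with a fixed environment and an absolute path, so the caller's IFS and PATH never reach the child. The helper names run_fixed and is_safe_abs_path are my own.

```c
/* Added example: a privileged program that must not trust the caller's
 * environment. system("/bin/date") lets /bin/sh split the string using the
 * caller's IFS; here the program execs the absolute path directly and passes
 * its own minimal environment, so inherited IFS and PATH are never consulted. */
#define _POSIX_C_SOURCE 200809L
#include <string.h>
#include <unistd.h>
#include <sys/wait.h>

/* Fixed environment for the child: a known PATH, nothing inherited. */
static char *const SAFE_ENV[] = { "PATH=/usr/bin:/bin", NULL };

/* Returns 1 if 'path' is absolute and contains no whitespace or shell
 * metacharacters, i.e. something acceptable to hand to execve(). */
int is_safe_abs_path(const char *path)
{
    if (path == NULL || path[0] != '/')
        return 0;
    return strpbrk(path, " \t\n;|&$`'\"<>()") == NULL;
}

/* Runs 'path' with 'argv' and the fixed environment, never via /bin/sh.
 * Returns the child's exit status (127 if exec failed), or -1 on error. */
int run_fixed(const char *path, char *const argv[])
{
    if (!is_safe_abs_path(path))
        return -1;
    pid_t pid = fork();
    if (pid < 0)
        return -1;
    if (pid == 0) {
        execve(path, argv, SAFE_ENV);   /* no shell, no inherited IFS */
        _exit(127);                     /* only reached if exec failed */
    }
    int status;
    if (waitpid(pid, &status, 0) < 0)
        return -1;
    return WIFEXITED(status) ? WEXITSTATUS(status) : -1;
}

int main(void)
{
    /* The FAQ's example command, run without a shell in between. */
    char *const argv[] = { "date", NULL };
    return run_fixed("/bin/date", argv) == 0 ? 0 : 1;
}
```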

2. Link the script to -i

Create a symbolic link named "-i" to the program. Running "-i" will cause the interpreter shell (/bin/sh) to start up in interactive mode. This only works on suid shell scripts.

Example:

% ln suid.sh -i
% -i
#

3. Exploit a race condition

Replace a symbolic link to the program with another program while the kernel is loading /bin/sh.

Example:

nice -19 suidprog ; ln -s evilprog suidroot

4. Send bad input to the program.

Invoke the name of the program and a separate command on the same command line.

Example:

suidprog ; id
