CVE-1999-1540
Description
Cactus Software Shell Lock 2.1.1.1 uses trivial encoding, letting attackers easily recover hidden shell code or execute arbitrary code if the binary is setuid root.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Vulnerability
Cactus Software's shell-lock version 2.1.1.1 uses a trivial encoding mechanism to obfuscate shell code stored in a "compiled" binary [1]. The obfuscation is easily reversible, and the source shell script can be recovered by anyone with read access to the file. Additionally, the binary itself may contain the un-encoded script accessible through standard file inspection tools [1].
Exploitation
An attacker with local read access to a shell-locked binary can retrieve the original shell script. This requires no authentication beyond being able to read the file. For setuid root binaries produced by shell-lock, any local user can execute arbitrary commands as root by placing a malicious executable in the path that matches a command invoked by the script [1]. The underlying issue is that shell-lock does not secure the shell code; it only trivially encodes it.
Impact
Successful exploitation leads to full disclosure of the hidden shell source code, compromising any secrets or logic it contains. If the binary is setuid root, the attacker gains arbitrary command execution with root privileges, completely compromising the system [1].
Mitigation
As of the advisory date (October 4, 1999), the vendor had been notified but no patch had been released [1]. Users are advised not to use shell-lock for setuid binaries and to treat any shell-locked binary as if the original script were world-readable. No further updates or CVE records exist indicating a fixed version.
AI Insight generated on May 24, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- cpe:2.3:a:cactus_software:shell-lock:*:*:*:*:*:*:*:*
- (no CPE)
Patches
No patches discovered yet.
References (3)
News mentions
No linked articles in our index yet.