See also the sudo bad environment variable list[1], which I recently found a 15-year-old typo in.[2]

[1]: https://github.com/sudo-project/sudo/blob/master/plugins/sudoers/env.c#L138
[2]: https://www.sudo.ws/repos/sudo/rev/bdf9c9e7f455
I did something like this once. My University had a full-screen kiosk browser that was locked down. Well, it turns out that you could "customize" Firefox, add in a missing button, get to the print screen and change the executable from "lpr" to $TERM, which would immediately pop a shell.

Good times.
This was a huge component of a 2020 DEFCON CTF qualifier challenge that only Samurai and PPP solved, where you had to get code execution or arbitrary file read out of as many setuid binaries as possible, after installing basically every CLI Debian package and changing them to setuid.

There are some very interesting ways to load shared objects or read files with environment variables, and we even found ways to leverage common libraries like readline and gconv to pop apps that used them.
> An unexpected exception to this is the antigravity module. The Python developers included an easter egg in 2008 which can be triggered by running import antigravity. This import will immediately open your browser to the xkcd comic that joked that import antigravity in Python would grant you the ability to fly.

> As for how the antigravity module opens your browser, it uses another module from the standard library called webbrowser. This module checks your PATH for a large variety of browsers, including mosaic, opera, skipstone, konqueror, chrome, chromium, firefox, links, elinks and lynx. It also accepts an environment variable BROWSER that lets you specify which process should be executed.

It was the possibility of security vulnerabilities that made software companies (more specifically Microsoft[0]) eschew easter eggs. Every feature, every line of code potentially increases your attack surface, especially if it interacts with other features.

0. https://docs.microsoft.com/en-us/archive/blogs/larryosterman/why-no-easter-eggs
> A generic solution for Ruby has not been found yet. Ruby does accept an environment variable RUBYOPT to specify command-line options. The man page states that RUBYOPT can contain only -d, -E, -I, -K, -r, -T, -U, -v, -w, -W, --debug, --disable-FEATURE and --enable-FEATURE. The most promising option is -r which causes Ruby to load the library using require. However, this is limited to files with an extension of .rb or .so.

Interesting - could the -r option load a .so file with a .ctor section?
I understand this kind of technique was common for attacking unsafe CGI web servers in the old days.

I wonder whether it is still the case nowadays. Is CGI still being used?
Regarding Python scripts: All Python scripts runnable by more than one user should really have the “-I” option on the shebang line; this, among other things, ignores all PYTHON* environment variables. (Note: Python 3 only.)
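As an added example (not from the thread), a small audit script for this comment's advice: it classifies a Python shebang by whether the interpreter is given -I (or at least -E, which is what -I implies for PYTHON* variables), and walks a directory for group- or world-executable Python scripts that lack it. The `env -S` handling and reading only the first 512 bytes of each file are my own assumptions.

```python
import os
import re
import shlex
import stat

# Interpreter basenames treated as Python: python, python3, python3.11, ...
PYTHON_RE = re.compile(r"^python(\d+(\.\d+)?)?$")


def python_shebang_flags(shebang):
    """Short-option letters given to Python on a shebang line; None if not Python."""
    line = shebang.rstrip("\r\n")
    if not line.startswith("#!"):
        return None
    parts = shlex.split(line[2:])
    if parts and os.path.basename(parts[0]) == "env":
        parts = parts[1:]
        if parts and parts[0] == "-S":  # `env -S` re-splits the rest of the line
            parts = parts[1:]
        elif len(parts) > 1:
            # Linux hands the interpreter everything after it as ONE argument, so
            # `env python3 -I` never reaches python3 with -I: ignore such flags.
            parts = parts[:1]
    if not parts or not PYTHON_RE.match(os.path.basename(parts[0])):
        return None
    return "".join(a[1:] for a in parts[1:] if a.startswith("-") and a[1:2] != "-")


def ignores_python_env(shebang):
    """True if PYTHON* vars are ignored (-I implies -E), False if a Python shebang
    lacks them, None for non-Python scripts."""
    flags = python_shebang_flags(shebang)
    return None if flags is None else ("I" in flags or "E" in flags)


def audit(root):
    """Paths under `root` executable by group/others whose Python shebang is not isolated."""
    findings = []
    for dirpath, _, names in os.walk(root):
        for name in names:
            path = os.path.join(dirpath, name)
            try:
                mode = os.stat(path).st_mode
                if not stat.S_ISREG(mode) or not mode & (stat.S_IXGRP | stat.S_IXOTH):
                    continue
                with open(path, "rb") as fh:
                    first = fh.readline(512).decode("utf-8", "replace")
            except OSError:
                continue
            if ignores_python_env(first) is False:
                findings.append(path)
    return findings
```

Run `audit("/usr/local/bin")` (or wherever shared scripts live) and fix each reported shebang; note that `#!/usr/bin/env python3` cannot carry -I on Linux without `env -S`.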