From a high level, the Bourne shell script would essentially ssh into each target machine, do its thing, and then exit. As part of its “thing”, the designer of the framework wanted to make sure the script cleaned up after itself so subsequent runs of the framework would not re-process old data. To accomplish this, one of the enhancements after the initial release was to add two cryptic variables that redundantly contained the project name and the version being tested. Utilizing an unpatched flaw in sudo's setup to gain real root access, the script would then do the following as part of the clean-up:
rm -rf $var1/$var2
Ordinarily, this worked just fine, but the co-op student was unaware that these SPECIFIC variables needed to be set. With both left blank, the shell expanded the command to the following when the script ran:
rm -rf /
With the script running as root on a setup with NFS which, in turn, granted access to everything on the entire UNIX/Linux network and a few Windows Servers via SAMBA, the script had a chance to do a good bit of damage… and it did. Home directories, file repositories, customer data, test results, all seemingly evaporated into nothingness.
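The failure above is exactly what a guarded clean-up step should refuse to do. The function below is an added example, not the framework's own code: the names `PROJECT` and `VERSION` stand in for the post's `$var1` and `$var2`, and the base directory is an assumption. It fails closed on an empty, dot, or slash-containing component and never removes the base directory or `/`.

```shell
#!/bin/sh
# Added example, not the original framework's script.
# First line of defence: an unset variable aborts the script instead of
# silently expanding to nothing (the root cause of "rm -rf /").
set -u

# safe_cleanup PROJECT VERSION [BASE]
# Removes BASE/PROJECT/VERSION only when both names are plain directory
# names and the resolved target is an existing directory below BASE.
# Returns 2 for a rejected argument, 1 for a missing target, 0 on success.
safe_cleanup() {
    project=$1
    version=$2
    base=${3:-/tmp/work}   # assumed default work area

    # Each path component must be a real name: not empty (the original
    # bug), not "." or "..", and not containing a slash.
    for name in "$project" "$version"; do
        case "$name" in
            ''|.|..|*/*)
                echo "safe_cleanup: refusing component '$name'" >&2
                return 2 ;;
        esac
    done

    target="$base/$project/$version"

    # Belt and braces: never operate on "/" or on the base itself, and
    # only on something that is actually a directory.
    if [ "$target" = "/" ] || [ "$target" = "$base" ] || [ ! -d "$target" ]; then
        echo "safe_cleanup: '$target' is not a removable work directory" >&2
        return 1
    fi

    # "--" stops a name beginning with "-" from being read as an option.
    rm -rf -- "$target"
}
```

Called with both names empty, the function returns 2 and removes nothing; the original one-liner would have started deleting from `/`.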