Full Disclosure mailing list archives
Re: Possibility to exploit bash "*" processing
From: GloW - XD <doomxd () gmail com>
Date: Wed, 21 Sep 2011 08:53:04 +1000
Probably because anybody who's used the various Bourne-style shells for a while considers it a feature, not a bug This seems to be true. I was able to write a file to root, using a simple cat > cmd similar, in BSD4.11,but when reporting it, Colin Percival seemed to think it more amusing... they did although patch it being able to write root, as i was able to write over the passwd file and add myself to it :P this was a bug, but not a big one according to the lists at the time, although when you can overwrite root, they might ask you to send them a private post to bugs@kernel ;P lol. have fun... thats not much tho... write a file now to another dir, then its a bug.... and cat maybe could still, it was only ever patched on bsd... problem was in gentoo tho also ;) later and, hope you have fun working with the secteams if you do find a deeper bug ;p look on BSD mailing lists for a cat bug...it is few years ago now but it is there.. i still have the links somewhere but dont have time to search, just lookup the bsd security lists if you need more infos about it or, i could send you the posts from colin when i am in the office and have more time. cheers xd oops, sorry i cc'd valdis, sorry this was aimed at author more,... dont have time to correct things i gotta run On 21 September 2011 04:31, <Valdis.Kletnieks () vt edu> wrote:
On Tue, 20 Sep 2011 13:29:11 +0300, Kirils Solovjovs said:Brought this up a year ago. Seems that no attention has been given to this so far.Probably because anybody who's used the various Bourne-style shells for a while considers it a feature, not a bug. This is a case where the Principle of Least Surprise comes up with different answers for novice users and for experts: "What? A * can expand into an unintended command argument?" "Yeah, what *else* would it do - the shell is just globbing, it doesn't know for sure what the command will do with the parameter". Multics had an alternate solution for this issue - when you issued a command, it would get invoked right then and there and take over terminal input and allow guided completions knowing what the command syntax was (think "love child of getopt and readline" ;) Of course, this doesn't play well with pipes, especially if the pipe further down the line has a redirection that fails.One solution would be to modify "*" processing so that it ignores filenames that start "-" similarly as it ignores filenames that start with "."'No, you don't want to do that. You want to provide an *optional* flag, similar to the shopt settings for 'dotglob', 'extglob', 'failglob', 'globstar', 'nocaseglob', and 'nullglob'. Having said that, a 'shopt dashglob' shouldn't be too hard to implement, as you can do 98% of it based on the already-existing 'dotglob' code, and that's probably the way to address the issue. _______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/
_______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/
Current thread:
- Possibility to exploit bash "*" processing Kirils Solovjovs (Sep 20)
- Re: Possibility to exploit bash "*" processing Valdis . Kletnieks (Sep 20)
- Re: Possibility to exploit bash "*" processing GloW - XD (Sep 20)
- Re: Possibility to exploit bash "*" processing Cédric Jeanneret (Sep 21)
- Re: Possibility to exploit bash "*" processing Jacqui Caren (Sep 21)
- Re: Possibility to exploit bash "*" processing Dan Carpenter (Sep 21)
- Re: Possibility to exploit bash "*" processing Valdis . Kletnieks (Sep 21)
- Re: Possibility to exploit bash "*" processing Andrew Farmer (Sep 21)
- Re: Possibility to exploit bash "*" processing Valdis . Kletnieks (Sep 21)
- Re: Possibility to exploit bash "*" processing Valdis . Kletnieks (Sep 21)
- Re: Possibility to exploit bash "*" processing Valdis . Kletnieks (Sep 20)