oss-sec mailing list archives
Re: CVE-2016-0634 -- bash prompt expanding $HOSTNAME
From: Chet Ramey <chet.ramey () case edu>
Date: Fri, 16 Sep 2016 15:46:51 -0400
On 9/16/16 12:16 PM, John Haxby wrote:
Hello All, A little while ago, one of our users discovered that by setting the hostname to $(something unpleasant), bash would run "something unpleasant" when it expanded \h in the prompt string.
I finally got this message, three hours later. I assume you're using $HOSTNAME as a shorthand; bash only uses the return value from gethostname(). It's unlikely that something like this could be accomplished without existing privilege. If you have a fake DHCP server on your network, for instance, you have massive problems aside from this issue. If someone sets the hostname on the local machine, he already has privilege.
I believe the fix in parse.y is this (Chet, please correct me if I'm wrong):
Yes, that is the current fix for this. There are other ways to do it. This issue has been public since October, 2015, in Ubuntu's bash bug database. https://bugs.launchpad.net/ubuntu/+source/bash/+bug/1507025 -- ``The lyf so short, the craft so long to lerne.'' - Chaucer ``Ars longa, vita brevis'' - Hippocrates Chet Ramey, UTech, CWRU chet () case edu http://cnswww.cns.cwru.edu/~chet/
Current thread:
- CVE-2016-0634 -- bash prompt expanding $HOSTNAME John Haxby (Sep 16)
- Re: CVE-2016-0634 -- bash prompt expanding $HOSTNAME Jan Schaumann (Sep 16)
- Re: CVE-2016-0634 -- bash prompt expanding $HOSTNAME Chet Ramey (Sep 16)
- Re: CVE-2016-0634 -- bash prompt expanding $HOSTNAME John Haxby (Sep 18)
- Re: CVE-2016-0634 -- bash prompt expanding $HOSTNAME Seth Arnold (Sep 19)
- Re: CVE-2016-0634 -- bash prompt expanding $HOSTNAME John Haxby (Sep 20)
- Re: CVE-2016-0634 -- bash prompt expanding $HOSTNAME Chet Ramey (Sep 16)
- Re: CVE-2016-0634 -- bash prompt expanding $HOSTNAME Jan Schaumann (Sep 16)
- Re: CVE-2016-0634 -- bash prompt expanding $HOSTNAME Chet Ramey (Sep 16)
- Re: Re: CVE-2016-0634 -- bash prompt expanding $HOSTNAME Leo Famulari (Sep 27)
- Re: Re: CVE-2016-0634 -- bash prompt expanding $HOSTNAME Chet Ramey (Sep 29)