[1059] in linux-security and linux-alert archive

[linux-security] bash security hole

daemon@ATHENA.MIT.EDU (Runar Jensen)
Sat Aug 24 19:16:55 1996

From: Runar Jensen <zarq@1stnet.com>
To: linux-security@tarsier.cv.nrao.edu
Date: Thu, 22 Aug 1996 21:55:15 -0500

Someone mentioned that they were not able to reproduce the recent bash bug.
I tried the example mentioned in the alert with no luck, seemingly because
bash does not expand the '\377' construct. I then got a little creative and
tried the following:

bash -c '`echo -e "ls\377who"`'

This appeared to expand right, but would still only execute the 'ls'. For a
moment I happily assumed that I wasn't vulnerable, but examining the source
showed that I *should* be, according to the alert.

It struck me that using bash to reproduce a bash bug may not be a very good
idea... Sure enough, a simple system() call will work as expected:

#include <stdlib.h>

int main(void) {
   /* byte 0xFF (octal \377) sits between the two command names */
   system("ls\377who");
   return 0;
}

...and yes, the patch fixes this. :)


.../ru

---
Runar Jensen
System Administrator
FirstNet of Acadiana
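
Added example, not part of the original post: a C guard that a program calling system() could use to refuse any command string containing the 0xFF byte shown in the post. The helper names find_ff_byte and checked_system are hypothetical, and the sample strings are constructed.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical helper: offset of the first 0xFF byte in cmd, or -1 if none.
 * The cast matters: where plain char is signed, '\377' holds -1, so a
 * comparison of an uncast char against 0xFF is never true. */
long find_ff_byte(const char *cmd)
{
    size_t i, n = strlen(cmd);

    for (i = 0; i < n; i++) {
        if ((unsigned char)cmd[i] == 0xFF)
            return (long)i;
    }
    return -1;
}

/* Hypothetical wrapper: hand cmd to system() only if it has no 0xFF byte.
 * Returns -1 without starting a shell when the byte is present. */
int checked_system(const char *cmd)
{
    long off = find_ff_byte(cmd);

    if (off >= 0) {
        fprintf(stderr, "refusing command: 0xFF byte at offset %ld\n", off);
        return -1;
    }
    return system(cmd);
}

int main(void)
{
    /* Constructed inputs: the string from the post and a clean one. */
    const char *samples[] = { "ls\377who", "ls -l /" };
    size_t i;

    for (i = 0; i < sizeof samples / sizeof samples[0]; i++)
        printf("sample %lu: 0xFF offset = %ld\n",
               (unsigned long)i, find_ff_byte(samples[i]));

    /* The string from the post must be refused before any shell runs. */
    return checked_system("ls\377who") == -1 ? 0 : 1;
}
```

A guard like this only narrows what reaches the shell; the patch mentioned in the post is still the fix.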
