[1078] in linux-security and linux-alert archive

Re: [linux-security] bash security hole

daemon@ATHENA.MIT.EDU (Jonathan Larmour)
Mon Aug 26 07:27:15 1996

Date: Sun, 25 Aug 1996 22:46:48 +0100
To: Runar Jensen <zarq@1stnet.com>, linux-security@tarsier.cv.nrao.edu
From: Jonathan Larmour <JLarmour@origin-at.co.uk>

At 21:55 22/08/96 -0500, Runar Jensen wrote:
>Someone mentioned that they were not able to reproduce the recent bash bug.
>I tried the example mentioned in the alert with no luck, seemingly because
>bash does not expand the '\377' construct. I then got a little creative and
>tried the following:
>
>bash -c '`echo -e "ls\377who"`'
>
>This appeared to expand right, but would still only execute the 'ls'. For a
[snip]

Just to clarify this, the way I found that I _was_ vulnerable, was with
this. NB copy the quoting exactly:

bash -c "`/bin/echo 'ls -al\377who'`"

However, note that the bit after the \377 is run the _next_ time you run the
command, so you need to run it _twice_. Hopefully this will help people who
incorrectly believe they are not vulnerable.

Jonathan L.
Origin UK, 323 Cambridge Science Park, Cambridge, England. CB4 4WG.
Tel: +44 (1223) 423355    Fax: +44 (1223) 420724   E-mail: guess...
-------[ Do not think that every sad-eyed woman has loved and lost... ]------
-----------------------[ she may have got him. -Anon ]-----------------------
These opinions are all my own fault.
