[1082] in linux-security and linux-alert archive

Re: [linux-security] bash security hole

daemon@ATHENA.MIT.EDU (Zoltan Hidvegi)
Mon Aug 26 07:31:40 1996

From: Zoltan Hidvegi <hzoli@cs.elte.hu>
To: zarq@1stnet.com (Runar Jensen)
Date: Mon, 26 Aug 1996 00:53:22 +0200 (MET DST)
Cc: linux-security@tarsier.cv.nrao.edu
In-Reply-To: <199608230255.VAA06108-RESENT@donner.1stnet.com> from Runar Jensen at "Aug 22, 96 09:55:15 pm"

> Someone mentioned that they were not able to reproduce the recent bash bug.
> I tried the example mentioned in the alert with no luck, seemingly because
> bash does not expand the '\377' construct. I then got a little creative and
> tried the following:
> 
> bash -c '`echo -e "ls\377who"`'
> 
> This appeared to expand right, but would still only execute the 'ls'. For a
> moment I happily assumed that I wasn't vulnerable, but examining the source
> showed that I *should* be, according to the alert.

That test did not work because no expansion is performed on single quoted
text.  Try bash -c "$(echo -e echo\\377who)".  For some reason this worked
only the second time I used it.  When I do it from zsh using
bash -c "$(echo echo\\0377who)" it always shows the bug.  A suitable
workaround is to get zsh-3.0.0 and link /bin/sh to zsh.  Pdksh is another
alternative but it is less convenient for interactive use.

Zoltan
