[10312] in bugtraq


Re: Bash Bug

daemon@ATHENA.MIT.EDU (Henrik Nordstrom)
Thu Apr 22 13:27:26 1999

Date: 	Thu, 22 Apr 1999 13:10:52 +0200
Reply-To: hno@HEM.PASSAGEN.SE
From: Henrik Nordstrom <hno@HEM.PASSAGEN.SE>
X-To:         Shadow <shadow@OPERATOR.ORG>
To: BUGTRAQ@NETSPACE.ORG


Shadow wrote:

> mkdir "\ `echo -e \ "echo + +> ~\57.rhosts\ " > x; source x; rm -f \x\ ` "
>
> and someone cd's into said directory, either by accident, or whatever,
> then it will cause it to actually execute.

It is a vulnerability of the prompt parsing, or more specifically the \w
or \W prompt escapes for showing the current directory. These get parsed
before backquote parsing of the prompt string.

Workaround: Make sure the variable PS1 is set to something not including
the above escapes when cd'ing into directories with backquotes or $ as
part of their name.

Patch for bash-1.14.7 attached.

bug-bash@prep.ai.mit.edu has been notified.

--
Henrik Nordstrom

Content-Disposition: inline; filename="bash_prompt.diff"

--- parse.y.orig	Thu Apr 22 11:53:01 1999
+++ parse.y	Thu Apr 22 12:56:34 1999
@@ -2729,6 +2729,17 @@
 #else
 		getwd (t_string);
 #endif	/* EFFICIENT */
+		if (strcspn(t_string, slashify_in_quotes) < strlen(t_string)) {
+		    char t_string2[MAXPATHLEN];
+		    int i, j;
+		    for (i = 0, j = 0 ; t_string[i] && j < MAXPATHLEN - 2 ; i++) {
+			if (member(t_string[i], slashify_in_quotes))
+			    t_string2[j++] = '\\';
+			t_string2[j++] = t_string[i];
+		    }
+		    t_string2[j] = '\0';
+		    strcpy(t_string, t_string2);
+		}

 		if (c == 'W')
 		  {
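
Review bot: The copy loop's bound `j < MAXPATHLEN - 2` truncates the escaped path silently, and the closing `strcpy(t_string, t_string2)` is only safe if `t_string` holds at least MAXPATHLEN bytes, which this hunk does not show; a comment stating the size of `t_string`, or an explicit check against it, would make that verifiable. The bound itself is correct for `t_string2`: an escaped character writes two bytes and still leaves room for the terminating NUL, and a backslash is never written without the character it escapes. The added block also carries no comment saying why the characters in `slashify_in_quotes` are being backslash-escaped here, and its brace placement differs from the `if (c == 'W')` block that follows.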

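
The workaround described in the message, written as an added shell example that is not part of the original post or of bash. The function names, `FALLBACK_PS1` and `PREFERRED_PS1` are hypothetical, and the check covers only the backquote and `$` characters the message names.

```shell
#!/bin/sh
# Added example, not from the original post; all names here are hypothetical.
# Implements the posted workaround for unpatched shells: never expand \w or \W
# while the working directory's path contains a backquote or a dollar sign.

FALLBACK_PS1='$ '   # assumed safe prompt: contains no \w or \W escape

# Succeeds (exit 0) if the path contains ` or $, the characters named in the post.
path_is_prompt_risky() {
    case $1 in
        *'`'*|*'$'*) return 0 ;;
        *)           return 1 ;;
    esac
}

# Succeeds if the prompt string uses the \w or \W directory escapes.
ps1_shows_directory() {
    case $1 in
        *'\w'*|*'\W'*) return 0 ;;
        *)             return 1 ;;
    esac
}

# Prints the prompt to use for directory $1, given the preferred prompt $2.
prompt_for_dir() {
    if path_is_prompt_risky "$1" && ps1_shows_directory "$2"; then
        printf '%s\n' "$FALLBACK_PS1"
    else
        printf '%s\n' "$2"
    fi
}

# cd replacement: change directory, then pick the prompt for the new location.
# PREFERRED_PS1 keeps the user's normal prompt so it is restored on leaving.
guarded_cd() {
    : "${PREFERRED_PS1:=$PS1}"
    cd -- "$1" || return
    PS1=$(prompt_for_dir "$PWD" "$PREFERRED_PS1")
}

# Audit helper: list directories under $1 whose names would trigger the fallback.
list_risky_dirs() {
    find "$1" -type d -name '*[`$]*' -print
}
```

Because `guarded_cd` tests the whole of `$PWD`, the fallback prompt stays in effect in every subdirectory below a risky name, which matches what `\w` would display.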
