[3353] in bugtraq


Re: BUG in /bin/bash

daemon@ATHENA.MIT.EDU (Dan Stromberg)
Mon Sep 16 14:24:32 1996

Date: Sat, 14 Sep 1996 13:33:14 -0700
Reply-To: Dan Stromberg <strombrg@hydra.acs.uci.edu>
From: Dan Stromberg <strombrg@hydra.acs.uci.edu>
X-To: Roger Espel Llima <espel@clipper.ens.fr>
To: Multiple recipients of list BUGTRAQ <BUGTRAQ@netspace.org>

This worked on all the unix variants I tried except debian linux, which
uses bash for sh instead of "the real sh".  I no longer have a copy of
ash to try.

I tried:

Solaris 2.4
Debian linux 1.1
Irix 5.2
OSF/1 3.2
SunOS 4.1.1
Ultrix 4.2

Sure sounds like this interpretation of ^ comes from upstream...

Roger Espel Llima wrote:
>
> >> VULNERABILITY:  A variable declaration error in "bash" allows the character
> >>                 with value 255 decimal to be used as a command separator.
>
>   That reminds me of a similar "little-known feature" on SunOS and
> Solaris, where /bin/sh interprets '^' as a synonym for '|' :
>
> $ sh -c 'echo blah ^ cat'
> blah
>
>   Again this could be exploited to fool CGI scripts (and ircII scripts
> too) which execute shell commands with user-supplied data, after
> checking for things like ';', '|' and '&'.
>
>         -Roger
> --
> e-mail: roger.espel.llima@ens.fr
> WWW & PGP key: http://www.eleves.ens.fr:8080/home/espel/index.html
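
An added example, not part of the original thread: the weakness both messages describe, where a script screens user data only for ';', '|' and '&' before handing it to a shell, shown next to an allowlist check and shell-free execution. The sample inputs, the allowed character set and the function names are assumptions made for this illustration.

```python
import re
import subprocess
import sys

# The three characters the quoted message says scripts check for.
DENYLIST = (b";", b"|", b"&")

# Hypothetical allowlist for a simple argument such as a user name.
ALLOWED = re.compile(rb"[A-Za-z0-9._-]{1,64}")


def denylist_accepts(value: bytes) -> bool:
    """Weak check: reject only the separators the author thought of."""
    return not any(ch in value for ch in DENYLIST)


def allowlist_accepts(value: bytes) -> bool:
    """Stronger check: accept only a fixed set of plain ASCII bytes."""
    return ALLOWED.fullmatch(value) is not None


def run_without_shell(value: bytes) -> str:
    """Validate, then pass the value as one argv element; no shell parses it."""
    if not allowlist_accepts(value):
        raise ValueError("rejected input")
    child = [sys.executable, "-c", "import sys; print(sys.argv[1])",
             value.decode("ascii")]
    return subprocess.run(child, capture_output=True, text=True,
                          check=True).stdout.strip()


# Constructed sample inputs, one per separator named in the thread.
SAMPLES = {
    "plain": b"blah",
    "semicolon": b"blah ; cat",
    "caret (SunOS/Solaris sh pipe synonym)": b"blah ^ cat",
    "byte 255 (bash separator report)": b"blah\xffcat",
}

if __name__ == "__main__":
    for label, value in SAMPLES.items():
        print(f"{label:40} denylist={denylist_accepts(value)!s:5} "
              f"allowlist={allowlist_accepts(value)}")
    print(run_without_shell(b"blah"))
```

The denylist passes both the caret and the byte-255 inputs because neither character is on its list, while the allowlist rejects them without needing to know which shell will eventually run.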
