[3361] in bugtraq
Re: BUG in /bin/bash
daemon@ATHENA.MIT.EDU (Dan Thorson)
Mon Sep 16 23:08:34 1996
Date: Mon, 16 Sep 1996 22:52:12 -0400
Reply-To: Dan Thorson <Dan_Thorson@notes.seagate.com>
From: Dan Thorson <Dan_Thorson@notes.seagate.com>
X-To: Dan Stromberg <strombrg@hydra.acs.uci.edu>
To: Multiple recipients of list BUGTRAQ <BUGTRAQ@netspace.org>
I've tried Solaris 2.5 (unpatched) with the same results. I'll report on 2.5
using recommended patches if I see anything different.
>Solaris 2.4
>Debian linux 1.1
>Irix 5.2
>OSF/1 3.2
>SunOS 4.1.1
>Ultrix 4.2
>Roger Espel Llima wrote:
>>
>> >> VULNERABILITY: A variable declaration error in "bash" allows the character
>> >> with value 255 decimal to be used as a command separator.
>>
>> That reminds me of a similar "little-known feature" on SunOS and
>> Solaris, where /bin/sh interprets '^' as a synonym for '|' :
>>
>> $ sh -c 'echo blah ^ cat'
>> blah
>>
>> Again this could be exploited to fool CGI scripts (and ircII scripts
>> too) which execute shell commands with user-supplied data, after
>> checking for things like ';', '|' and '&'.
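
Added example, not part of the original post or of any code discussed in the thread: the filter described above (rejecting only ';', '|' and '&') set beside an allowlist check and a call that hands the value to a program as an argument with no shell involved. The ALLOWED character set, the sample inputs and the function names are assumptions made for this illustration.

```python
import re
import subprocess
import sys

# Denylist as described in the thread: reject only ';', '|' and '&'.
DENYLIST = set(";|&")

# Allowlist (assumption for this example): accept only bytes that are
# known to be harmless; everything else, known or unknown, is refused.
ALLOWED = re.compile(rb"[A-Za-z0-9._@%+=:,/-]+")

# Constructed sample inputs, taken from the cases named in the thread.
SAMPLES = {
    "plain": b"blah",
    "caret": b"blah ^ cat",      # '^' as a synonym for '|' in SunOS /bin/sh
    "byte255": b"blah\xffcat",   # character with value 255 decimal
    "pipe": b"blah | cat",
}

def denylist_accepts(value: bytes) -> bool:
    """True when none of the three listed metacharacters is present."""
    return not any(chr(b) in DENYLIST for b in value)

def allowlist_accepts(value: bytes) -> bool:
    """True only when every byte is in the permitted set."""
    return ALLOWED.fullmatch(value) is not None

def classify(samples=SAMPLES):
    """Map sample name -> (denylist verdict, allowlist verdict)."""
    return {name: (denylist_accepts(v), allowlist_accepts(v))
            for name, v in samples.items()}

def run_without_shell(arg: str) -> str:
    """Pass user data as one argv element; no shell ever parses it."""
    child = "import sys; sys.stdout.write(sys.argv[1])"
    done = subprocess.run([sys.executable, "-c", child, arg],
                          capture_output=True, text=True, check=True)
    return done.stdout

if __name__ == "__main__":
    for name, (deny_ok, allow_ok) in classify().items():
        print(f"{name:8} denylist={'pass' if deny_ok else 'reject'} "
              f"allowlist={'pass' if allow_ok else 'reject'}")
    print(repr(run_without_shell("blah ^ cat")))
```

The denylist passes both the '^' and the byte-255 inputs, while the allowlist refuses them without needing to know which shell treats which character as special.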