Bugtraq: Re: BUG in /bin/bash

Nmap Security Scanner

Intro

Ref Guide

Install Guide

Download

Changelog

Book

Docs
Security Lists

Bugtraq

Basics

More
Security Tools

More
Site News
Site Search:
Exploit World
Advertising
About/Contact
Credits
Sponsors:

Bugtraq mailing list archives

Re: BUG in /bin/bash

From: Dan_Thorson () notes seagate com (Dan Thorson)
Date: Mon, 16 Sep 1996 22:52:12 -0400


I've tried Solaris 2.5 (unpatched) with the same results.  I'll report on 2.5
using recommended patches if I see anything different.

Solaris 2.4
Debian linux 1.1
Irix 5.2
OSF/1 3.2
SunOS 4.1.1
Ultrix 4.2

Roger Espel Llima wrote:

VULNERABILITY:  A variable declaration error in "bash" allows the

character

                with value 255 decimal to be used as a command separator.


  That reminds me of a similar "little-known feature" on SunOS and
Solaris, where /bin/sh interprets '^' as a synonym for '|' :

$ sh -c 'echo blah ^ cat'
blah

.>   Again this could be exploited to fool CGI scripts (and ircII scripts

too) which execute shell commands with user-supplied data, after
checking for things like ';', '|' and '&'.

By Date By Thread

Current thread:

Re: BUG in /bin/bash, (continued)
- Re: BUG in /bin/bash Eugene Bradley (Sep 13)
- Re: BUG in /bin/bash Dan Stromberg (Sep 14)
  - Re: BUG in /bin/bash Alan Cox (Sep 17)
  - CERT Vendor-Initiated Bulletin VB-96.16 - Transarc Corp. CERT Bulletin (Sep 17)
- Re: BUG in /bin/bash Dan Thorson (Sep 16)
  - Re: sh and ^ bitblt () cybercom net (Sep 17)