bug-bash
[Top][All Lists]
Advanced

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Vulnerability in prompt expansion of directories.


From: Serge van den Boom
Subject: Vulnerability in prompt expansion of directories.
Date: Fri, 28 Mar 2003 19:20:02 +0100 (CET)

Configuration Information [Automatically generated, do not change]:
Machine: i386
OS: freebsd4.6
Compiler: cc
Compilation CFLAGS:  -DPROGRAM='bash' -DCONF_HOSTTYPE='i386' 
-DCONF_OSTYPE='freebsd4.6' -DCONF_MACHTYPE='i386-portbld-freebsd4.6' 
-DCONF_VENDOR='portbld' -DSHELL  -DHAVE_CONFIG_H  -I.  -I. -I./include -I./lib  
-O -pipe
uname output: FreeBSD toad.stack.nl 4.8-PRERELEASE FreeBSD 4.8-PRERELEASE #0: 
Mon Feb 24 16:47:28 GMT 2003     
address@hidden:/vwww.mnt/sources/4.x/obj/vwww.mnt/sources/4.x/sys/toad_vwww  
i386
Machine Type: i386-portbld-freebsd4.6

Bash Version: 2.05b
Patch Level: 0
Release Status: release

Description:
        When you have as current directory a directory with a 0x01 char
        in the name, a following '$' in the name will be subject to
        expansion, when there's '\w' or '\W' in PS1.
        The expansion takes place when the prompt is displayed.
        This is a security vulnerability if you can trick someone into
        changing his current working directory to one with a specially
        crafted name.
        This is only a problem for interactive sessions as no prompt
        is displayed from scripts etc.
        Other prompt backslash-escaped special characters (such as '\h' or
        '\u') probably have the same problem, but they're not likely to
        be exploited.
        It also works for other PS prompt variables.

Repeat-By:
        export PS1="\w "
        mkdir `echo -e \\\001`'$(id)'
        cd `echo -e \\\001`'$(id)'





reply via email to

[Prev in Thread] Current Thread [Next in Thread]