[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
BUG in arithcomp: bypass of the check condition and arbitrary read/write
From: |
Raffaele Florio |
Subject: |
BUG in arithcomp: bypass of the check condition and arbitrary read/write of shell variables |
Date: |
Fri, 10 Apr 2020 09:44:31 +0000 |
Machine: x86_64
OS: linux-gnu
Compiler: gcc
Compilation CFLAGS: -O2 -g -pipe -Wall -Werror=format-security
-Wp,-D_FORTIFY_SOURCE=2 -Wp,-D_GLIBCXX_ASSERTIONS -fexceptions
-fstack-protector-strong -grecord-gcc-switches
-specs=/usr/lib/rpm/redhat/redhat-hardened-cc1
-specs=/usr/lib/rpm/redhat/redhat-annobin-cc1 -m64 -mtune=generic
-fasynchronous-unwind-tables -fstack-clash-protection -fcf-protection
-Wno-parentheses -Wno-format-security
uname output: Linux x230 5.5.10-100.fc30.x86_64 #1 SMP Wed Mar 18 14:34:46 UTC
2020 x86_64 x86_64 x86_64 GNU/Linux
Machine Type: x86_64-redhat-linux-gnu
Bash Version: 5.0
Patch Level: 11
Release Status: release
Description:
A bug in the function arithcomp (in test.c) allows an attacker to bypass every
arithmetic check. Furthermore, this bug, allows an attacker to read/write
arbitrary shell variables. The bug could be also triggered with the test
built-in.
The check bypass and the arbitrary read/write is related to the same logic.
Precisely by the functions called by arithcomp.
Indeed the functions called by arithcomp cause the evaluation of the supplied
arithcomp function argument, potentially fed by user input.
The chain of the called functions is: evalexp (defined in expr.c) -> subexpr ->
readtok + EXP_HIGHEST. In this way every arithmetic/bitwise/logical expressions
or variable assignment is evaluated.
The cahin is triggered by the L347 or L350:
337 static int
338 arithcomp (s, t, op, flags)
339 char *s, *t;
340 int op, flags;
341 {
.......
345 if (flags & TEST_ARITHEXP)
346 {
-> 347 l = evalexp (s, 0, &expok);
348 if (expok == 0)
349 return (FALSE); /* should probably longjmp here */
-> 350 r = evalexp (t, 0, &expok);
351 if (expok == 0)
352 return (FALSE); /* ditto */
353 }
.....
I've also tried on MacOS with bash and sh. On Windows it works with git bash.
Furthermore zsh is also affected. I didn't try other *sh shell.
Repeat-By:
====== Arithmetic check bypass ======
Give in input "y" (as string) to the below script and the equality will be
satisfied. This is caused by the fact that the y given in input is evaluated as
shell variable by the expression evaluator.
Here the script:
#!/path/to/bash
y=$RANDOM
read input
if [[ "$y" -eq "$input" ]]; then
echo "OK"
fi
===== read/write of arbitrary shell variables ======
Give in input "x=42,xyz=UID" to the below script. After the test x will contain
42 and xyz the UID value. The same logic in this bug. Furthermore if PWD is
given, instead of UID, the PWD value is printed thanks the evaluation error.
Here the script:
#!/path/to/bash
x="VAL"
y=1234
read input
if [[ "$y" -eq "$input" ]]; then
echo "OK"
fi
echo "x = $x"
echo "xyz = $xyz"
Fix:
A solution could be to use a simpler equality strategy for the arithmetic
comparison. More or less like the logic of the string comparison implemented in
the same file (test.c). Basically, the latter, use a strcmp.
- BUG in arithcomp: bypass of the check condition and arbitrary read/write of shell variables,
Raffaele Florio <=