bug-bash

Re: I've found a vulnerability in bash


From: Alex fxmbsw7 Ratchev
Subject: Re: I've found a vulnerability in bash
Date: Wed, 17 Nov 2021 13:55:28 +0100

This is due to parsing of args by the specific app; the -- arg indicates
end-of-switches.

On Wed, Nov 17, 2021, 13:41 Marshall Whittaker <marshallwhittaker@gmail.com>
wrote:

> Software: bash
> Version: 5.0.17(1)-release (x86_64-pc-linux-gnu)
>
> --- SNIP ---
> [marshall@jerkon]{04:09 AM}: [~/bashful] $ touch -- '--version'
> [marshall@jerkon]{04:09 AM}: [~/bashful] $ touch a && mkdir b
> [marshall@jerkon]{04:09 AM}: [~/bashful] $ ls -l
> total 4
> -rw-rw-r-- 1 marshall marshall    0 Nov 17 04:09 a
> drwxrwxr-x 2 marshall marshall 4096 Nov 17 04:09 b
> -rw-rw-r-- 1 marshall marshall    0 Nov 17 04:09 --version
> [marshall@jerkon]{04:09 AM}: [~/bashful] $ mv * b
> mv (GNU coreutils) 8.30
> Copyright (C) 2018 Free Software Foundation, Inc.
> License GPLv3+: GNU GPL version 3 or later <https://gnu.org/licenses/gpl.html>.
> This is free software: you are free to change and redistribute it.
> There is NO WARRANTY, to the extent permitted by law.
>
> Written by Mike Parker, David MacKenzie, and Jim Meyering.
> [marshall@jerkon]{04:09 AM}: [~/bashful] $ rm *
> rm (GNU coreutils) 8.30
> Copyright (C) 2018 Free Software Foundation, Inc.
> License GPLv3+: GNU GPL version 3 or later <https://gnu.org/licenses/gpl.html>.
> This is free software: you are free to change and redistribute it.
> There is NO WARRANTY, to the extent permitted by law.
>
> Written by Paul Rubin, David MacKenzie, Richard M. Stallman,
> and Jim Meyering.
> [marshall@jerkon]{04:09 AM}: [~/bashful] $
> --- SNIP ---
>
> This shouldn't happen because you can drop a file and then redirect
> other code for example calling a script if you only have access to drop
> a file.  Say a cronjob was running every hour, and it did rm * on some
> folder, by expansion, you could expand it to -riv or whatever you
> wanted and redirect program flow from there.
>
> Thanks,
> Marshall Whittaker / oxagast


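The glob-expansion problem described in the report above, reproduced as an added example that is not part of the original thread or of bash or coreutils. It builds the same fixture the report uses (a file "a", a directory "b", and a file literally named "--version", all constructed here), runs the reported `rm *` against it, and then runs the two standard fixes: ending option parsing with `--`, and anchoring the glob as `./*` so no expansion can begin with a dash. The function names are this example's own.

```shell
#!/bin/sh
# Added example, not from the original thread: a glob that expands to a
# filename beginning with "-" is handed to the called program as an option.
# The fixture (files "a" and "--version", directory "b") is constructed to
# match the report; the function names are this example's own.

# Create a scratch directory holding the fixture and print its path.
make_fixture() {
    d=$(mktemp -d) || return 1
    touch -- "$d/a" "$d/--version" || return 1
    mkdir -- "$d/b" || return 1
    printf '%s\n' "$d"
}

# The pattern from the report.  LC_ALL=C fixes the glob order so the
# command is the same everywhere:  rm --version a b
# GNU getopt permutes arguments, so for GNU rm the order does not matter
# (it prints its version and exits 0, as in the report); BSD and busybox rm
# reject the unknown option.  In every case nothing is deleted.
naive_rm() {
    ( cd "$1" || exit 1; export LC_ALL=C; rm * )
}

# Fix 1: "--" ends option parsing, so every expansion after it is an
# operand.  (-r so that the directory "b" is removed as well.)
hardened_rm_dashdash() {
    ( cd "$1" || exit 1; rm -r -- * )
}

# Fix 2: anchor the glob with "./" so no expansion can begin with "-".
# This works even with programs that do not honour "--".
hardened_rm_dotslash() {
    ( cd "$1" || exit 1; rm -r ./* )
}

# Number of entries left in a directory, for checking the result.
count_entries() {
    echo $(( $(ls -A -- "$1" | wc -l) ))
}

# Stand-alone demo: run each variant on a fresh fixture and report what is
# left behind (all 3 entries survive the naive variant, 0 the hardened ones).
demo() {
    for variant in naive_rm hardened_rm_dashdash hardened_rm_dotslash; do
        d=$(make_fixture) || return 1
        "$variant" "$d" >/dev/null 2>&1
        printf '%-22s entries left: %s\n' "$variant" "$(count_entries "$d")"
        rm -rf -- "$d"
    done
}
demo
```

As the reply notes, `--` is interpreted by the program, not by the shell, so it only helps with programs that honour it (the GNU coreutils do; some other commands do not). The `./*` form needs no cooperation from the program, which makes it the safer habit in scripts and cron jobs; for directory cleanup, `find DIR -mindepth 1 -delete` or `find ... -exec rm -- {} +` avoids the shell glob altogether.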