Vulnerability in prompt expansion of directories.
From: Serge van den Boom
Subject: Vulnerability in prompt expansion of directories.
Date: Fri, 28 Mar 2003 19:20:02 +0100 (CET)
Configuration Information [Automatically generated, do not change]:
Machine: i386
OS: freebsd4.6
Compiler: cc
Compilation CFLAGS: -DPROGRAM='bash' -DCONF_HOSTTYPE='i386'
-DCONF_OSTYPE='freebsd4.6' -DCONF_MACHTYPE='i386-portbld-freebsd4.6'
-DCONF_VENDOR='portbld' -DSHELL -DHAVE_CONFIG_H -I. -I. -I./include -I./lib
-O -pipe
uname output: FreeBSD toad.stack.nl 4.8-PRERELEASE FreeBSD 4.8-PRERELEASE #0:
Mon Feb 24 16:47:28 GMT 2003
jwk@vwww.stack.nl:/vwww.mnt/sources/4.x/obj/vwww.mnt/sources/4.x/sys/toad_vwww
i386
Machine Type: i386-portbld-freebsd4.6
Bash Version: 2.05b
Patch Level: 0
Release Status: release
Description:
When you have as current directory a directory with a 0x01 char
in the name, a following '$' in the name will be subject to
expansion, when there's '\w' or '\W' in PS1.
The expansion takes place when the prompt is displayed.
This is a security vulnerability if you can trick someone into
changing his current working directory to one with a specially
crafted name.
This is only a problem for interactive sessions as no prompt
is displayed from scripts etc.
Other prompt backslash-escaped special characters (such as '\h' or
'\u') probably have the same problem, but they're not likely to
be exploited.
It also works for other PS prompt variables.
Repeat-By:
export PS1="\w "
mkdir `echo -e \\\001`'$(id)'
cd `echo -e \\\001`'$(id)'
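
Added example, not part of the original report or of bash: a POSIX sh audit that walks a tree and flags directory names containing a control byte, marking as RISK those with a '$' after it, which is the condition the Description gives. The function names, the RISK/SUSPECT labels and the control-byte range are assumptions made for this example; cat -v is used only to print the names visibly.

```sh
#!/bin/sh
# Added example, not from the original report. All function names here are
# hypothetical. It flags directory names that contain a control byte, and
# marks as RISK those with a '$' somewhere after that byte.

CTRL='\001-\037\177'   # bytes treated as control characters (assumption)

# True when the name holds at least one control byte.
has_control_byte() {
    total=$(( $(printf '%s' "$1" | wc -c) ))
    clean=$(( $(printf '%s' "$1" | LC_ALL=C tr -d "$CTRL" | wc -c) ))
    [ "$total" -ne "$clean" ]
}

# True when a '$' appears anywhere after the first control byte.
dollar_after_control_byte() {
    # Turn control bytes into line breaks, drop the text before the first one.
    printf '%s\n' "$1" | LC_ALL=C tr "$CTRL" '\n' | sed 1d | grep -q -F -- '$'
}

# Print RISK, SUSPECT or OK for one path component.
classify_name() {
    if dollar_after_control_byte "$1"; then echo RISK
    elif has_control_byte "$1"; then echo SUSPECT
    else echo OK
    fi
}

# Recursively report every directory under $1 whose name is not OK.
# Names go through cat -v so a 0x01 byte is shown as ^A, not sent raw.
audit_tree() {
    for entry in "$1"/* "$1"/.[!.]* "$1"/..?*; do
        [ -d "$entry" ] && [ ! -L "$entry" ] || continue
        verdict=$(classify_name "${entry##*/}")
        [ "$verdict" = OK ] ||
            printf '%s %s\n' "$verdict" "$(printf '%s' "$entry" | cat -v)"
        audit_tree "$entry"   # recurse last: $entry is not reused afterwards
    done
}

# Stand-alone use: sh audit.sh /path/to/untrusted/tree
if [ $# -gt 0 ]; then
    audit_tree "$1"
fi
```

Run it over an unpacked archive or a shared directory before changing into it from an interactive shell.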