bug-bash
[Top][All Lists]
Advanced

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

BUG in arithcomp: bypass of the check condition and arbitrary read/write


From: Raffaele Florio
Subject: BUG in arithcomp: bypass of the check condition and arbitrary read/write of shell variables
Date: Fri, 10 Apr 2020 09:44:31 +0000

Machine: x86_64
OS: linux-gnu
Compiler: gcc
Compilation CFLAGS: -O2 -g -pipe -Wall -Werror=format-security 
-Wp,-D_FORTIFY_SOURCE=2 -Wp,-D_GLIBCXX_ASSERTIONS -fexceptions 
-fstack-protector-strong -grecord-gcc-switches 
-specs=/usr/lib/rpm/redhat/redhat-hardened-cc1 
-specs=/usr/lib/rpm/redhat/redhat-annobin-cc1 -m64 -mtune=generic 
-fasynchronous-unwind-tables -fstack-clash-protection -fcf-protection 
-Wno-parentheses -Wno-format-security
uname output: Linux x230 5.5.10-100.fc30.x86_64 #1 SMP Wed Mar 18 14:34:46 UTC 
2020 x86_64 x86_64 x86_64 GNU/Linux
Machine Type: x86_64-redhat-linux-gnu

Bash Version: 5.0
Patch Level: 11
Release Status: release

Description:
A bug in the function arithcomp (in test.c) allows an attacker to bypass every 
arithmetic check. Furthermore, this bug, allows an attacker to read/write 
arbitrary shell variables. The bug could be also triggered with the test 
built-in.
The check bypass and the arbitrary read/write is related to the same logic. 
Precisely by the functions called by arithcomp.
Indeed the functions called by arithcomp cause the evaluation of the supplied 
arithcomp function argument, potentially fed by user input.
The chain of the called functions is: evalexp (defined in expr.c) -> subexpr -> 
readtok + EXP_HIGHEST. In this way every arithmetic/bitwise/logical expressions 
or variable assignment is evaluated.
The cahin is triggered by the L347 or L350:
    337 static int
    338 arithcomp (s, t, op, flags)
    339      char *s, *t;
    340      int op, flags;
    341 {
.......
    345   if (flags & TEST_ARITHEXP)
    346     {
-> 347       l = evalexp (s, 0, &expok);
    348       if (expok == 0)
    349         return (FALSE);         /* should probably longjmp here */
-> 350       r = evalexp (t, 0, &expok);
    351       if (expok == 0)
    352         return (FALSE);         /* ditto */
    353     }
.....

I've also tried on MacOS with bash and sh. On Windows it works with git bash. 
Furthermore zsh is also affected. I didn't try other *sh shell.

Repeat-By:
====== Arithmetic check bypass ======
Give in input "y" (as string) to the below script and the equality will be 
satisfied. This is caused by the fact that the y given in input is evaluated as 
shell variable by the expression evaluator.
Here the script:
#!/path/to/bash

y=$RANDOM
read input
if [[ "$y" -eq "$input" ]]; then
    echo "OK"
fi

===== read/write of arbitrary shell variables ======
Give in input "x=42,xyz=UID" to the below script. After the test x will contain 
42 and xyz the UID value. The same logic in this bug. Furthermore if PWD is 
given, instead of UID, the PWD value is printed thanks the evaluation error.
Here the script:
#!/path/to/bash

x="VAL"
y=1234
read input

if [[ "$y" -eq "$input" ]]; then
echo "OK"
fi

echo "x = $x"
echo "xyz = $xyz"

Fix:
A solution could be to use a simpler equality strategy for the arithmetic 
comparison. More or less like the logic of the string comparison implemented in 
the same file (test.c). Basically, the latter, use a strcmp.

reply via email to

[Prev in Thread] Current Thread [Next in Thread]