lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-ID: <CALCvwp5wfMKqUfPj1pSx=5ryrLeV3LAErCNZRVtZkdgWopWdUQ@mail.gmail.com>
Date: Wed, 21 Sep 2011 08:53:04 +1000
From: GloW - XD <doomxd@...il.com>
To: Valdis.Kletnieks@...edu
Cc: full-disclosure@...ts.grok.org.uk
Subject: Re: Possibility to exploit bash "*" processing

Probably because anybody who's used the various Bourne-style shells for a
while
considers it a feature, not a bug

This seems to be true.
I was able to write a file to root, using a simple cat > cmd similar, in
BSD4.11,but when reporting it, Colin Percival seemed to think it more
amusing... they did although patch it being able to write root, as i was
able to write over the passwd file and add myself to it :P
this was a bug, but not a big one according to the lists at the time,
although when you can overwrite root, they might ask you to send them a
private post to bugs@...nel ;P lol.
have fun... thats not much tho... write a file now to another dir, then its
a bug.... and cat maybe could still, it was only ever patched on bsd...
problem was in gentoo tho also ;)
later and, hope you have fun working with the secteams if you do find a
deeper bug ;p look on BSD mailing lists for a cat bug...it is few years ago
now but it is there.. i still have the links somewhere but dont have time to
search, just lookup the bsd security lists if you need more infos about it
or, i could send you the posts from colin when i am in the office and have
more time.
cheers
xd

oops, sorry i cc'd valdis, sorry this was aimed at author more,... dont have
time to correct things i gotta run



On 21 September 2011 04:31, <Valdis.Kletnieks@...edu> wrote:

> On Tue, 20 Sep 2011 13:29:11 +0300, Kirils Solovjovs said:
> > Brought this up a year ago. Seems that no attention has been given to
> > this so far.
>
> Probably because anybody who's used the various Bourne-style shells for a
> while
> considers it a feature, not a bug.  This is a case where the Principle of
> Least
> Surprise comes up with different answers for novice users and for experts:
> "What? A * can expand into an unintended command argument?" "Yeah, what
> *else*
> would it do - the shell is just globbing, it doesn't know for sure what the
> command will do with the parameter".
>
> Multics had an alternate solution for this issue - when you issued a
> command,
> it would get invoked right then and there and take over terminal input and
> allow guided completions knowing what the command syntax was (think "love
> child
> of getopt and readline" ;) Of course, this doesn't play well with pipes,
> especially if the pipe further down the line has a redirection that fails.
>
> > One solution would be to modify "*" processing so that it ignores
> > filenames that start "-" similarly as it ignores filenames that start
> > with "."'
>
> No, you don't want to do that.  You want to provide an *optional*
> flag, similar to the shopt settings for 'dotglob', 'extglob', 'failglob',
> 'globstar',
> 'nocaseglob', and 'nullglob'.
>
> Having said that, a 'shopt dashglob' shouldn't be too hard to implement,
> as you can do 98% of it based on the already-existing 'dotglob' code, and
> that's probably the way to address the issue.
>
> _______________________________________________
> Full-Disclosure - We believe in it.
> Charter: http://lists.grok.org.uk/full-disclosure-charter.html
> Hosted and sponsored by Secunia - http://secunia.com/
>

Content of type "text/html" skipped

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ