lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [day] [month] [year] [list] 
Message-ID: <20121119190043.GA28955@hunt>
Date: Mon, 19 Nov 2012 11:00:43 -0800
From: Seth Arnold <seth.arnold@...onical.com>
To: full-disclosure@...ts.grok.org.uk
Subject: Re: bash path normalization bug

On Thu, Nov 15, 2012 at 10:09:56PM +0200, Andris Berzins wrote:
> $ bash --version<br />GNU bash, version 4.2.8(1)-release
> (x86_64-pc-linux-gnu)<br /><br />$ bash --version<br />GNU bash,
> version 4.0.28(1)-release (i386-pc-solaris2.8)<br /><br />Bash fails
> to normalize path starting starting with "//" and will consider "/"
> and "//" to be different paths:<br /><br />$ cd /tmp &amp;&amp; pwd<br
> />/tmp<br />$ cd //tmp &amp;&amp; pwd<br />//tmp<br /><br />Scripts
> which do path normalization by:<code><span class="pln"><br
> />normalDir</span><span class="pun">=</span><span class="str">`cd
> "${dirToNormalize}";pwd`</span></code><br /><br />and check it against
> blacklists are vulnerable.
> 

You've mistaken a feature for a bug.

The following quote is from IEEE Std 1003.1, 2004 Edition:

    A pathname consisting of a single slash shall resolve to the root
    directory of the process. A null pathname shall not be successfully
    resolved. A pathname that begins with two successive slashes may be
    interpreted in an implementation-defined manner, although more than
    two leading slashes shall be treated as a single slash.

http://pubs.opengroup.org/onlinepubs/000095399/basedefs/xbd_chap04.html#tag_04_11

Bash has chosen to maintain the // version of a path in case the rest
of the system chooses to do something clever with it (such as automount
network shares).

Checking blacklists are more of a usability feature than a security
feature; if it were a security feature, it'd be a whitelist.


Download attachment "signature.asc" of type "application/pgp-signature" (491 bytes)

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ