


BUG in arithcomp: bypass of the check condition and arbitrary read/write of shell variables

From Raffaele Florio <raffaeleflorio@protonmail.com>
Newsgroups gnu.bash.bug
Subject BUG in arithcomp: bypass of the check condition and arbitrary read/write of shell variables
Date 2020-04-10 09:44 +0000
Message-ID <mailman.448.1586525862.2644.bug-bash@gnu.org> (permalink)
References <wpJilm7mRPuWJxLdt3JR1F2vB5ji7oedWngUa1pgq0nIgwsmVcOUnTWfhzPfE0WZ0Rqj2R_QXw3ZygA_hQQvBtlU_Une8VmMD_dEHm0jUTU=@protonmail.com>



Machine: x86_64
OS: linux-gnu
Compiler: gcc
Compilation CFLAGS: -O2 -g -pipe -Wall -Werror=format-security -Wp,-D_FORTIFY_SOURCE=2 -Wp,-D_GLIBCXX_ASSERTIONS -fexceptions -fstack-protector-strong -grecord-gcc-switches -specs=/usr/lib/rpm/redhat/redhat-hardened-cc1 -specs=/usr/lib/rpm/redhat/redhat-annobin-cc1 -m64 -mtune=generic -fasynchronous-unwind-tables -fstack-clash-protection -fcf-protection -Wno-parentheses -Wno-format-security
uname output: Linux x230 5.5.10-100.fc30.x86_64 #1 SMP Wed Mar 18 14:34:46 UTC 2020 x86_64 x86_64 x86_64 GNU/Linux
Machine Type: x86_64-redhat-linux-gnu

Bash Version: 5.0
Patch Level: 11
Release Status: release

Description:
A bug in the function arithcomp (in test.c) allows an attacker to bypass every arithmetic check. Furthermore, this bug allows an attacker to read/write arbitrary shell variables. The bug can also be triggered with the test built-in.
The check bypass and the arbitrary read/write are related to the same logic, precisely the functions called by arithcomp.
Indeed, the functions called by arithcomp cause the evaluation of the supplied arithcomp function argument, potentially fed by user input.
The chain of the called functions is: evalexp (defined in expr.c) -> subexpr -> readtok + EXP_HIGHEST. In this way every arithmetic/bitwise/logical expression or variable assignment is evaluated.
The chain is triggered at L347 or L350:
    337 static int
    338 arithcomp (s, t, op, flags)
    339      char *s, *t;
    340      int op, flags;
    341 {
.......
    345   if (flags & TEST_ARITHEXP)
    346     {
-> 347       l = evalexp (s, 0, &expok);
    348       if (expok == 0)
    349         return (FALSE);         /* should probably longjmp here */
-> 350       r = evalexp (t, 0, &expok);
    351       if (expok == 0)
    352         return (FALSE);         /* ditto */
    353     }
.....

I've also tried on macOS with bash and sh. On Windows it works with git bash. Furthermore, zsh is also affected. I didn't try other *sh shells.

Repeat-By:
====== Arithmetic check bypass ======
Give "y" (as a string) as input to the script below and the equality will be satisfied. This is caused by the fact that the y given as input is evaluated as a shell variable by the expression evaluator.
Here is the script:
#!/path/to/bash

y=$RANDOM
read input
# $input is evaluated as an arithmetic expression here, so the input "y" resolves to the variable y
if [[ "$y" -eq "$input" ]]; then
    echo "OK"
fi

===== read/write of arbitrary shell variables ======
Give "x=42,xyz=UID" as input to the script below. After the test, x will contain 42 and xyz the UID value. The same logic applies to this bug. Furthermore, if PWD is given instead of UID, the PWD value is printed thanks to the evaluation error.
Here is the script:
#!/path/to/bash

x="VAL"
y=1234
read input

# the assignments in $input are executed by the arithmetic evaluator during the comparison
if [[ "$y" -eq "$input" ]]; then
    echo "OK"
fi

echo "x = $x"
echo "xyz = $xyz"

Fix:
A solution could be to use a simpler equality strategy for the arithmetic comparison, more or less like the logic of the string comparison implemented in the same file (test.c). Basically, the latter uses strcmp.
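The following is an added example and is not code from the bug report or from bash itself. It shows the script-side mitigation for the behaviour described above: reject anything that is not a literal integer before the value reaches -eq, so that a variable name or an assignment supplied as input is never handed to the arithmetic evaluator. The function names is_int, unsafe_eq and safe_eq are assumptions made for this example; the inputs "y" and "x=42,xyz=UID" are the ones used in the report.

```shell
#!/usr/bin/env bash
# Added example (not from the bug report): validate untrusted input as a plain
# integer before it reaches an arithmetic comparison, so that a variable name
# such as "y" or an assignment such as "x=42,xyz=UID" is rejected instead of
# being evaluated by the shell's expression evaluator.

# is_int STRING: succeed (return 0) only if STRING is an optionally signed
# decimal integer. Written with POSIX patterns so it works in sh and bash.
is_int() {
    case "$1" in
        ''|[+-]) return 1 ;;              # empty string or a bare sign
        [+-]*)   set -- "${1#[+-]}" ;;    # strip one leading sign
    esac
    case "$1" in
        ''|*[!0-9]*) return 1 ;;          # nothing left, or a non-digit present
    esac
    return 0
}

# unsafe_eq NUM INPUT: the pattern from the report. Inside [[ ]], -eq hands
# INPUT to the arithmetic evaluator, so "y" is read as the variable y and
# "x=42" assigns to x.
unsafe_eq() {
    [[ "$1" -eq "$2" ]]
}

# safe_eq NUM INPUT: returns 2 if INPUT is not a literal integer (rejected),
# 1 if the numbers differ, 0 if they are equal. The comparison runs only on
# a value that is already known to be a plain integer.
safe_eq() {
    is_int "$2" || return 2
    [ "$1" -eq "$2" ]
}

# Demonstration with constructed values mirroring the report.
y=1234
if unsafe_eq "$y" "y"; then
    echo "unsafe_eq: input 'y' accepted as equal to $y (evaluated as variable y)"
fi
rc=0; safe_eq "$y" "y" || rc=$?
echo "safe_eq: input 'y' -> rc=$rc (2 = rejected before evaluation)"
rc=0; safe_eq "$y" "1234" || rc=$?
echo "safe_eq: input '1234' -> rc=$rc (0 = equal)"
```

The validation deliberately uses case patterns rather than a second arithmetic context, so the untrusted string is never evaluated at all; the comparison that follows only ever sees digits and an optional sign. Leading zeros are still accepted here, and bash's [[ ]] evaluator would treat those as octal, so a stricter check can drop them if that matters for the script.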
