From: Greg Wooledge
Newsgroups: gnu.bash.bug
Subject: Re: BUG in arithcomp: bypass of the check condition and arbitrary read/write of shell variables
Date: Fri, 10 Apr 2020 10:47:16 -0400
Message-ID: <20200410144716.GH845@eeg.ccf.org>
To: Raffaele Florio
Cc: bug-bash@gnu.org

On Fri, Apr 10, 2020 at 09:44:31AM +0000, Raffaele Florio via Bug reports for the GNU Bourne Again SHell wrote:

> Indeed the functions called by arithcomp cause the evaluation of the
> supplied arithcomp function argument, potentially fed by user input.
> Give as input "x=42,xyz=UID" to the below script. After the test x will
> contain 42 and xyz the UID value. The same logic in this bug.
> Furthermore if PWD is given, instead of UID, the PWD value is printed
> thanks to the evaluation error.

Yeah, this is a "well known feature". Arithmetic expansions of all kinds in
bash are susceptible to arbitrary code execution, if any part of the
arithmetic expansion is fed by unsafe input.
This applies to every single place an arithmetic context can appear,
including the let and (( commands, the $(( expansion, the -eq operator of
the [[ command, indexed array indices, and the numeric parts of the
${variable:start:length} expansion. And possibly more.

unicorn:~$ x='a[$(id >&2)0]' a=7
unicorn:~$ [[ "$x" -eq 42 ]]
uid=1000(greg) gid=1000(greg) groups=1000(greg),24(cdrom),25(floppy),27(sudo),29(audio),30(dip),44(video),46(plugdev),108(netdev)
unicorn:~$ echo "${y[x]}"
uid=1000(greg) gid=1000(greg) groups=1000(greg),24(cdrom),25(floppy),27(sudo),29(audio),30(dip),44(video),46(plugdev),108(netdev)
unicorn:~$ echo "${PWD:x}"
uid=1000(greg) gid=1000(greg) groups=1000(greg),24(cdrom),25(floppy),27(sudo),29(audio),30(dip),44(video),46(plugdev),108(netdev)
reg
unicorn:~$

To the best of my knowledge, this is not considered a bug in bash, but
rather a bug in your script, if you fail to sanitize user input before
passing it to an arithmetic context.