Re: compgen -W evaluation is leading to security holes

From Chet Ramey <chet.ramey@case.edu>
Newsgroups gnu.bash.bug
Subject Re: compgen -W evaluation is leading to security holes
Date Sat, 15 Sep 2018 14:24:09 -0400
Organization ITS, Case Western Reserve University
Message-ID <mailman.822.1537035860.1284.bug-bash@gnu.org>
References <20180914215243.487991140754@darkstar.kitenet.net>
To joey@kitenet.net, bug-bash@gnu.org, bash@packages.debian.org

On 9/14/18 5:52 PM, joey@kitenet.net wrote:

> Bash Version: 4.4
> Patch Level: 23
> Release Status: release
> 
> Description:
> 
> CVE-2018-7738 was caused by a bash completion script using compgen -W
> with untrusted input. For some reason compgen -W evals its input:
> 
> 	$ compgen -W '`cat /etc/shadow`'
> 	cat: /etc/shadow: Permission denied
> 
> Which makes code like this turn out to be a security hole:
> 
> 	DEVS_MPOINTS="$(mount | awk '{print $1, $3}')"
> 	COMPREPLY=( $(compgen -W "$DEVS_MPOINTS" -- $cur) )
> 
> Grimm reviewed several other bash completion scripts for similar security
> holes, and while they didn't find any, there were several near misses
> where the code was probably only not exploitable by accident.
> https://blog.grimm-co.com/post/malicious-command-execution-via-bash-completion-cve-2018-7738/
> 
> I don't know why compgen -W evals; there may be a good reason. Or it may be
> a bug. The documentation for compgen does not seem to mention this
> behavior. 

`compgen' works the same as any other programmable completion specified
with `complete'. The programmable completion documentation says:

"Next, the string specified as the argument to the -W option is considered.
 The string is first split using the characters in the IFS special variable
 as delimiters. Shell quoting is honored. Each word is then expanded using
 brace expansion, tilde expansion, parameter and variable expansion, command
 substitution, and arithmetic expansion, as described above under EXPANSION.
 The results are split using the rules described above under Word Splitting."

Since the `compgen' description says:

"The matches will be generated in the same way as if the programmable
 completion code had generated them directly from a completion
 specification with the same flags."

it's hard to characterize this as a surprise.

The entire rationale for `-W' is to take a string composed of separate
words, possibly quoted (so possible completions can contain spaces or
metacharacters), expand them, and take the results of the expansion
as the list of possible completions. It's explicitly designed to split
and expand the contents of its argument, as if they were a set of words
on a command line, and the man page is clear about what it does.

There are a couple of obvious ways to go: you can single-quote the
argument to -W, which will inhibit any expansion before compgen gets
hold of it, and which is probably easiest; or you can do your own filtering
to restrict to matches of $cur with some combination of -X and negated
patterns.

Chet
-- 
``The lyf so short, the craft so long to lerne.'' - Chaucer
		 ``Ars longa, vita brevis'' - Hippocrates
Chet Ramey, UTech, CWRU    chet@case.edu    http://tiswww.cwru.edu/~chet/
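The second option Chet describes, doing your own filtering instead of handing untrusted text to `compgen -W`, is shown below as an added example; it is not code from the original message, from the bash-completion project, or from bash itself. The function and variable names (`filter_prefix`, `demo_matches`, `untrusted_list`) are assumptions for this illustration, and the candidate list is constructed to look like the word-split output of the `mount | awk` pipeline in the report, with two mount-point names that embed command and backtick substitutions. Because matching is a literal `case` prefix comparison in POSIX sh, nothing in the list is ever expanded, and the hostile names come back as inert candidate strings.

```shell
#!/bin/sh
# Added example: completion candidate filtering without compgen -W.
#
# The report's pattern,  COMPREPLY=( $(compgen -W "$DEVS_MPOINTS" -- $cur) ),
# expands $DEVS_MPOINTS twice: once by the shell (double quotes), and again
# by compgen, which by documented design runs brace, tilde, parameter,
# command and arithmetic expansion on every word it is given.  Any `...` or
# $(...) text inside a mount point name therefore executes.  The filter
# below never expands a candidate at all.

# filter_prefix PREFIX
#   Reads one candidate per line on stdin and prints, verbatim, those that
#   begin with PREFIX.  `case` compares the candidate as data: the quoted
#   "$prefix" is matched literally and the trailing * is the only glob.
filter_prefix() {
    prefix=$1
    while IFS= read -r word; do
        case $word in
            "$prefix"*) printf '%s\n' "$word" ;;
        esac
    done
}

# Constructed sample (hypothetical): what `mount | awk '{print $1, $3}'`
# would yield after splitting into one word per line, with two mount-point
# names chosen to show that no substitution is performed on candidates.
untrusted_list='/dev/sda1
/
/dev/sdb1
/mnt/$(echo EXPANDED)
/mnt/`id`
tmpfs
/run'

# demo_matches CUR
#   Stands in for the completion function: CUR plays the role of $cur, and
#   the printed lines are what would be assigned to COMPREPLY.
demo_matches() {
    printf '%s\n' "$untrusted_list" | filter_prefix "$1"
}

# Stand-alone run: completing "/mnt" returns both hostile names unchanged.
demo_matches /mnt
```

The same single-expansion property is what Chet's first option buys under bash: passing the variable reference single-quoted, as in `compgen -W '$DEVS_MPOINTS' -- "$cur"`, leaves compgen to expand `$DEVS_MPOINTS` exactly once, and the documentation quoted above only word-splits that result rather than rescanning it for further substitutions. Whichever route is taken, the filter approach has the advantage of being reviewable in isolation: a candidate list is treated as data end to end, so a hostile mount point name cannot become a command no matter how the list was produced.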
