2014-09-30 17:06:22 +0100, Stephane Chazelas:
[...]
> Same with "export -p":
>
> $ env -i $'a\necho test\na=b' ksh -c 'export -p' | ksh
> test
>
> And bash is also vulnerable.
>
> $ env -i $'a\necho test\na=b' bash -c 'export -p'
> declare -x OLDPWD
> declare -x PWD="/home/stephane"
> declare -x SHLVL="1"
> declare -x a
> echo test
> a
>
> (that output doesn't make much sense, suggesting it may also
> hide more bugs and vulnerabilities).
[...]

Sorry, it does make sense. "bash" just outputs:

declare -x var-name

when var-name is not a valid identifier in the current locale.

Both ksh and bash's can be exploited using the LC_XXX with ssh ForceCommand vector (and the output of "export -p" being evaluated somehow).

-- 
Stephane
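As an added illustration (not part of this thread, and not code from bash or ksh): the safe alternative to evaluating `export -p` output is to serialise the environment yourself, dropping any entry whose name is not a valid shell identifier and single-quoting every value. The sample environment below is constructed from the post's example; `split_environ`, `invalid_names` and `safe_export_script` are hypothetical helper names.

```python
import re
import shlex

# A POSIX shell identifier: letters, digits and underscore, no leading digit.
# Anything else (such as a name containing a newline) is what "export -p"
# prints unquoted as "declare -x <name>".
IDENT_RE = re.compile(r'\A[A-Za-z_][A-Za-z0-9_]*\Z')


def split_environ(entries):
    """Split raw 'NAME=value' envp entries into (name, value) pairs.

    Only the first '=' separates name from value, exactly as the C runtime
    does, so a name may legally contain newlines or spaces here.  An entry
    with no '=' yields a value of None.
    """
    pairs = []
    for entry in entries:
        name, sep, value = entry.partition('=')
        pairs.append((name, value if sep else None))
    return pairs


def invalid_names(entries):
    """Return every environment name that is not a valid shell identifier."""
    return [name for name, _ in split_environ(entries) if not IDENT_RE.match(name)]


def safe_export_script(entries):
    """Serialise the environment as 'export NAME=value' lines safe to eval.

    Entries whose names fail IDENT_RE are skipped rather than emitted, and
    values are quoted with shlex.quote so a value can never break out of
    its assignment.
    """
    lines = []
    for name, value in split_environ(entries):
        if not IDENT_RE.match(name):
            continue                      # never emit a non-identifier name
        if value is None:
            lines.append(f"export {name}")
        else:
            lines.append(f"export {name}={shlex.quote(value)}")
    return "\n".join(lines)


# Constructed sample: the injected name from the post plus a few benign entries.
SAMPLE_ENV = ["a\necho test\na=b", "PWD=/home/stephane", "SHLVL=1", "MSG=it's here"]
```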