Hi
For the record it does not work with "fake" exported functions. I was scared
this could be really bad be so I've tested this case :
Here is inject.py
#!/usr/bin/python -tt
import os
os.putenv('BASH_FUNC_foo%%', '''() { avg=0;
avg=((avg+6));
echo -n "This function was never called. Bash version:";
/bin/bash --version | head -1;
}''')
os.system("bash")
And, it happily failed:
$ python inject.py
bash: foo: ligne 1: Erreur de syntaxe près du symbole inattendu « ( »
bash: foo: ligne 1: ` avg=((avg+6));'
bash: avertissement : foo: ignoring function definition attempt
bash: erreur lors de l'import de la définition de fonction pour « foo »
$
I think the shellshock mitigations have blocked the injection from happening.
Do you think these should/could be applied to all function definitions?
Regards.
D
--
Damien Nadé <[email protected]>
Astek Sud-Est pour Orange/OF/DTSI/DSI/DSI DFY/HBX/GOT
From: bug-bash [mailto:[email protected]] On Behalf
Of David Maas
Sent: lundi 18 avril 2016 21:52
To: [email protected]
Subject: Bug in syntax checking causes unintended running of a function
Hi! I found a bug in bash, I've checked versions 4.1 (centos 6.7), 4.2 (centos
7.2), and 4.3.30 (from the ftp site). The bug is that if you do a double
parenthesis math thing with the wrong syntax, the script runs the function
during what I assume is syntax checking. Demonstration script is attached.
-------------- Script --------------
#!/bin/bash
#Should be avg=((avg+6))
function neverrunme
{
avg=0
avg=(($avg+6))
echo -n "This function was never called. Bash version:"
/bin/bash --version | head -1
}
echo "Welcome to this demonstration."
-------------- Output --------------
[dm5284@juphub ~]$ ./test-file.sh
./test-file.sh: line 7: syntax error near unexpected token `('
./test-file.sh: line 7: ` avg=(($avg+6))'
This function was never called. Bash version:GNU bash, version
4.2.46(1)-release (x86_64-redhat-linux-gnu)
./test-file.sh: line 10: syntax error near unexpected token `}'
./test-file.sh: line 10: `}'
_________________________________________________________________________________________________________________________
Ce message et ses pieces jointes peuvent contenir des informations
confidentielles ou privilegiees et ne doivent donc
pas etre diffuses, exploites ou copies sans autorisation. Si vous avez recu ce
message par erreur, veuillez le signaler
a l'expediteur et le detruire ainsi que les pieces jointes. Les messages
electroniques etant susceptibles d'alteration,
Orange decline toute responsabilite si ce message a ete altere, deforme ou
falsifie. Merci.
This message and its attachments may contain confidential or privileged
information that may be protected by law;
they should not be distributed, used or copied without authorisation.
If you have received this email in error, please notify the sender and delete
this message and its attachments.
As emails may be altered, Orange is not liable for messages that have been
modified, changed or falsified.
Thank you.
