On 9/14/18 5:52 PM, j...@kitenet.net wrote:
> Bash Version: 4.4
> Patch Level: 23
> Release Status: release
>
> Description:
>
> CVE-2018-7738 was caused by a bash completion script using compgen -W
> with untrusted input. For some reason compgen -W evals its input:
>
> $ compgen -W '`cat /etc/shadow`'
> cat: /etc/shadow: Permission denied
>
> Which makes code like this turn out to be a security hole:
>
> DEVS_MPOINTS="$(mount | awk '{print $1, $3}')"
> COMPREPLY=( $(compgen -W "$DEVS_MPOINTS" -- $cur) )
>
> Grimm reviewed several other bash completion scripts for similar security
> holes, and while they didn't find any, there were several near misses
> where the code was probably only not exploitable by accident.
> https://blog.grimm-co.com/post/malicious-command-execution-via-bash-completion-cve-2018-7738/
>
> I don't know why compgen -W evals; there may be a good reason. Or it may be
> a bug. The documentation for compgen does not seem to mention this
> behavior.
`compgen' works the same as any other programmable completion specified
with `complete'. The programmable completion documentation says:

    "Next, the string specified as the argument to the -W option is
    considered. The string is first split using the characters in the IFS
    special variable as delimiters. Shell quoting is honored. Each word is
    then expanded using brace expansion, tilde expansion, parameter and
    variable expansion, command substitution, and arithmetic expansion, as
    described above under EXPANSION. The results are split using the rules
    described above under Word Splitting."

Since the `compgen' description says:

    "The matches will be generated in the same way as if the programmable
    completion code had generated them directly from a completion
    specification with the same flags."

it's hard to characterize this as a surprise. The entire rationale for `-W'
is to take a string composed of separate words, possibly quoted (so
possible completions can contain spaces or metacharacters), expand them,
and take the results of the expansion as the list of possible completions.
It's explicitly designed to split and expand the contents of its argument,
as if they were a set of words on a command line, and the man page is clear
about what it does.

There are a couple of obvious ways to go: you can single-quote the argument
to -W, which will inhibit any expansion before compgen gets hold of it, and
which is probably easiest; or you can do your own filtering to restrict to
matches of $cur with some combination of -X and negated patterns.

Chet
-- 
``The lyf so short, the craft so long to lerne.'' - Chaucer
``Ars longa, vita brevis'' - Hippocrates
Chet Ramey, UTech, CWRU c...@case.edu http://tiswww.cwru.edu/~chet/
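An added illustration of the two points made in this thread (example code, not from either message): a constructed mount listing whose mount point name embeds a backquoted command is fed to the reported `compgen -W "$var"` pattern and to the single-quoted `compgen -W '$var'` form suggested in the reply. It assumes `bash` is on PATH and that `${TMPDIR:-/tmp}` is writable for the marker file; the mount list, device names and marker path are all constructed for the demo.

```shell
# Constructed demo (added here, not from the thread): a fake
# "mount | awk '{print $1, $3}'" listing whose second mount point carries a
# backquoted command, standing in for an attacker-chosen volume label.
# The command does nothing but create MARKER, so its presence shows whether
# the embedded command ran.  ":>file" is used so the payload has no spaces.
MARKER="${TMPDIR:-/tmp}/compgen_demo_ran.$$"
MOUNTS="/dev/sda1 /
/dev/sdb1 /mnt/\`:>$MARKER\`data"

# The pattern from the report: the calling shell expands "$words" into the
# -W argument, then compgen splits that argument (honoring the backquotes
# as quoting) and expands every word again, so the command substitution runs.
complete_vulnerable() {
    bash -s -- "$1" "$2" <<'EOF'
words="$1"; cur="$2"
compgen -W "$words" -- "$cur"
EOF
}

# The fix suggested in the reply: single-quote the -W argument so the only
# expansion is the one compgen performs.  It expands $words once and
# word-splits the result, but never re-expands it, so the backquotes in the
# mount point name are plain data and simply appear in the completion list.
complete_safe() {
    bash -s -- "$1" "$2" <<'EOF'
words="$1"; cur="$2"
compgen -W '$words' -- "$cur"
EOF
}

# Runs completion function $1 for prefix $2 on the constructed listing;
# succeeds only if the embedded command actually executed.
command_fired() {
    rm -f "$MARKER"
    "$1" "$MOUNTS" "$2" >/dev/null || :
    if [ -e "$MARKER" ]; then fired=0; else fired=1; fi
    rm -f "$MARKER"
    return $fired
}

for fn in complete_vulnerable complete_safe; do
    if command_fired "$fn" /mnt; then state=fired; else state=inert; fi
    printf '%-19s payload %-5s completions: %s\n' "$fn" "$state" \
        "$("$fn" "$MOUNTS" /mnt | tr '\n' ' ')"
done
rm -f "$MARKER"
```

The vulnerable form reports the payload as fired and completes to `/mnt/data` (the command substitution was replaced by its empty output); the safe form leaves the marker untouched and offers the literal mount point name, backquotes included.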