Re: Random parser error of $() when there is a case inside
Thanks Chet and Dennis, Dennis, your workaround did work. Regards, Em sáb, 5 de dez de 2015 às 18:58, Chet Ramey escreveu: > On 12/4/15 1:25 PM, Luiz Angelo Daros de Luca wrote: > > > Bash Version: 4.2 > > Patch Level: 53 > > Release Status: release > > > > Description: > > While writing a script, I faced a random parser error with code like > > > > A=$( > > ... > > case b in > > c) > > ... > > esac > > ... > > ) > > > > Minor changes like renaming a variable skips the problem. It seems that > the > > parser gets confused in some cases. > > This was fixed back in bash-4.3. > > Chet > -- > ``The lyf so short, the craft so long to lerne.'' - Chaucer > ``Ars longa, vita brevis'' - Hippocrates > Chet Ramey, ITS, CWRUc...@case.edu > http://cnswww.cns.cwru.edu/~chet/ > -- Luiz Angelo Daros de Luca
Bug on function.
hi, there's a bug on function that allow attacker to inject parameters.
./report.sh "echo ln -s /sbin/halt; mv halt ;reboot8 ; reboot" AAA AAA AAA
AAA AAA AAA AAA AAA AAA AAA AAA AAA AAA AAA AAA AAA AAA AAA AAA AAA
#!/bin/bash
function library {
echo ${@}
}
function Gateway {
unset param
param[7]="$8"
piaram[8]="$9"
param[9]="$10"
param[10]="$11"
param[11]="$12"
param[12]="$13"
param[13]="$14"
param[14]="$15"
param[15]="$16"
param[16]="$17"
param[17]="$18"
param[18]="$19"
#echo "After Passing Thru Function: ${param[@]}"
echo "9th: `$9`"
echo "10th: $10"
echo "11th: $11"
echo "12th: $12"
echo "13th: $13"
echo "14th: $14"
echo "15th: $15"
echo "16th: $16"
echo "17th: $17"
$18
echo "19th: $19"
echo "20th: $20"
}
echo "Before Passing Thru Function: $*"
Gateway $*
Re: Bug on function.
Hi,
Please try my payload on that script, before telling me what $@ and $*
does. and see if my param1 injection will cause your system to reboot on
18th param. it has nothing to do with $@ & $*, it's another bugs on bash
which i found out, similar to shockbash, except it's harder to execute due
to the requirement for it to happen.
Regards
KT
On Tue, Dec 8, 2015 at 2:30 PM, Quentin wrote:
> On 2015-12-08 02:45, Kelvin Tan Thiam Teck wrote:
>
>> hi, there's a bug on function that allow attacker to inject
>> parameters.
>> ./report.sh "echo ln -s /sbin/halt; mv halt ;reboot8 ; reboot" AAA AAA
>> AAA AAA AAA AAA AAA AAA AAA AAA AAA AAA AAA AAA AAA AAA AAA AAA AAA
>> AAA
>>
>> #!/bin/bash
>> function library {
>> echo ${@}
>> }
>> function Gateway {
>> unset param
>> param[7]="$8"
>> piaram[8]="$9"
>> param[9]="$10"
>> param[10]="$11"
>> param[11]="$12"
>> param[12]="$13"
>> param[13]="$14"
>> param[14]="$15"
>> param[15]="$16"
>> param[16]="$17"
>> param[17]="$18"
>> param[18]="$19"
>> #echo "After Passing Thru Function: ${param[@]}"
>> echo "9th: `$9`"
>> echo "10th: $10"
>> echo "11th: $11"
>> echo "12th: $12"
>> echo "13th: $13"
>> echo "14th: $14"
>> echo "15th: $15"
>> echo "16th: $16"
>> echo "17th: $17"
>> $18
>> echo "19th: $19"
>> echo "20th: $20"
>> }
>> echo "Before Passing Thru Function: $*"
>> Gateway $*
>>
>
> Hi,
>
> I think you should read the "Special Parameters" and "Parameter Expansion"
> sections of the Bash man page.
> Specifically:
> * $* does not expand parameters as separate words (as "$@" does)
> * positional parameters with more than 1 digit require braces: "${11}"
>
> Cheers,
> Quentin
>
Re: Bug on function.
On Tue, Dec 8, 2015 at 9:16 AM, Kelvin Tan Thiam Teck wrote: > Hi, > Please try my payload on that script, before telling me what $@ and $* > does. and see if my param1 injection will cause your system to reboot on > 18th param. it has nothing to do with $@ & $*, it's another bugs on bash > which i found out, similar to shockbash, except it's harder to execute due > to the requirement for it to happen. > > > Regards > KT > > But it's code injection because your script is badly written, it's not a bug in bash. It's badly written because without quotes around "$@" the parameters are split into words and then you tell bash to execute one of these words. Bash does what it is supposed to do in your example. And yes, there are many many way to write a script that allows code injections. Shellshock was entirely different in that it allowed to inject code no matter how the script was written..
Re: Bug on function.
dumbass@Lucifer:~$ ./report.sh "echo ln -s /sbin/halt; mv halt ;reboot8 ;* reboot*" AAA AAA AAA AAA AAA AAA AAA AAA AAA AAA AAA AAA AAA AAA AAA AAA AAA AAA AAA AAA Before Passing Thru Function: echo ln -s /sbin/halt; mv halt ;reboot8 ; reboot AAA AAA AAA AAA AAA AAA AAA AAA AAA AAA AAA AAA AAA AAA AAA AAA AAA AAA AAA AAA reboot: Need to be root 9th: 10th: echo0 11th: echo1 12th: echo2 13th: echo3 14th: echo4 15th: echo5 16th: echo6 17th: echo7 ./report.sh: line 29: echo8: command not found 19th: echo9 20th: ln0 dumbass@Lucifer:~$ On Tue, Dec 8, 2015 at 3:27 PM, Pierre Gaston wrote: > On Tue, Dec 8, 2015 at 9:16 AM, Kelvin Tan Thiam Teck > wrote: > >> Hi, >> Please try my payload on that script, before telling me what $@ and $* >> does. and see if my param1 injection will cause your system to reboot on >> 18th param. it has nothing to do with $@ & $*, it's another bugs on bash >> which i found out, similar to shockbash, except it's harder to execute due >> to the requirement for it to happen. >> >> >> Regards >> KT >> >> > But it's code injection because your script is badly written, it's not a > bug in bash. > It's badly written because without quotes around "$@" the parameters are > split into words and then you tell bash to execute one of these words. > Bash does what it is supposed to do in your example. > > And yes, there are many many way to write a script that allows code > injections. > > Shellshock was entirely different in that it allowed to inject code no > matter how the script was written.. > >
