Re: I've found a vulnerability in bash

[Alex fxmbsw7 Ratchev]

dude, again, --version is not bashs arg, cp and touch et la are not bash
and what u do there is start a suid bash
is that such a wonder ?

On Fri, Nov 19, 2021, 11:53 Marshall Whittaker <marshallwhittaker@gmail.com>
wrote:

> You could argue that bash should parse filenames globbed from * that start
> with - and exclude them specifically, so I'll have to respectfully
> disagree.  Also, it is not the programs doing the parsing of *, that is a
> function of bash.  Try typing * in just your terminal/command line and see
> what happens.
> A short whitepaper on it has been made public at:
> https://oxagast.org/posts/bash-wildcard-expansion-arbitrary-command-line-arguments-0day/
> complete with a mini PoC.
>
> On Wed, Nov 17, 2021 at 9:04 AM Chet Ramey <chet.ramey@case.edu> wrote:
>
>> On 11/17/21 4:16 AM, Marshall Whittaker wrote:
>>
>> > This shouldn't happen beacuse you can drop a file and then redirect
>> > other code for example calling a script if you only have access to drop
>> > a file.  Say a cronjob was running every hour, and it did rm * on some
>> > folder, by expansion, you could expand it to -riv or whatever you
>> > wanted and redirect program flow from there.
>>
>> That's just bad scripting.
>>
>> --
>> ``The lyf so short, the craft so long to lerne.'' - Chaucer
>>                  ``Ars longa, vita brevis'' - Hippocrates
>> Chet Ramey, UTech, CWRU    chet@case.edu    http://tiswww.cwru.edu/~chet/
>>
>