From: Nils Emmerich
Subject: Re: Code Execution in Mathematical Context
Date: Tue, 4 Jun 2019 16:39:51 +0200
User-agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:60.0) Gecko/20100101 Thunderbird/60.7.0
If you run echo "$((v))" and v is a user-supplied variable, and the user puts a specific string in v, he can execute whatever he wants in the name of the script, because echo "$((v))" will run that code.
On 6/4/2019 at 4:29 PM, Chet Ramey wrote:

> On 6/4/19 7:42 AM, Nils Emmerich wrote:
>> Bash Version: 5.0
>> Patch Level: 0
>> Release Status: release
>>
>> Description:
>> It is possible to get code execution via a user-supplied variable in the mathematical context. I don't know if this is considered a bug or not, but if not, I think people should be made aware that the mathematical context is unsafe.
>
> The tokens in a mathematical expression undergo a set of word expansions. If you could post the example you're using we can analyze its behavior.
--
Nils Emmerich
ERNW Research GmbH
Carl-Bosch-Str. 4
69115 Heidelberg
www.ernw.de
Tel. +49 6221 480390 (office)
Handelsregister Mannheim HRB 723285
Managing Director: Dr.-Ing. Andreas Dewald
Blog: www.insinuator.net
Conference: www.troopers.de
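As an added example (not part of this thread and not code from either poster), the following contrasts feeding untrusted input straight into `$((v))`, where the string is parsed as an expression rather than treated as a number, with a guard that admits only plain integers; the function names `unsafe_arith` and `safe_arith` are made up for the illustration.

```shell
#!/bin/sh
# Added example: why "$((v))" on untrusted input is unsafe, and a guard
# that only lets plain integers reach the arithmetic context.

# Unsafe: the contents of v are parsed as an arithmetic expression, so
# operators and variable names inside v are evaluated, not echoed back.
# Anything the shell expands while evaluating that expression runs with
# the script's privileges.
unsafe_arith() {
    v=$1
    echo "$((v))"
}

# Safe: accept an optional sign followed by digits, nothing else, and
# reject it before it is ever evaluated. Leading zeros are refused too,
# because bash reads "010" as octal 8 and "08" as an error.
safe_arith() {
    digits=${1#[+-]}          # strip one leading sign for the check
    case $digits in
        ''|*[!0-9]*|0?*)
            printf 'rejected: not a plain integer: %s\n' "$1" >&2
            return 1 ;;
    esac
    echo "$(($1))"
}

# Constructed inputs: "1+1" shows the string is interpreted as code by
# the unsafe form (prints 2) and is refused by the guarded form.
unsafe_arith '1+1'
safe_arith '1+1' || :
safe_arith 42
```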