Wednesday, November 12, 2008

Bash Path Security Gotcha!

The devil they say is in details, even the simple Bash path variable can open some security problems on your box. Every Bash documentation out there warns us not leave '.' in the path (it matches current directory). They however don't seems to mention that leaving a dangling ':' (colon) at the beginning or the end of Bash $PATH does create the same security vulnerability.

# Standard Bash $PATH $ echo $PATH /usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/usr/games # Let's get evil, append a colon at the end $ export PATH="$PATH:" # Let's check the tainted Bash $PATH $ echo $PATH /usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/usr/games: # Create Trojan application (of sorts) $ echo "echo foo"> app $ chmod +x app # Run the command and Viola! $ app foo

2 comments:

  1. This is a feature of Bash; it is mentioned in Bash manual, see Bash(1)

    ReplyDelete
  2. Icy, this is a 'Gotcha' post.

    In programming, a gotcha is a feature of a system, a program or a programming language that works in the way it is documented but is counter-intuitive and almost invites mistakes because it is both enticingly easy to invoke and completely unexpected and/or unreasonable in its outcome.
    Source: http://en.wikipedia.org/wiki/Gotcha_(programming)

    ReplyDelete

You can leave a comment here using your Google account, OpenID or as an anonymous user.

Popular Posts