Published: 1999-04-20 00:00:00
Last revised: 2014-12-31 10:18:18

[Original text] The prompt parsing in bash allows a local user to execute commands as another user by creating a directory with the name of the command to execute.

[CNNVD] Bash Path Embedded Code Execution Vulnerability (CNNVD-199904-032)


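- CVSS (Base Score)

CVSS score: 4.6 [MEDIUM]
Confidentiality impact: PARTIAL [information disclosure is likely]
Integrity impact: PARTIAL [system files may be modified]
Availability impact: PARTIAL [may cause degraded performance or interrupted access to resources]
Access complexity: LOW [no access restrictions for exploitation]
Access vector: LOCAL [exploitation requires physical access or a local account]
Authentication: NONE [exploitation requires no authentication]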

- CWE (Weakness Category)

CWE-94 [Improper Control of Generation of Code ('Code Injection')]

- CPE (Affected Platforms and Products)

cpe:/a:gnu:bash:2.03  GNU Bourne-Again SHell bash (GNU Bash) 2.03
cpe:/a:gnu:bash:2.01  GNU Bourne-Again SHell bash (GNU Bash) 2.01
cpe:/a:gnu:bash:1.14.1  GNU Bourne-Again SHell bash (GNU Bash) 1.14.1
cpe:/a:gnu:bash:2.05:a  GNU Bourne-Again SHell bash (GNU Bash) 2.05a
cpe:/a:gnu:bash:2.02  GNU Bourne-Again SHell bash (GNU Bash) 2.02
cpe:/a:gnu:bash:1.14.7  GNU Bourne-Again SHell bash (GNU Bash) 1.14.7
cpe:/a:gnu:bash:2.0  GNU Bourne-Again SHell bash (GNU Bash) 2.0
cpe:/a:gnu:bash:1.14.6  GNU Bourne-Again SHell bash (GNU Bash) 1.14.6
cpe:/a:gnu:bash:2.02.1  GNU Bourne-Again SHell bash (GNU Bash) 2.02.1
cpe:/a:gnu:bash:2.04  GNU Bourne-Again SHell bash (GNU Bash) 2.04
cpe:/a:gnu:bash:2.05  GNU Bourne-Again SHell bash (GNU Bash) 2.05
cpe:/a:gnu:bash:1.14.4  GNU Bourne-Again SHell bash (GNU Bash) 1.14.4
cpe:/a:gnu:bash:1.14.3  GNU Bourne-Again SHell bash (GNU Bash) 1.14.3
cpe:/a:gnu:bash:1.14.0  GNU Bourne-Again SHell bash (GNU Bash) 1.14.0
cpe:/a:gnu:bash:1.14.5  GNU Bourne-Again SHell bash (GNU Bash) 1.14.5
cpe:/a:gnu:bash:1.14.2  GNU Bourne-Again SHell bash (GNU Bash) 1.14.2
cpe:/a:gnu:bash:2.01.1  GNU Bourne-Again SHell bash (GNU Bash) 2.01.1

- OVAL (Technical Details for Detection)


- Official Database Links
(Official data source) MITRE
(Official data source) NVD
(Official data source) CNNVD

- Other Links and Resources

- Vulnerability Information

Bash Path Embedded Code Execution Vulnerability
Medium severity  Input validation
1999-04-20 00:00:00 2006-08-23 00:00:00

- Advisories and Patches

Upgrade to Bash version 2.x. If you must continue to use Bash versions 1.x, replace '\w' with '$PWD', and '\W' with '${PWD##*/}'.

- Vulnerability Information (19095)

GNU GNU bash 1.14 Path Embedded Code Execution Vulnerability (EDBID:19095)
linux local
1999-04-20 Verified
0 shadow

A vulnerability in bash may allow inadvertently running commands embedded in the path to the currently working directory.

If an unsuspecting user enters a directory created by some malicious user with embedded commands, and their prompt (PS1) contains '\w' or '\W', the commands will be executed when the prompt is displayed. The vulnerability is in the parsing of the '\w' and '\W' escape codes.

Because the prompt must be displayed, unattended shell scripts are not vulnerable.

mkdir "\`echo -e \"echo + +> ~\57.rhosts\" > x; source x; rm -f \x\` "		

- 漏洞信息

Multiple Shell PS1 Variable Arbitrary Command Execution
Local Access Required Input Manipulation
Loss of Integrity Upgrade
Exploit Public

- Vulnerability Description

Bash shell contains a flaw that may allow a malicious user to run arbitrary commands embedded in the path to the current working directory. The issue is triggered when the prompt (PS1) contains '\w' or '\W': when the prompt is displayed, the embedded commands are executed. It is possible that the flaw may allow malicious command execution resulting in a loss of integrity.

- Timeline

1999-04-20 Unknown
Unknown Unknown

- Solution

Upgrade to version 2.x or higher, as it has been reported to fix this vulnerability. It is also possible to correct the flaw by implementing the following workaround(s): replace '\w' with '$PWD', and '\W' with '${PWD##*/}'.
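
The workaround above, applied mechanically to an existing PS1 value (an added example, not part of the original advisory). `rewrite_ps1` is a hypothetical helper name and the sample prompt string is constructed; the helper walks the string escape by escape so that an escaped backslash followed by `w` is left alone.

```shell
#!/bin/sh
# Added example: rewrite a PS1 string per the advisory's workaround,
#   \w -> $PWD      and      \W -> ${PWD##*/}
# rewrite_ps1 is a hypothetical helper, not part of bash.
# The body runs in a subshell "( ... )" so its variables do not leak.
rewrite_ps1() (
    s=$1
    out=
    while [ -n "$s" ]; do
        rest=${s#?}            # everything after the first character
        c=${s%"$rest"}         # the first character itself
        s=$rest
        if [ "$c" = '\' ] && [ -n "$s" ]; then
            # A backslash starts a two-character prompt escape.
            rest=${s#?}
            n=${s%"$rest"}
            s=$rest
            case $n in
                w) out=$out'$PWD' ;;          # full working directory
                W) out=$out'${PWD##*/}' ;;    # last path component
                *) out=$out$c$n ;;            # \u, \h, \$, \\ ... unchanged
            esac
        else
            out=$out$c
        fi
    done
    printf '%s\n' "$out"
)

# Constructed sample prompt using the affected \w escape.
rewrite_ps1 '\u@\h:\w\$ '    # prints \u@\h:$PWD\$ 
```

Assign the rewritten value to PS1 in single quotes so that `$PWD` is expanded each time the prompt is displayed rather than once at assignment.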

- Related References

- Vulnerability Author