Patch : HOSTNAME=${HOSTNAME//[^A-Za-z0-9_-]/_}
--
You received this bug notification because you are a member of Ubuntu Touch seeded packages, which is subscribed to bash in Ubuntu.
https://bugs.launchpad.net/bugs/1507025

Title:
  Shell Command Injection with the hostname

Status in bash package in Ubuntu:
  New

Bug description:
  If the HOSTNAME of the PC contains a shell command, the command will run every time you start a terminal, tty or xterm. The command will also be executed every time you type in some command. If you for example change the directory, it will run again.

  Exploit Demo:
  1) edit "/etc/hosts" to this:
     127.0.0.1 localhost
     127.0.1.1 `ls>bug`
  2) edit "/etc/hostname" to this:
     `ls>bug`
  3) reboot
  4) start a terminal
  5) Now a file with the name "bug" will be in your home folder!
  6) Change the directory to Downloads with "cd Downloads/"
  7) Now a file with the name "bug" is in your Downloads!
  8) Remove the file with "rm bug"
  9) The file "bug" is still there!

  Have a look at the screenshot I have attached.

  Solution:
  The hostname should be checked for shell commands inside!!

  By the way: The hostname is not always in the hands of the root. Some people rent "vservers" and the hostname is in the hands of the ISP.
  ProblemType: Bug
  DistroRelease: Ubuntu 15.10
  Package: bash 4.3-14ubuntu1
  ProcVersionSignature: Ubuntu 4.2.0-15.18-generic 4.2.3
  Uname: Linux 4.2.0-15-generic x86_64
  ApportVersion: 2.19.1-0ubuntu2
  Architecture: amd64
  CurrentDesktop: Unity
  Date: Fri Oct 16 22:31:46 2015
  InstallationDate: Installed on 2015-10-09 (6 days ago)
  InstallationMedia: Ubuntu 15.10 "Wily Werewolf" - Alpha amd64 (20151009)
  SourcePackage: bash
  UpgradeStatus: No upgrade log present (probably fresh install)

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/bash/+bug/1507025/+subscriptions

--
Mailing list: https://launchpad.net/~touch-packages
Post to     : touch-packages@lists.launchpad.net
Unsubscribe : https://launchpad.net/~touch-packages
More help   : https://help.launchpad.net/ListHelp
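As an added example that is not part of the bug report or of the bash project, here is a POSIX sh check and sanitizer a defender can apply to a hostname before it is placed in any string bash will expand (the prompt via \h, terminal titles, log lines). The function names and sample values are my own; the backtick string is the one from the report above.

```shell
#!/bin/sh
# Added example, not from the bug report: validate/sanitize a hostname before
# it reaches any string bash expands (PS1 via \h, window titles, log lines).
# The report's root cause is that bash re-expands the prompt after \h has
# been substituted, so backticks in the hostname become a command substitution.
# POSIX sh only, so it behaves the same under dash and bash.

# Strict check: labels of letters, digits and hyphens, joined by dots, with no
# leading/trailing hyphen or dot and no empty label. Every other character
# (backtick, $, ;, space, ...) is rejected. Returns 0 when safe, 1 otherwise.
hostname_is_safe() {
    name=$1
    [ -n "$name" ] || return 1
    case "$name" in
        *[!A-Za-z0-9.-]*) return 1 ;;   # character outside the safe set
        -*|*-|.*|*.|*..*) return 1 ;;   # malformed label boundary
    esac
    return 0
}

# Fallback for callers that must display something: map every character
# outside [A-Za-z0-9._-] to '_'. Same idea as the one-line patch above, done
# with sed so the hyphen is unambiguously literal (it sits last in the set).
sanitize_hostname() {
    printf '%s\n' "$1" | sed 's/[^A-Za-z0-9._-]/_/g'
}

# Constructed sample values; the second one is the string from the report.
main_demo() {
    for h in 'web-01.example.org' '`ls>bug`' 'web 01' '-bad-' 'a..b'; do
        if hostname_is_safe "$h"; then
            printf 'OK      %s\n' "$h"
        else
            printf 'REJECT  %s  (sanitized: %s)\n' "$h" "$(sanitize_hostname "$h")"
        fi
    done
}
main_demo
```

Independently of input checking, turning off prompt re-expansion with `shopt -u promptvars` (a stock bash option, not mentioned in the report) removes the expansion step that turns the hostname into executed code.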