← Back to team overview

touch-packages team mailing list archive

[Bug 1507025] Re: Shell Command Injection with the hostname

 

german demo video
https://www.youtube.com/watch?v=qYuVzHsklS8

-- 
You received this bug notification because you are a member of Ubuntu
Touch seeded packages, which is subscribed to bash in Ubuntu.
https://bugs.launchpad.net/bugs/1507025

Title:
  Shell Command Injection with the hostname

Status in bash package in Ubuntu:
  New

Bug description:
  If the HOSTNAME of the pc contains a shell command , 
  the command will run every time you start a terminal, tty or xterm.

  The command will also executed every time when you type in some command.
  If you for example change the directory , it will run again.
   
  Exploit Demo :

  1) edit "/etc/hosts"  to this :

  127.0.0.1	localhost
  127.0.1.1      `ls>bug`

  2) edit "/etc/hostname" to this :

  `ls>bug`

  3) reboot

  4) start a terminal

  5) Now a file with the name "bug" will in your home folder !

  6) Change the directory to Downloads with "cd Downloads/"

  7) Now a file with the name "bug" is in your Downloads !

  8) Remove the file with  "rm bug"

  9) The file "bug" is still there !

  
  Have a look on the screenshot i have attached.

  Solution:
  The hostname should be checked if there are shell commands inside !!

  By the way :
  The hostname is not always in the hands of the root. 
  Some people rent "vservers" and the hostname is in the hands of the isp.

  ProblemType: Bug
  DistroRelease: Ubuntu 15.10
  Package: bash 4.3-14ubuntu1
  ProcVersionSignature: Ubuntu 4.2.0-15.18-generic 4.2.3
  Uname: Linux 4.2.0-15-generic x86_64
  ApportVersion: 2.19.1-0ubuntu2
  Architecture: amd64
  CurrentDesktop: Unity
  Date: Fri Oct 16 22:31:46 2015
  InstallationDate: Installed on 2015-10-09 (6 days ago)
  InstallationMedia: Ubuntu 15.10 "Wily Werewolf" - Alpha amd64 (20151009)
  SourcePackage: bash
  UpgradeStatus: No upgrade log present (probably fresh install)

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/bash/+bug/1507025/+subscriptions