The devil they say is in details, even the simple Bash path variable can open some security problems on your box. Every Bash documentation out there warns us not leave '.' in the path (it matches current directory). They however don't seems to mention that leaving a dangling ':' (colon) at the beginning or the end of Bash $PATH does create the same security vulnerability.
# Standard Bash $PATH
$ echo $PATH
/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/usr/games
# Let's get evil, append a colon at the end
$ export PATH="$PATH:"
# Let's check the tainted Bash $PATH
$ echo $PATH
/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/usr/games:
# Create Trojan application (of sorts)
$ echo "echo foo"> app
$ chmod +x app
# Run the command and Viola!
$ app
foo
0 comments:
Post a Comment