Bugtraq mailing list archives

Re: BUG in /bin/bash

From: arthur () support psi com (Arthur Hyun)
Date: Thu, 22 Aug 1996 23:00:09 -0400


On Thu, 22 Aug 1996 15:35:18 -0400,
Red Barchetta <paradox () pegasus rutgers edu> wrote:
 +-
 |Their test string "bash -c 'ls\377who'" gave this output on my Solaris 2.5
 |system:
 |
 |        bash: ls377who: command not found
 |
 |Can anyone verify that this is really a problem?
 +-

try something like this:  bash -c `/bin/echo 'ls\0377who'`

\3 == 3, so 'ls\377who' is 8 chars.  but "/bin/echo 'ls\0377who'"
turns into 6 chars because the echo interprets \0377 as an
octal escape for a single char.


if you run it under bash, then you need some more quotes to get
the full effect because the top level bash steals the \377:

    bash -c "`/bin/echo 'ls\0377who'`"

                                                -arthur

Current thread:

resolv+ and finger..., (continued)
- - - resolv+ and finger... C. Hodges (Aug 23)
    - Vulnerability in the Xt library Aleph One (Aug 24)
    - Re: Vulnerability in the Xt library Stefan `Sec` Zehl (Aug 25)
    - Re: Vulnerability in the Xt library Mike Neuman (Aug 27)
    - Re: Vulnerability in the Xt library Casper Dik (Aug 28)
    - Re: Vulnerability in the Xt library Mike Neuman (Aug 28)
    - RFD: libsuid VaX#n8 (Aug 24)
    - More on UnixWare 2.x vulnerability Todd Vierling (Aug 24)
    - Re: (WORKAROUND) More on UnixWare 2.x vulnerability Hannu Laurila (Aug 24)
    - polyglots (multi-language programs) John Nemeth (Aug 24)
  - Re: BUG in /bin/bash Arthur Hyun (Aug 22)
  - Re: BUG in /bin/bash Brian Clapper (Aug 23)