CVE-2011-0468
Description
Tab expansion in aaa_base on openSUSE 11.3/11.4 lets local users run commands as root by crafting filenames with shell metacharacters.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Vulnerability
The aaa_base package in SUSE openSUSE 11.3 (before version 11.3-8.9.1) and openSUSE 11.4 (before version 11.4-54.62.1) contains a privilege escalation flaw due to improper handling of shell metacharacters during tab expansion in shell completions. When a user uses tab completion in a directory containing a file with specially crafted characters (such as ; or backticks), the shell expansion executes the embedded commands. No special configuration is required beyond the presence of a malicious filename [1].
Exploitation
An attacker with local access to the system can place a file with shell metacharacters in a directory where an unsuspecting user (or the attacker themselves) will perform tab expansion. When the victim types the beginning of the filename and presses Tab, the shell interprets the metacharacters, executing arbitrary commands. The attacker does not need to authenticate as a different user if they can induce the root user or another privileged user to perform tab expansion. The file can be created by any local user, making the attack vector purely local [1].
Impact
Successful exploitation allows the attacker to execute arbitrary shell commands with the privileges of the user performing tab expansion. If the target is a privileged user (e.g., root), the attacker gains complete control over the system, including full confidentiality, integrity, and availability impact (CVSS v2 6.9). The vulnerability is rated as moderate severity by SUSE [1].
Mitigation
The fix is included in aaa_base versions 11.3-8.9.1 and 11.4-54.62.1. SUSE released updates via SUSE-SR:2011:005 and openSUSE-SU-2011:0207-1 on April 1, 2011. Users should update to the corrected package immediately. No workarounds are documented; removal of shell metacharacter handling would break legitimate completion. The issue is resolved and not listed on the CISA KEV as of the disclosure date [1].
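As an added example (not SUSE's code and not part of the original page), the shell function below classifies an aaa_base version string against the two fixed versions named above. It assumes GNU `sort -V` ordering matches RPM's comparison for these purely numeric strings and that the installed value is supplied in the same form the page uses; the function names and sample inputs are hypothetical.

```shell
#!/bin/sh
# Added example: compare an aaa_base version string with the fixed versions
# stated in the Mitigation text. Function names are hypothetical.
# On a real host the input could come from (assumption about the format):
#   rpm -q --qf '%{VERSION}-%{RELEASE}\n' aaa_base

FIXED_113="11.3-8.9.1"     # fixed version for openSUSE 11.3 (from the page)
FIXED_114="11.4-54.62.1"   # fixed version for openSUSE 11.4 (from the page)

# ver_ge A B: succeeds when A >= B under GNU `sort -V` ordering.
# Assumption: this approximates RPM's own comparison for numeric strings.
ver_ge() {
    [ "$(printf '%s\n%s\n' "$1" "$2" | sort -V | head -n 1)" = "$2" ]
}

# aaa_base_status VERSION: prints "fixed", "vulnerable" or "out-of-scope".
aaa_base_status() {
    installed=$1
    case "$installed" in
        11.3-*) fixed=$FIXED_113 ;;
        11.4-*) fixed=$FIXED_114 ;;
        *)      echo "out-of-scope"; return 0 ;;  # branch not covered by the page
    esac
    if ver_ge "$installed" "$fixed"; then
        echo "fixed"
    else
        echo "vulnerable"
    fi
}

# Constructed sample inputs, not taken from any real system.
for v in 11.3-8.8.1 11.3-8.9.1 11.3-8.10.1 11.4-54.7.1 11.4-54.62.1 12.1-1.2.3; do
    printf '%-14s %s\n' "$v" "$(aaa_base_status "$v")"
done
```

The `11.3-8.10.1` and `11.4-54.7.1` samples show why a plain string comparison would misclassify versions whose components differ in digit count.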
AI Insight generated on May 23, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
References
- lists.opensuse.org/opensuse-updates/2011-03/msg00010.html (nvd, Vendor Advisory)
- secunia.com/advisories/43825 (nvd, Vendor Advisory)
- lists.opensuse.org/opensuse-security-announce/2011-04/msg00000.html (nvd)
- support.novell.com/security/cve/CVE-2011-0468.html (nvd)
- www.osvdb.org/71253 (nvd)
- www.securityfocus.com/bid/46983 (nvd)
- bugzilla.novell.com/678827 (nvd)
- exchange.xforce.ibmcloud.com/vulnerabilities/66245 (nvd)