Re: Critical bash vulnerability CVE-2014-6271

[Paul Vixie <paul () redbarn org>]

> Tim <mailto:tim-security () sentinelchicken org>
> Thursday, September 25, 2014 5:55 PM
> ...
>
> So dhclient calls /bin/bash explicitly?  I didn't look that deeply
> into it, but my /bin/sh is dash and nothing breaks, so if it really
> does depend on bash, it would need to do that.

it's like this:

> vixie@linux1:~$ uname -srm
> Linux 3.2.0-4-amd64 x86_64
> vixie@linux1:~$ head -1 /sbin/dhclient-script
> #!/bin/bash 

i'm told that this is somewhat common, which probably means that not all
shells are good enough for this script. on debian, /bin/sh is "dash"
which may be an example of "not good enough to run this script".

on systems like red hat and mac osx where /bin/sh just is bash, it's the
same effect but dhclient-script begins #!/bin/sh instead.

here's a POC:

https://www.trustedsec.com/september-2014/shellshock-dhcp-rce-proof-concept/

-- 
Paul Vixie

_______________________________________________
Sent through the Full Disclosure mailing list
http://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: http://seclists.org/fulldisclosure/