oss-sec mailing list archives

Re: Re: CVE-2014-6271: remote code execution through bash (3rd vulnerability)

From: "Mark R Bannister" <mark () proseconsulting co uk>
Date: Fri, 26 Sep 2014 13:41:45 +0100

Arguments that people shouldn't have setuid shell scripts don't stack up, because even if you write your setuid program 
in some other language, you might unwittingly exec something written in bash.
As /bin/sh is symlinked to /bin/bash in RHEL, the moment you call out to the system to do a piece of work for you, 
you're at risk of invoking bash and thereby being vulnerable to a root exploit.  For example:

$ env bzip2='() { echo vulnerable >&2; }' /usr/bin/bzdiff /tmp/file1.bz /tmp/file2.bz

$ env test='() { echo vulnerable >&2; }' /usr/bin/ldd /usr/bin/gcc

So this is not about whether or not someone has written a setuid shell script.  This has uncovered a potential new 
exploit for any setuid program.  Indeed the very first setuid program that I discovered this exploit with was a binary 
(compiled C program) that happened to exec ldd while it was running.

I don't think this issue can be swept under the carpet.

Current thread:

Re: Re: CVE-2014-6271: remote code execution through bash (3rd vulnerability), (continued)
- - - Re: Re: CVE-2014-6271: remote code execution through bash (3rd vulnerability) Chet Ramey (Sep 29)
    - Re: Re: CVE-2014-6271: remote code execution through bash (3rd vulnerability) Giles Coochey (Sep 29)
    - Re: Re: CVE-2014-6271: remote code execution through bash (3rd vulnerability) Ed Prevost (Sep 29)
    - RE: Re: CVE-2014-6271: remote code execution through bash (3rd vulnerability) Sona Sarmadi (Sep 29)
    - Re: CVE-2014-6271: remote code execution through bash (3rd vulnerability) Ramon de C Valle (Sep 29)
    - Re: Re: CVE-2014-6271: remote code execution through bash (3rd vulnerability) Loganaden Velvindron (Sep 27)
    - Re: Re: CVE-2014-6271: remote code execution through bash (3rd vulnerability) Chet Ramey (Sep 27)
    - Re: Re: CVE-2014-6271: remote code execution through bash (3rd vulnerability) Christos Zoulas (Sep 27)
    - Re: Re: CVE-2014-6271: remote code execution through bash (3rd vulnerability) Loganaden Velvindron (Sep 27)
  - Re: Re: CVE-2014-6271: remote code execution through bash (3rd vulnerability) Guido Berhoerster (Sep 26)
- Re: Re: CVE-2014-6271: remote code execution through bash (3rd vulnerability) Mark R Bannister (Sep 26)
- Re: Re: CVE-2014-6271: remote code execution through bash (3rd vulnerability) Simon McVittie (Sep 26)
  - Re: Re: CVE-2014-6271: remote code execution through bash (3rd vulnerability) Rich Felker (Sep 26)
    - Re: Re: CVE-2014-6271: remote code execution through bash (3rd vulnerability) Kurt Seifried (Sep 26)
    - Re: Re: CVE-2014-6271: remote code execution through bash (3rd vulnerability) Rich Felker (Sep 27)
- Re: Re: CVE-2014-6271: remote code execution through bash (3rd vulnerability) Rich Felker (Sep 26)
  - Re: Re: CVE-2014-6271: remote code execution through bash (3rd vulnerability) Kurt Seifried (Sep 26)
    - Re: Re: CVE-2014-6271: remote code execution through bash (3rd vulnerability) Peter Bex (Sep 26)