oss-sec mailing list archives
Re: CVE-2014-6271: remote code execution through bash
From: "Alexander E. Patrakov" <patrakov () gmail com>
Date: Wed, 24 Sep 2014 22:01:50 +0600
24.09.2014 21:16, Solar Designer wrote:
$ ssh -o 'rsaauthentication yes' 0 '() { ignored; }; /usr/bin/id' uid=500(sandbox) gid=500(sandbox) groups=500(sandbox) Received disconnect from 127.0.0.1: Command terminated on signal 11. This is with command="set" in .ssh/authorized_keys for the key being used. (Without the "; /usr/bin/id" portion, the command prints the environment variables, including SSH_ORIGINAL_COMMAND being the function with just "ignored" in its body.) As we can see, the command runs, and moreover in this case bash happened to segfault after having run "id". I see no good workaround. Starting the forced command with "unset SSH_ORIGINAL_COMMAND &&" does not help - we'd need to unset the variable before starting bash, not from bash.
Won't installing dash and setting the shell of users who have forced commands to dash mitigate this somehow?
-- Alexander E. Patrakov
Current thread:
- CVE-2014-6271: remote code execution through bash Florian Weimer (Sep 24)
- Re: CVE-2014-6271: remote code execution through bash Florian Weimer (Sep 24)
- Re: CVE-2014-6271: remote code execution through bash Florian Weimer (Sep 24)
- Re: CVE-2014-6271: remote code execution through bash Solar Designer (Sep 24)
- Re: CVE-2014-6271: remote code execution through bash Florian Weimer (Sep 24)
- Re: CVE-2014-6271: remote code execution through bash Solar Designer (Sep 24)
- Re: CVE-2014-6271: remote code execution through bash Henri Salo (Sep 24)
- Re: CVE-2014-6271: remote code execution through bash Alexander E. Patrakov (Sep 24)
- Re: CVE-2014-6271: remote code execution through bash Chet Ramey (Sep 24)
- Re: CVE-2014-6271: remote code execution through bash gremlin (Sep 24)
- Re: CVE-2014-6271: remote code execution through bash Tim (Sep 24)
- Re: CVE-2014-6271: remote code execution through bash Rich Felker (Sep 25)
- Re: CVE-2014-6271: remote code execution through bash Florian Weimer (Sep 24)
- Re: CVE-2014-6271: remote code execution through bash Chet Ramey (Sep 24)
- Re: CVE-2014-6271: remote code execution through bash mancha (Sep 24)
- Re: CVE-2014-6271: remote code execution through bash Chet Ramey (Sep 24)
- Re: CVE-2014-6271: remote code execution through bash Solar Designer (Sep 24)
- Re: CVE-2014-6271: remote code execution through bash Chet Ramey (Sep 25)
- Re: CVE-2014-6271: remote code execution through bash Alan J. Wylie (Sep 26)