Re: CVE-2014-6271: remote code execution through bash

["Alexander E. Patrakov" <patrakov () gmail com>]

24.09.2014 21:16, Solar Designer wrote:
> $ ssh -o 'rsaauthentication yes' 0 '() { ignored; }; /usr/bin/id'
> uid=500(sandbox) gid=500(sandbox) groups=500(sandbox)
> Received disconnect from 127.0.0.1: Command terminated on signal 11.
>
> This is with command="set" in .ssh/authorized_keys for the key being
> used.  (Without the "; /usr/bin/id" portion, the command prints the
> environment variables, including SSH_ORIGINAL_COMMAND being the function
> with just "ignored" in its body.)  As we can see, the command runs, and
> moreover in this case bash happened to segfault after having run "id".
>
> I see no good workaround.  Starting the forced command with "unset
> SSH_ORIGINAL_COMMAND &&" does not help - we'd need to unset the variable
> before starting bash, not from bash.

Won't installing dash and setting the shell of users who have forced 
commands to dash mitigate this somehow?

--
Alexander E. Patrakov