oss-sec mailing list archives

Re: CVE-2014-6271: remote code execution through bash


From: Michal Zalewski <lcamtuf () coredump cx>
Date: Thu, 25 Sep 2014 08:21:58 -0700

> There seems to be a wider issue even when we have well-formed functions
> coming in, for example,
>
>     env rm='() { echo will not; }' bash -c 'rm core'

Sure. This is less of an immediate concern because in the scenarios we
are most worried about, the attacker usually doesn't have the ability
to set arbitrary variables (and if he could, it would be a problem
greater than anything that bash could deal with - LD_PRELOAD and all).
It is, however, customary to be able to set the *values* of variables
whose names are constrained in some way - most notably, HTTP_*.

FWIW, I tried to sum up the exposure and our thoughts on the patches here:
http://lcamtuf.blogspot.com/2014/09/quick-notes-about-bash-bug-its-impact.html

/mz
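
A value-side check for the case described in the message above, where variable names are constrained (HTTP_*) but values are not. This is an added example, not part of the original post; the function names `list_function_like_vars` and `run_scrubbed` are hypothetical, and the match is on the `() {` prefix shown in the quoted command.

```shell
#!/bin/sh
# Added example, not from the original message.

# Print (sorted) the names of environment variables whose VALUE begins with
# the four characters "() {", the form shown in the quoted example.
# awk's ENVIRON is used so multi-line values are not misparsed.
list_function_like_vars() {
    awk 'BEGIN {
        for (name in ENVIRON)
            if (substr(ENVIRON[name], 1, 4) == "() {")
                print name
    }' | sort
}

# Run a command with those variables removed from its environment.
# Names that are not valid shell identifiers cannot be unset here and are
# reported on stderr instead.
run_scrubbed() {
    (
        set -f    # no globbing while splitting the name list
        for name in $(list_function_like_vars); do
            case $name in
                ''|[0-9]*|*[!A-Za-z0-9_]*)
                    echo "run_scrubbed: cannot unset '$name'" >&2 ;;
                *)
                    unset "$name" ;;
            esac
        done
        exec "$@"
    )
}
```

The check looks only at values, so it applies equally to an HTTP_* variable and to a name such as `rm`.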