oss-sec mailing list archives

Re: CVE-2014-6271: remote code execution through bash

From: Dwayne Litzenberger <dlitz () dlitz net>
Date: Fri, 26 Sep 2014 02:35:20 -0700

For folks like me who are running production systems that don't needexported functions at all, I've hacked together a little wrapper thatjust refuses to run bash if any environment variable's value starts witha left-paren:


   https://github.com/dlitz/bash-shellshock

TL;DR:

   $ ls -l /bin/bash*
   lrwxrwxrwx 1 root root      20 Sep 26 01:12 /bin/bash -> /bin/bash-shellshock
   -rwxr-xr-x 1 root root 1029624 Sep 24 11:51 /bin/bash.real
   -rwxr-xr-x 1 root root   10368 Sep 26 00:32 /bin/bash-shellshock

   $ XX=1 XXX='(hello' /bin/bash -c env
   bash-shellshock: Refusing to start due to possibly unsafe environment variable (see syslog)

It also supports log-only and variable-stripping modes, configurablesystem-wide.

I've made binary .deb packages for Debian and Ubuntu, for anyone foolishenough to trust me. (If you've ever run "sudo pip install pycrypto",then you're already that foolish. ;)


Tags and SHA256SUMS.asc files are signed using my OpenPGP key.

--
Dwayne C. Litzenberger <dlitz () dlitz net>
OpenPGP: 19E1 1FE8 B3CF F273 ED17  4A24 928C EC13 39C2 5CF7

Attachment: _bin
Description:

Current thread:

Re: CVE-2014-6271: remote code execution through bash, (continued)
- - - Re: CVE-2014-6271: remote code execution through bash Simon McVittie (Sep 25)
    - Re: CVE-2014-6271: remote code execution through bash John Haxby (Sep 25)
    - Re: CVE-2014-6271: remote code execution through bash Simon McVittie (Sep 25)
    - Re: CVE-2014-6271: remote code execution through bash Chet Ramey (Sep 25)
    - Re: CVE-2014-6271: remote code execution through bash Simon McVittie (Sep 26)
    - Re: CVE-2014-6271: remote code execution through bash Solar Designer (Sep 25)
    - Message not available
    - Re: CVE-2014-6271: remote code execution through bash Chet Ramey (Sep 25)
    - Re: CVE-2014-6271: remote code execution through bash Alexandre Dulaunoy (Sep 25)
    - Re: CVE-2014-6271: remote code execution through bash Larry W. Cashdollar (Sep 25)
    - Re: CVE-2014-6271: remote code execution through bash Chet Ramey (Sep 25)
    - Re: CVE-2014-6271: remote code execution through bash Dwayne Litzenberger (Sep 26)
    - Re: CVE-2014-6271: remote code execution through bash Solar Designer (Sep 26)
    - Re: CVE-2014-6271: remote code execution through bash Chet Ramey (Sep 26)
  - Re: CVE-2014-6271: remote code execution through bash Michal Zalewski (Sep 24)
  - Re: CVE-2014-6271: remote code execution through bash cve-assign (Sep 24)
- Re: CVE-2014-6271: remote code execution through bash Riot (Sep 26)
- Fwd: CVE-2014-6271: remote code execution through bash Gennady Kupava (Sep 26)