oss-sec mailing list archives
Re: Re: CVE-2014-6271: remote code execution through bash (3rd vulnerability)
From: Hanno Böck <hanno () hboeck de>
Date: Fri, 26 Sep 2014 12:41:51 +0200
On Fri, 26 Sep 2014 09:54:40 +0100 "Mark R Bannister" <mark () proseconsulting co uk> wrote:
> I can't see this being a problem for Apache custom headers (the variable name is turned to uppercase and prefixed by HTTP_), nor sudo commands if env_reset is on (the default), but this continues to be a major vulnerability for setuid/setgid scripts (S_ISUID or S_ISGID) where the environment is preserved.
Scripts don't allow setuid. For a reason. It'd open a whole bunch of security issues.

This could be an issue if you have a suid binary calling a script. There are even people writing howtos to do that to circumvent unix security measures. [1]

I don't know (and haven't tested) if this preserves env, but the point is: suid binaries shouldn't do stupid things. If they do, that's their fault. There should be extra many security-conscious eyes on setuid bins (we recently saw a memleak in a setuid bin causing trouble elsewhere [2]).

If you can pass any env var to a suid script and it executes something else you have a problem no matter what. LD_PRELOAD etc.

[1] http://www.tuxation.com/setuid-on-shell-scripts.html
[2] http://googleprojectzero.blogspot.de/2014/08/the-poisoned-nul-byte-2014-edition.html

cu,
--
Hanno Böck
http://hboeck.de/

mail/jabber: hanno () hboeck de
GPG: BBB51E42
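As an added illustration that is not part of the message above or of any project it mentions: a sketch of how a privileged wrapper can hand a script a rebuilt environment instead of the caller's, so that LD_PRELOAD and values shaped like bash function definitions never reach it. The allowlist, the fixed PATH and the script path are assumptions made for this example.

```c
#include <string.h>
#include <unistd.h>

/* Variables the script may inherit (assumed policy for this example). */
static const char *const ALLOWED[] = { "TERM", "LANG", "TZ", NULL };

/* True if entry is NAME=value with NAME on the allowlist. */
static int is_allowed(const char *entry)
{
    const char *eq = strchr(entry, '=');
    if (eq == NULL)
        return 0;
    size_t len = (size_t)(eq - entry);
    for (size_t i = 0; ALLOWED[i] != NULL; i++)
        if (strlen(ALLOWED[i]) == len && strncmp(entry, ALLOWED[i], len) == 0)
            return 1;
    return 0;
}

/* True if the value starts with "() {", bash's function-import marker. */
static int looks_like_function(const char *entry)
{
    const char *eq = strchr(entry, '=');
    return eq != NULL && strncmp(eq + 1, "() {", 4) == 0;
}

/* Fill out[] (capacity cap >= 2) with a fixed PATH plus the entries of src
 * that pass both checks, NULL-terminate it, and return the entry count. */
size_t build_clean_env(char *const src[], char *out[], size_t cap)
{
    static char fixed_path[] = "PATH=/usr/bin:/bin";
    size_t n = 0;
    out[n++] = fixed_path;
    for (size_t i = 0; src[i] != NULL && n + 1 < cap; i++)
        if (is_allowed(src[i]) && !looks_like_function(src[i]))
            out[n++] = src[i];
    out[n] = NULL;
    return n;
}

int main(void)
{
    extern char **environ;
    char *clean[8], *argv[] = { "example-task.sh", NULL };
    build_clean_env(environ, clean, 8);
    /* Hypothetical script path; only the rebuilt environment is passed on. */
    execve("/usr/local/libexec/example-task.sh", argv, clean);
    return 127; /* reached only if execve failed */
}
```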