oss-sec mailing list archives
Fwd: CVE-2014-6271: remote code execution through bash
From: Gennady Kupava <gennady.kupava () gmail com>
Date: Fri, 26 Sep 2014 18:06:45 +0100
The way bash exports functions is really scary:
1. You can both set a variable and export a function with the same name.
$ f () { a; }
$ export -f f
$ export f=3
$ echo $f
3
$ ksh
$ cat /proc/$$/environ|xargs -0 -n1|grep -w f
f=3
f=() { a
$ echo $f
3
SUS says storing two environment variables with the same name is undefined
behaviour:
http://pubs.opengroup.org/onlinepubs/7908799/xbd/envvar.html
2. Bash partially hides the environment variable holding the function:
$ f () { a; }
$ export -f f
$ echo $f
[ nothing ]
Both things above look like good grounds for hackers.
Gennady
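
As an added example (not part of the original message or of bash itself), the following Python sketch audits a NUL-separated environment block, such as the contents of /proc/PID/environ, for the two conditions shown above: names stored more than once, and values that begin with the `() {` function-export form. The names `parse_environ`, `audit_environ`, `read_proc_environ` and the sample block are assumptions made for illustration.

```python
from collections import defaultdict

# Value prefix seen on this page for an exported function: f=() { a
FUNC_PREFIX = b"() {"

# Constructed sample mirroring the /proc/$$/environ output in the message.
SAMPLE = b"HOME=/home/user\0f=3\0f=() {  a\n}\0PATH=/usr/bin:/bin\0"


def parse_environ(blob):
    """Split a NUL-separated environment block into (name, value) pairs.

    Splitting on NUL (not newline) keeps multi-line function bodies intact,
    and duplicates are preserved in their original order.
    """
    pairs = []
    for entry in blob.split(b"\0"):
        if not entry:
            continue
        name, _, value = entry.partition(b"=")
        pairs.append((name, value))
    return pairs


def audit_environ(blob):
    """Return (duplicates, functions) for one environment block.

    duplicates: name -> every value stored under it, in block order
    functions:  sorted names with a value that looks like a function export
    """
    by_name = defaultdict(list)
    for name, value in parse_environ(blob):
        by_name[name].append(value)
    duplicates = {n: v for n, v in by_name.items() if len(v) > 1}
    functions = sorted(
        n for n, vals in by_name.items()
        if any(v.startswith(FUNC_PREFIX) for v in vals)
    )
    return duplicates, functions


def read_proc_environ(pid):
    """Read a live process's environment block (Linux /proc, needs permission)."""
    with open(f"/proc/{pid}/environ", "rb") as fh:
        return fh.read()


if __name__ == "__main__":
    dups, funcs = audit_environ(SAMPLE)
    for name, values in dups.items():
        print("duplicate:", name.decode(), [v.decode() for v in values])
    print("function-style values:", [n.decode() for n in funcs])
```

On a Linux host, `audit_environ(read_proc_environ(pid))` applies the same check to a running process that the caller is permitted to inspect.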
