oss-sec mailing list archives

Re: Healing the bash fork

From: Tavis Ormandy <taviso () cmpxchg8b com>
Date: Mon, 29 Sep 2014 10:49:22 -0700

On 29 September 2014 10:39, Kobrin, Eric <ekobrin () akamai com> wrote:

On Sep 29, 2014, at 11:59 AM, Eric Blake <eblake () redhat com> wrote:

But I see no reason to move away from %% suffixing.


The suffix fixes the obvious CGI hole, but it leaves exposed programs in which the adversary gets to choose the 
variable name as well.

env $'BASH_FUNC_foo%%=() { echo 123\n }' bash -c "foo"

I think that a more robust solution, such using a separate store for functions, is needed if function import is to 
survive as a feature.

-- Eric Kobrin


If an adversary can choose the variable name, it's game over by
definition. He can choose LD_PRELOAD, SHELLOPTS='xtrace' PS4='$(foo)',
LD_DEBUG_OUTPUT, PYTHONINSPECT, etc, etc.

This general solution is robust, now we're just hammering out the details.

-- 
-------------------------------------
taviso () cmpxchg8b com | pgp encrypted mail preferred
-------------------------------------------------------

Current thread:

Re: CVE-2014-6271: remote code execution through bash, (continued)
- - - Re: CVE-2014-6271: remote code execution through bash Chet Ramey (Sep 27)
    - Re: CVE-2014-6271: remote code execution through bash Eric Blake (Sep 27)
    - Re: CVE-2014-6271: remote code execution through bash Eric Blake (Sep 27)
    - Re: CVE-2014-6271: remote code execution through bash Eric Blake (Sep 27)
    - Re: CVE-2014-6271: remote code execution through bash Chet Ramey (Sep 29)
    - Re: CVE-2014-6271: remote code execution through bash Hanno Böck (Sep 27)
    - Re: CVE-2014-6271: remote code execution through bash Eric Blake (Sep 28)
    - Healing the bash fork (was: Re: [oss-security] CVE-2014-6271: remote code execution through bash) Florian Weimer (Sep 29)
    - Re: Healing the bash fork Eric Blake (Sep 29)
    - Re: Healing the bash fork Kobrin, Eric (Sep 29)
    - Re: Healing the bash fork Tavis Ormandy (Sep 29)
    - Re: Healing the bash fork David A. Wheeler (Sep 29)
    - Re: Healing the bash fork John Haxby (Sep 29)
    - Re: Healing the bash fork Kobrin, Eric (Sep 29)
    - Re: Healing the bash fork Chet Ramey (Sep 29)
    - Re: Healing the bash fork gremlin (Sep 29)
    - Re: Healing the bash fork Florian Weimer (Sep 30)
    - Re: Healing the bash fork Gennady Kupava (Sep 30)
    - Re: Healing the bash fork gremlin (Sep 30)
    - Re: Healing the bash fork Kobrin, Eric (Sep 29)
    - Re: Healing the bash fork Michal Zalewski (Sep 29)

(Thread continues...)