oss-sec mailing list archives
Re: Re: Healing the bash fork
From: "Todd C. Miller" <Todd.Miller () courtesan com>
Date: Mon, 29 Sep 2014 12:46:28 -0600
On Mon, 29 Sep 2014 09:59:47 -0600, Eric Blake wrote:
> 'at' is already broken, independently of bash. For example:
> https://lists.gnu.org/archive/html/bug-bash/2014-09/msg00300.html
>
> echo pwd | env "/tmp/exploit=me" at tomorrow
>
> produces a shell script with these lines:
>
> #!/bin/sh
> ...
> /tmp/exploit=me; export /tmp/exploit
>
> So even on Debian, where /bin/sh is dash, this script attempts to
> execute the file named /tmp/exploit=me, possibly under the privileges
> of 'at' rather than as the user that created the file. No bash needed.

At the very least, at should use the "export foo=bar" form which will allow it to fail closed in the presence of environment variables that are not valid shell identifiers. I've just committed such a change to OpenBSD's at(1) which shares a common lineage.

However, the atrun file format should really be changed to be more robust and not simply be fed to /bin/sh.

 - todd
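
The "export foo=bar" form suggested above, as an added C example (not OpenBSD's actual change to at(1), and not code from this thread): it formats each environment entry as one quoted `export NAME='value'` line and, going one step beyond the message, skips names that are not valid shell identifiers instead of relying on the shell to reject them. The function names, the skip policy and the sample entries are assumptions made for illustration.

```c
#include <stdio.h>
#include <string.h>

/* 1 if s[0..n) matches [A-Za-z_][A-Za-z0-9_]* (ASCII only, locale-independent). */
static int valid_shell_name(const char *s, size_t n)
{
    for (size_t i = 0; i < n; i++) {
        char c = s[i];
        int alpha = (c >= 'A' && c <= 'Z') || (c >= 'a' && c <= 'z') || c == '_';
        if (!alpha && !(i > 0 && c >= '0' && c <= '9'))
            return 0;
    }
    return n > 0;
}

/* Format one environ-style "NAME=value" entry as: export NAME='value'\n
 * Returns bytes written, 0 if skipped (assumed policy: drop entries whose
 * name is not a shell identifier), -1 if out is too small. */
int emit_export_line(const char *entry, char *out, size_t outsz)
{
    const char *eq = strchr(entry, '=');
    if (eq == NULL || !valid_shell_name(entry, (size_t)(eq - entry)))
        return 0;
    int n = snprintf(out, outsz, "export %.*s='", (int)(eq - entry), entry);
    if (n < 0 || (size_t)n >= outsz)
        return -1;
    size_t pos = (size_t)n;
    for (const char *p = eq + 1; *p; p++) {
        /* Inside single quotes only ' is special: close, escape, reopen. */
        const char *piece = (*p == '\'') ? "'\\''" : p;
        size_t len = (*p == '\'') ? 4 : 1;
        if (pos + len >= outsz)
            return -1;
        memcpy(out + pos, piece, len);
        pos += len;
    }
    if (pos + 3 > outsz)
        return -1;
    memcpy(out + pos, "'\n", 3); /* closing quote, newline, NUL */
    return (int)(pos + 2);
}

int main(void)
{
    /* Constructed sample entries; the second is the one from the message. */
    const char *env[] = { "HOME=/home/alice", "/tmp/exploit=me", "MSG=it's", NULL };
    char line[256];
    for (int i = 0; env[i]; i++)
        if (emit_export_line(env[i], line, sizeof line) > 0)
            fputs(line, stdout);
    return 0;
}
```

Because the name and value are written in a single `export` word, an entry can never appear on its own at the start of a command line in the job file.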