oss-sec mailing list archives

Re: Re: Healing the bash fork

From: "Todd C. Miller" <Todd.Miller () courtesan com>
Date: Mon, 29 Sep 2014 12:46:28 -0600

On Mon, 29 Sep 2014 09:59:47 -0600, Eric Blake wrote:

'at' is already broken, independently of bash.  For example:

https://lists.gnu.org/archive/html/bug-bash/2014-09/msg00300.html

echo pwd | env "/tmp/exploit=me" at tomorrow

produces a shell script with these lines:

#!/bin/sh
...
/tmp/exploit=me; export /tmp/exploit

So even on Debian, where /bin/sh is dash, this script attempts to
execute the file named /tmp/exploit=me, possibly under the privileges
of 'at' rather than as the user that created the file.  No bash needed.


At the very least, at should use the "export foo=bar" form which
will allow it to fail closed in the presence of environment variables
that are not valid shell identifiers.  I've just committed such a
change to OpenBSD's at(1) which shares a common lineage.  However,
the atrun file format should really be changed to be more robust
and not simply be fed to /bin/sh.

 - todd

Current thread:

Re: Healing the bash fork, (continued)
- - - Re: Healing the bash fork John Haxby (Sep 29)
    - Re: Healing the bash fork Kobrin, Eric (Sep 29)
    - Re: Healing the bash fork Chet Ramey (Sep 29)
    - Re: Healing the bash fork gremlin (Sep 29)
    - Re: Healing the bash fork Florian Weimer (Sep 30)
    - Re: Healing the bash fork Gennady Kupava (Sep 30)
    - Re: Healing the bash fork gremlin (Sep 30)
    - Re: Healing the bash fork Kobrin, Eric (Sep 29)
    - Re: Healing the bash fork Michal Zalewski (Sep 29)
    - Re: Healing the bash fork Kobrin, Eric (Sep 30)
    - Re: Re: Healing the bash fork Todd C. Miller (Sep 29)
    - atd (was: Re: [oss-security] Re: Healing the bash fork) Seth Arnold (Sep 29)
    - Re: CVE-2014-6271: remote code execution through bash Solar Designer (Sep 24)
    - Re: CVE-2014-6271: remote code execution through bash Chet Ramey (Sep 25)
    - Re: CVE-2014-6271: remote code execution through bash Solar Designer (Sep 25)
    - Re: CVE-2014-6271: remote code execution through bash Christos Zoulas (Sep 25)
    - Re: CVE-2014-6271: remote code execution through bash Solar Designer (Sep 25)
    - Re: CVE-2014-6271: remote code execution through bash Chet Ramey (Sep 25)
    - Re: CVE-2014-6271: remote code execution through bash Tavis Ormandy (Sep 25)
    - Re: CVE-2014-6271: remote code execution through bash Chet Ramey (Sep 25)
    - Re: CVE-2014-6271: remote code execution through bash Michal Zalewski (Sep 25)

(Thread continues...)