oss-sec mailing list archives

Re: Healing the bash fork

From: Michal Zalewski <lcamtuf () coredump cx>
Date: Tue, 30 Sep 2014 07:27:48 -0700

Florian's prefix/suffix patch is not going to protect against the setuid/setgid exploit that I reported to this list 
last week.

I discuss the setuid/setgid vulnerability at the following site, including demonstrating how Florian's prefix/suffix 
patch provides no protection:

http://technicalprose.blogspot.co.uk/2014/09/shellshock-bug-third-vulnerability.html


You do realize that your setuid program is patently unsafe, right? Say:

$ echo -e '#!/bin/sh\necho pwn3d' >date;chmod 755 date;PATH=.:$PWD
./setuid_program
pwn3d

/mz

Current thread:

Re: Healing the bash fork Mark R Bannister (Sep 30)
- <Possible follow-ups>
- Re: Healing the bash fork Sven Kieske (Sep 30)
- Re: Healing the bash fork Mark R Bannister (Sep 30)
- Re: Healing the bash fork Sebastian Krahmer (Sep 30)
  - Re: Healing the bash fork Kobrin, Eric (Sep 30)
    - Re: Healing the bash fork Sebastian Krahmer (Sep 30)
    - Re: Healing the bash fork John Haxby (Sep 30)
    - Re: Healing the bash fork Ed Prevost (Sep 30)
    - Re: Healing the bash fork Rich Felker (Sep 30)
- Re: Healing the bash fork Michal Zalewski (Sep 30)
  - Re: Healing the bash fork Simon McVittie (Sep 30)
- Re: Healing the bash fork Mark R Bannister (Sep 30)
- Re: Healing the bash fork Tavis Ormandy (Sep 30)
  - Re: Healing the bash fork Ed Prevost (Sep 30)
    - Re: Healing the bash fork Zach Wikholm (Sep 30)
    - Re: Healing the bash fork David A. Wheeler (Sep 30)
    - Re: Healing the bash fork Michal Zalewski (Sep 30)
    - Re: Healing the bash fork Stuart D. Gathman (Sep 30)
  - Re: Healing the bash fork Martin Carpenter (Sep 30)