oss-sec mailing list archives
Re: Thoughts on Shellshock and beyond
From: John Haxby <john.haxby () oracle com>
Date: Tue, 07 Oct 2014 17:20:34 +0100
On 07/10/14 16:45, Michal Zalewski wrote:
What class of bug is Shellshock? "Weird feature invented inpre-Internet era"? How do you conquer this class of bugs?There are two bugs: Calling “eval” on untrusted input (a relatively common issue), and the fact that this particular code path should never have been exposed to the network at all. The second part is not strictly a bash bug, even if we addressed that with a change in bash. If this issue had been discovered when the first CGI-enabled web server was implemented, maybe it would not have been called a bash bug, but a bug in how CGI used environment variables.Possibly, but it probably wouldn't have stayed that way for long. Even though the bug was introduced long before the arrival of Apache, I would guess that it had affected Sendmail from day one. In practice, it's usually counterproductive to try to precisely pin the blame; bash is the place where we can fix it more easily and produce more intuitive behavior with one less things for other developers to worry about it.
In the particular case of shellshock, "everyone knows" that calling eval on untrusted input is a really bad idea. It's bad in anything that has an eval mechanism. The problem, still, with bash is that happens without you having any control over it. For example, env 'BASH_FUNC_ls()=() { echo hi there; }' bash -c ls Obviously that's artificial and the Florian's fix ensures that it's difficult to trigger remotely. This doesn't mean that the eval over which you have no control is a good idea. In this particular case you could argue that any application that could possibly exec a shell or possibly cross a trust boundary should clean its environment: we even have a nice easy to recognise pattern (anything that begins BASH_FUNC_ which also happens to strip out the other two implementations of the wrapper). However, I deliberately included "possibly" twice to encompass practically all non-trivial applications. If you're going to try to pin a class of bug on shellshock then it's something like "uncontrollable eval on untrusted input" and bash is still doing this. it's not been fixed (excepting NetBSD and FreeBSD). jch
Current thread:
- Re: Thoughts on Shellshock and beyond, (continued)
- Re: Thoughts on Shellshock and beyond Hanno Böck (Oct 07)
- Re: Thoughts on Shellshock and beyond David A. Wheeler (Oct 07)
- Re: Thoughts on Shellshock and beyond Loganaden Velvindron (Oct 07)
- Re: Thoughts on Shellshock and beyond Sven Kieske (Oct 07)
- Re: Thoughts on Shellshock and beyond Michal Zalewski (Oct 07)
- Re: Thoughts on Shellshock and beyond Tim (Oct 07)
- Re: Thoughts on Shellshock and beyond David A. Wheeler (Oct 07)
- Re: Thoughts on Shellshock and beyond Pavel Labushev (Oct 07)
- Re: Thoughts on Shellshock and beyond Florian Weimer (Oct 07)
- Re: Thoughts on Shellshock and beyond Michal Zalewski (Oct 07)
- Re: Thoughts on Shellshock and beyond Florian Weimer (Oct 07)
- Re: Thoughts on Shellshock and beyond John Haxby (Oct 07)
- Re: Thoughts on Shellshock and beyond David A. Wheeler (Oct 07)
- Re: Thoughts on Shellshock and beyond Michal Zalewski (Oct 07)
- Re: Thoughts on Shellshock and beyond Stephane Chazelas (Oct 08)
- Re: Re: Thoughts on Shellshock and beyond Michal Zalewski (Oct 08)
- Re: Thoughts on Shellshock and beyond Tim (Oct 08)
- Re: Thoughts on Shellshock and beyond Michal Zalewski (Oct 08)
- Re: Thoughts on Shellshock and beyond David A. Wheeler (Oct 08)
- Re: Thoughts on Shellshock and beyond Tracy Reed (Oct 08)
- Re: Thoughts on Shellshock and beyond Tim (Oct 08)
- Re: Thoughts on Shellshock and beyond David A. Wheeler (Oct 08)
- Re: Thoughts on Shellshock and beyond Hanno Böck (Oct 07)