oss-sec mailing list archives
Re: more bash parser bugs (CVE-2014-6277, CVE-2014-6278)
From: Michal Zalewski <lcamtuf () coredump cx>
Date: Thu, 2 Oct 2014 08:04:24 -0700
According to shellshock test (https://shellshocker.net/shellshock_test.sh)
That script is a weird mixture of tests that implicitly pay no attention to Florian's patch, and therefore do not really demonstrate any security risk:

CVE20147186=$((bash -c 'true <<EOF <<EOF <<EOF <<EOF <<EOF <<EOF <<EOF <<EOF <<EOF <<EOF <<EOF <<EOF <<EOF <<EOF' 2>/dev/null || echo "vulnerable") | grep 'vulnerable' | wc -l)

...ones that explicitly try to circumvent it in a way that makes them uninteresting from the security perspective:

CVE20146271=$(env 'x=() { :;}; echo vulnerable' 'BASH_FUNC_x()=() { :;}; echo vulnerable' bash -c "echo test" 2>&1 | grep 'vulnerable' | wc -l)

...and ones that will fail with Florian's patch:

CVE20147169=$((cd /tmp; rm -f /tmp/echo; env X='() { (a)=>\' bash -c "echo echo nonvuln" 2>/dev/null; [[ "$(cat echo 2> /dev/null)" == "nonvuln" ]] && echo "vulnerable" 2> /dev/null) | grep 'vulnerable' | wc -l)

There are also some weird / duplicate entries and general confusion about which CVE stands for what, e.g.:

CVE2014=$(env X=' () { }; echo hello' bash -c 'date' | grep 'hello' | wc -l)
echo -n "CVE-2014-//// (exploit 3 on http://shellshocker.net/): "

Really, just install the patch. The reasons for this, and a good test case to check if you're covered, are discussed here:

http://lcamtuf.blogspot.com/2014/09/bash-bug-apply-unofficial-patch-now.html

If you want to learn a bit more about what these test cases are doing and why it matters, I have an earlier post here:

http://lcamtuf.blogspot.com/2014/09/quick-notes-about-bash-bug-its-impact.html

...and last but not least, the details for the last two bugs are here:

http://lcamtuf.blogspot.com/2014/10/bash-bug-how-we-finally-cracked.html

/mz
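Added example, not part of the original message or of any script it mentions: a check of the one property the argument above turns on, namely whether a given bash still parses function definitions out of ordinarily named environment variables. The function names, the verdict strings, the variable name foo and the BASH_BIN override are all constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the original message). Function names and the
# variable name "foo" are constructed for illustration.

# Does this bash treat an ordinarily named variable as a function definition?
check_import() {
    bash_bin=${1:-bash}
    out=$(foo='() { echo imported; }' "$bash_bin" -c foo 2>/dev/null) || true
    if [ "$out" = "imported" ]; then echo any-name; else echo restricted; fi
}

# Does a function exported with "export -f" still reach a child bash?
check_export() {
    bash_bin=${1:-bash}
    out=$("$bash_bin" -c 'f() { echo roundtrip; }; export -f f; "$0" -c f' \
        "$bash_bin" 2>/dev/null) || true
    if [ "$out" = "roundtrip" ]; then echo works; else echo broken; fi
}

# Combine both checks into one verdict for the given bash binary.
classify_bash() {
    bash_bin=${1:-bash}
    if ! command -v "$bash_bin" >/dev/null 2>&1; then
        echo no-bash
        return 0
    fi
    case "$(check_import "$bash_bin")/$(check_export "$bash_bin")" in
        any-name/*)       echo exposed ;;      # parser reachable via any variable
        restricted/works) echo hardened ;;     # import limited to reserved names
        *)                echo import-off ;;   # no function import at all
    esac
}

classify_bash "${BASH_BIN:-bash}"
```

A verdict of "exposed" means the individual parser-bug tests still matter for that binary; "hardened" means function export keeps working while arbitrary variables no longer reach the function parser.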