[lug] Bash env security bug

Quentin Hartman qhartman at gmail.com
Fri Sep 26 08:31:16 MDT 2014


This is an interesting / scary PoC:

https://www.trustedsec.com/september-2014/shellshock-dhcp-rce-proof-concept/

On Thu, Sep 25, 2014 at 11:19 AM, Quentin Hartman <qhartman at gmail.com>
wrote:

> I saw this yesterday as well, and my reading of it made it sound like it
> would be awful hard to remotely exploit unless you were running CGI's that
> used shell scripts or doing some other similar thing. Am I missing
> something, or is that just way more common than I believe?
>
> QH
>
> On Thu, Sep 25, 2014 at 10:46 AM, Bear Giles <bgiles at coyotesong.com>
> wrote:
>
>> I came across this on the NSLU2 blog. I've verified it on my recent
>> Ubuntu system. I'm currently updating and will follow up if the update
>> fixes this.
>>
>> It's worth noting that careful developers will set up the environment
>> variables as part of the exec() call. They should be safe as long as they
>> don't blindly copy values from the program's environment. But a lot of
>> developers aren't careful, or have to pass the environment to the subshell
>> for various reasons.
>>
>> Bear
>>
>> > If you are using bash in any way on your NSLU2 or really any device
>> > running Linux, you are vulnerable to attacks using a recently
>> > discovered security bug.
>> >
>> > $ export x='() { :;}; echo vulnerable'
>> > $ bash -c "echo this is a test"
>> > vulnerable
>> > this is a test
>> > $
>> >
>> > In a nutshell, if the user can set ANY string that is assigned to
>> > an environmental variable, the system is vulnerable. It is not uncommon for
>> > processes to set values passed in by the user as environmental variables
>> > before spawning a shell instance such as a shell script using bash. On my
>> > own router I found I was vulnerable by several cron scripts I had written
>> > that pass values from DNS lookups that could be potentially hacked to add
>> > such a magic string by anyone with access to the DNS server. Here are some
>> > articles that describe the issue further:
>> >
>> > http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-6271
>> > https://access.redhat.com/articles/1200223
>> > https://securityblog.redhat.com/2014/09/24/bash-specially-crafted-environment-variables-code-injection-attack/
>>
>>
>> _______________________________________________
>> Web Page:  http://lug.boulder.co.us
>> Mailing List: http://lists.lug.boulder.co.us/mailman/listinfo/lug
>> Join us on IRC: irc.hackingsociety.org port=6667 channel=#hackingsociety
>>
>
>
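
Bear's point above about setting up the environment as part of the exec() call, sketched as an added Python example (not code from anyone in this thread). The `INHERIT` allowlist and the `LOOKUP_RESULT` variable name are assumptions for illustration, and the sample environment is constructed.

```python
import os
import subprocess

# Shape of the value used in the test quoted in this thread: affected bash
# versions import it as a function and then run the text after the body.
FUNCTION_PREFIX = "() {"

# Assumption: the only inherited variables the child script needs.
INHERIT = ("PATH", "HOME", "LANG")


def is_function_shaped(value):
    return value.startswith(FUNCTION_PREFIX)


def suspicious_vars(env):
    """Names of variables whose value would be imported as a function."""
    return sorted(k for k, v in env.items() if is_function_shaped(v))


def build_child_env(parent_env, untrusted):
    """Build the child's environment explicitly, never by copying the parent.

    untrusted maps variable names to values that came from outside the
    program (for example a DNS answer). Function-shaped values are refused.
    """
    env = {k: parent_env[k] for k in INHERIT
           if k in parent_env and not is_function_shaped(parent_env[k])}
    for name, value in untrusted.items():
        if is_function_shaped(value):
            raise ValueError("refusing function-shaped value for " + name)
        env[name] = value
    return env


def run_script(script, untrusted, parent_env=None):
    """Run a bash script with only the explicitly built environment."""
    parent = os.environ if parent_env is None else parent_env
    env = build_child_env(parent, untrusted)
    return subprocess.run(["bash", "-c", script], env=env,
                          capture_output=True, text=True, check=False)


if __name__ == "__main__":
    # Constructed sample: a parent environment carrying the thread's test value.
    parent = {"PATH": "/usr/bin:/bin", "x": "() { :;}; echo vulnerable"}
    print(suspicious_vars(parent))
    result = run_script('echo "lookup: $LOOKUP_RESULT"',
                        {"LOOKUP_RESULT": "192.0.2.10"}, parent)
    print(result.stdout, end="")
```

Refusing function-shaped values complements the bash update discussed in the thread; it does not replace it.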