[lug] Bash env security bug

Quentin Hartman qhartman at gmail.com
Thu Sep 25 11:19:23 MDT 2014


I saw this yesterday as well, and my reading of it made it sound like it would
be awful hard to remotely exploit unless you were running CGIs that used
shell scripts or doing some other similar thing. Am I missing something, or
is that just way more common than I believe?

QH

On Thu, Sep 25, 2014 at 10:46 AM, Bear Giles <bgiles at coyotesong.com> wrote:

> I came across this on the NSLU2 blog. I've verified it on my recent Ubuntu
> system. I'm currently updating and will follow up if the update fixes this.
>
> It's worth noting that careful developers will set up the environment
> variables as part of the exec() call. They should be safe as long as they
> don't blindly copy values from the program's environment. But a lot of
> developers aren't careful, or have to pass the environment to the subshell
> for various reasons.
>
> Bear
>
> > If you are using bash in any way on your NSLU2 or really any device
> > running linux, you are vulnerable to attacks using a recently
> > discovered security bug.
> >
> > $ export x='() { :;}; echo vulnerable'
> > $ bash -c "echo this is a test"
> > vulnerable
> > this is a test
> > $
> >
> > In a nutshell, if the user can set ANY string that is assigned to
> > an environmental variable, the system is vulnerable. It is not uncommon for
> > processes to set values passed in by the user as environmental variables
> > before spawning a shell instance such as a shell script using bash. On my
> > own router I found I was vulnerable by several cron scripts I had written
> > that pass values from DNS lookups that could be potentially hacked to add
> > such a magic string by anyone with access to the DNS server. Here are some
> > articles that describe the issue further:
> >
> > http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-6271
> > https://access.redhat.com/articles/1200223
> > https://securityblog.redhat.com/2014/09/24/bash-specially-crafted-environment-variables-code-injection-attack/

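An added example, not part of either message above: one way to do what Bear describes, building the child's environment explicitly for the exec call instead of copying the parent's. The allowlist, the function names and the CGI-style sample environment are assumptions made for illustration.

```python
import os
import subprocess

# Assumption: the only inherited variables this hypothetical wrapper's child needs.
ALLOWED = ("PATH", "HOME", "LANG", "TZ")

# Value prefix that an unpatched bash imports as an exported function definition.
FUNCDEF_PREFIX = "() {"


def suspicious_vars(env):
    """Return the names whose values start like an exported bash function."""
    return sorted(k for k, v in env.items() if v.startswith(FUNCDEF_PREFIX))


def build_child_env(parent_env, extra=None):
    """Build the child's environment: allowlisted names from the parent plus
    explicitly supplied values, rejecting any function-like value."""
    env = {k: parent_env[k] for k in ALLOWED if k in parent_env}
    env.update(extra or {})
    bad = suspicious_vars(env)
    if bad:
        raise ValueError("function-like value in: " + ", ".join(bad))
    return env


def run_script(argv, parent_env=None, extra=None):
    """Run argv with the constructed environment, never the inherited one."""
    parent_env = os.environ if parent_env is None else parent_env
    return subprocess.run(argv, env=build_child_env(parent_env, extra),
                          capture_output=True, text=True, check=False)


# Constructed sample: a CGI-style parent environment in which a request
# header carries the test string from the post above.
SAMPLE_PARENT = {
    "PATH": "/usr/bin:/bin",
    "HOME": "/var/www",
    "HTTP_USER_AGENT": "() { :;}; echo vulnerable",
    "QUERY_STRING": "host=example.org",
}

if __name__ == "__main__":
    print("flagged in parent:", suspicious_vars(SAMPLE_PARENT))
    print("passed to child:  ", build_child_env(SAMPLE_PARENT))
```

Values a script has to hand to the shell, such as the DNS lookup results mentioned in the quoted post, go through `extra`, so they are checked before any shell sees them.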