lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Date: Thu, 25 Sep 2014 13:54:31 -0700
From: Paul Vixie <paul@...barn.org>
To: Tim <tim-security@...tinelchicken.org>
Cc: fulldisclosure@...lists.org, Evan Teitelman <teitelmanevan@...il.com>
Subject: Re: [FD] Critical bash vulnerability CVE-2014-6271



> Tim <mailto:tim-security@...tinelchicken.org>
> Thursday, September 25, 2014 1:06 PM
>
>
> If you change the default shell from bash to a more sane one[1], like
> dash or ash, does this attack disappear?

no. the problem occurs when /bin/sh is bash, or when a network invokable
script begins with the line #!/bin/bash. it has nothing to do with the
user's shell. rather, it's the shell used by popen() and system() and of
course (execl, execlp, execle, execv, execvp, execvpe), or, it's the
explicitly called shell named at the top of the script itself.

> I would assume so, but
> sometimes foolish packages directly reference /bin/bash in the #!
> header. (I notice some dhclient shell script hooks don't make an
> explicit reference at all, while others reference /bin/sh.)

some scripts really do depend on bash's extensions. the dhclient hook is
particularly bad about that, since it uses the environment to pass
parameters that are set by the DHCP server (or a miscreant pretending to
be one).

-- 
Paul Vixie

_______________________________________________
Sent through the Full Disclosure mailing list
http://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: http://seclists.org/fulldisclosure/

Powered by blists - more mailing lists