On Sep 30, 2014, at 1:05 AM, Roy Marples <r...@marples.name> wrote:
>> Of course, the shell isn't supposed to interpret metacharacters in the
>> value of shell variables unless explicitly told to: so sanitising
>> shouldn't be required (though I concede it would mitigate a lot of
>> common shell-script errors.)
> Shells shouldn't allow function definitions in variables, but here we are :)

Fortunately the new patch just said "f-this, we can't secure this 'feature', so 
its removed...", because even if the parser works completely you could still 
redefine some functions in some contexts with bad results.  This is why the 
final command line test is now:

env foo='() { echo "not patched" ; }' /bin/bash -c foo

Although, to be honest, although the DHCP vector is trivial to exploit [1], if 
the attacker can give you a bogus DHCP reply you've lost already.

At this point, the attacker already has a full man-in-the-middle of all network 
traffic, and can easily launch invisible attacks on clients (e.g. cause a 
hidden iframe to appear to their metasploit server instance, insert cached 
scripts into the browser context, etc...).

[1] the DHCP server on my test network has: option domain-name "() { ignored;}; 
/bin/touch pwnage ; (/bin/sleep 10; /bin/ping -c 10 & "; in its 

Attachment: signature.asc
Description: Message signed with OpenPGP using GPGMail

Dnsmasq-discuss mailing list

Reply via email to