On Thu, Sep 25, 2014 at 05:15:13PM -0700, Charles Mills wrote:
> Thanks. I'm reading
> http://en.wikipedia.org/wiki/Shellshock_(software_bug) and I sort of
> get it.
>
> I guess the worry is that the effects are so unknown.

There is a very nice description by Michal Zalewski, here:

http://lcamtuf.blogspot.co.uk/2014/09/quick-notes-about-bash-bug-its-impact.html

Please note that there is a way to list functions in one's bash process, by using "declare -F".

=> (627 1): declare -F
declare -f fingerics
declare -f insertblade
declare -f prjstart
declare -f setcvs
declare -f subshell

"declare -F" dumped me their source code definitions on the terminal.

The Bash manual specifies "Restricted bash mode", invoked with "bash -r" or the "rbash" command. Among other things, it disallows "importing function definitions from the shell environment at startup", which, if I understand everything sufficiently, should be enough to repel either this one bug or some of its cousins, too.

Moral? Well, know your programs, for Bit's sake.

I wonder why MZ, who should know about it, didn't mention it. Or I didn't spot it.

> IF there is a situation where a user can set an environment variable
> to some arbitrary value and IF that variable gets passed to a child
> process, the child process will end up executing the user's
> malicious command appended to the environment variable.

If a _remote_ user can do this, you have a problem. If a local user (this includes one logged in from remote) does this, which should be legitimate but you have a problem with it, then again you have a problem.

There is nothing inherently bad in just setting an env var by a remote user, because I understand this is how everything in the web server works, and some other places too. The problem is, if he knows you will call bash with some script and this script executes command X, he may trick your server into redefining this X into something of his choice.

> What are all the situations where that might happen? I guess no one
> knows, and that is the problem.

How many natural numbers are there? I think the answer is a good approximation for your question.

> > Sally has a basic everyday Mac running unpatched OS X. It is
> > connected to the Internet for Web browsing and e-mail, but she does
> > not operate a Web server. Let's for argument's sake assume no
> > firewall. Is Sally vulnerable to this?
> >
> > I am guessing that if she is vulnerable it is because someone can
> > telnet to her machine,

If someone can telnet, she is cooked, IMHO.

Also, if she uses a DHCP client which executes shell scripts with bash. If she could trick it into executing something else, maybe pdksh, perhaps she would have been safe(r).

Take my opinions with the usual spoon of salt. I have no idea if I know anything, maybe my pills ran out long ago and they allow me to post as occupational therapy.

-- 
Regards,
Tomasz Rola

--
** A C programmer asked whether computer had Buddha's nature.      **
** As the answer, master did "rm -rif" on the programmer's home    **
** directory. And then the C programmer became enlightened...      **
**                                                                 **
** Tomasz Rola          mailto:tomasz_r...@bigfoot.com             **
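The thread above talks about two defender questions without showing how to answer them: does the bash on this host still execute a command appended to a function definition it imports from the environment, and how would a web-server operator spot such values arriving in request headers (the "remote user sets an env var" case Tomasz describes)? The script below is an added example written for this page; it is not code from the thread or from any project. It assumes `bash`, `env` and `grep -E` are on the PATH, and the log lines in `SAMPLE_LOG` are constructed for the example, not taken from a real server. The detection regex is an assumption about the signature (a quoted header field beginning with the bash function-definition prefix `() {`), not a rule from any product.

```shell
#!/bin/sh
# Two defensive checks related to the bash function-import bug discussed above.
# Added example for this page; not part of the original thread.

# 1. Self-test: does the local bash still execute a command that trails a
#    function definition passed in through the environment?
#    Returns 0 if it does (host unpatched), 1 if not, 2 if bash is not found.
#    The appended command is a harmless echo; nothing else runs.
shellshock_selftest() {
    command -v bash >/dev/null 2>&1 || return 2
    out=$(env x='() { :;}; echo vulnerable' bash -c 'echo ok' 2>/dev/null)
    case "$out" in
        *vulnerable*) return 0 ;;   # trailing command was executed
        *)            return 1 ;;   # only the intended 'echo ok' ran
    esac
}

# 2. Log scan: count access-log lines whose quoted header fields (request,
#    referer, user-agent) begin with the function-definition prefix "() {".
#    Assumed signature: a double quote, "()", optional whitespace, "{".
SHELLSHOCK_RE='"\(\)[[:space:]]*\{'

count_shellshock_hits() {
    # Reads log lines on stdin and prints the number that match.
    # grep -c exits 1 when there are no matches; "|| true" keeps callers
    # running under 'set -e'.
    grep -cE "$SHELLSHOCK_RE" || true
}

# Constructed sample lines in Apache combined format (not real traffic).
# Line 1 and line 3 carry the signature in the user-agent / referer field.
SAMPLE_LOG='10.0.0.5 - - [25/Sep/2014:17:20:01 -0700] "GET /cgi-bin/status HTTP/1.1" 200 512 "-" "() { :; }; echo probe"
10.0.0.6 - - [25/Sep/2014:17:20:02 -0700] "GET /index.html HTTP/1.1" 200 2048 "-" "Mozilla/5.0"
10.0.0.7 - - [25/Sep/2014:17:20:03 -0700] "GET /cgi-bin/status HTTP/1.1" 200 512 "(){ :;}; echo probe" "curl/7.30"'

# Stand-alone run: report the self-test, then the hit count for the sample.
if shellshock_selftest; then
    echo "WARNING: this bash executes commands trailing an imported function"
else
    echo "this bash does not execute trailing commands (or bash was not found)"
fi
printf 'signature hits in sample log: %s\n' \
    "$(printf '%s\n' "$SAMPLE_LOG" | count_shellshock_hits)"
```

The self-test only needs a single harmless `echo`, so it is safe to run on production hosts; a patched bash prints `ok` and nothing else. For the log scan, feed a real access log on stdin (`count_shellshock_hits < access.log`) or pipe it through `grep -E "$SHELLSHOCK_RE"` to see the matching lines themselves; the signature is crude by design and will also flag the many harmless scanners that probed for this bug, so treat a hit as a lead to inspect the CGI scripts and child processes on that path, as the thread suggests, rather than as proof of compromise.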