On Fri, 26 Sep 2014 20:19:39 +0200, Tomasz Rola wrote:

>On Thu, Sep 25, 2014 at 05:15:13PM -0700, Charles Mills wrote:
>> Thanks. I'm reading
>> http://en.wikipedia.org/wiki/Shellshock_(software_bug) and I sort of
>> get it.
>>
>> I guess the worry is that the effects are so unknown.
>
>There is a very nice description by Michal Zalewski, here:
>
>http://lcamtuf.blogspot.co.uk/2014/09/quick-notes-about-bash-bug-its-impact.html
>
>Bash manual specifies "Restricted bash mode", invoked with "bash -r"
>or "rbash" command. Among other things, it disallows "importing
>function definitions from the shell environment at startup", which, if
>I understand everything sufficiently, should be enough to repel either
>this one bug or some of its cousins, too.
>
>Morale? Well, know your programs, for Bit's sake.
>    ...
>> IF there is a situation where a user can set an environment variable
>> to some arbitrary value and IF that variable gets passed to a child
>> process, the child process will end up executing the user's
>> malicious command appended to the environment variable.
>
>If a _remote_ user can do this, you have a problem. If a local user
>(includes logged in from remote) does this, which should be legitimate
>but you have a problem with it, then again you have a problem.
> 
And, yet, it's part of the specification of CGI.  But it allows the remote
user to define USER_AGENT as a function rather than a variable.
Harmful only if the target script then invokes USER_AGENT as a command.

>There is nothing inherently bad in just setting env var by remote
>user, because I understand this is how everything in the web server
>works, and some other places too. The problem is, if he knows you will
>call bash with some script and this script executes command X, he may
>trick your server to redefine this X into something of his choice.
> 
This is Bobby Tables all over again:

    http://xkcd.com/327/

It relies on a bash extension which, however useful, violates POSIX by
restricting the value space of environment variables.  The Wikipedia
example, slightly altered:

user@HOST:
user@HOST: x='() { echo F;}; echo vulnerable' bash -xc ': test; echo "x is $x"'
bash:+ echo vulnerable
vulnerable
bash:0+ : test
bash:0+ echo 'x is '
x is
user@HOST:

POSIXly should display:

user@HOST: x='() { echo F;}; echo vulnerable'  ksh -xc ': test; echo "x is $x"'
ksh:1+ : test
ksh:1+ echo 'x is () { echo F;}; echo vulnerable'
x is () { echo F;}; echo vulnerable
user@HOST:

However useful imported functions are, they're needless.  The effect
could be achieved more safely, function-by-function, by such as:

    eval "x$x"  # to import function x, etc.

But, still, beware of Bobby Tables; it's mere hygiene when using eval.

-- gil

----------------------------------------------------------------------
For IBM-MAIN subscribe / signoff / archive access instructions,
send email to lists...@listserv.ua.edu with the message: INFO IBM-MAIN
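The thread's two points, that an environment value is data under POSIX but that pre-fix bash parsed a value starting with `() {` as a function to import, suggest the obvious wrapper-side hygiene: hand the child shell an empty environment plus an allowlist of variables, and pass each one through only when it is plain data. The script below is an added example, not code from this list or from any project it mentions; the function names, the allowlist and the sample values (`HTTP_HOST`, `HTTP_USER_AGENT`) are constructed for illustration, and the `() {` prefix test is exactly the shape the thread discusses, nothing broader.

```shell
#!/bin/sh
# Added example for this thread, not code from the list or any project it
# mentions. A CGI-style wrapper: the child shell gets env -i plus an
# allowlist of request variables, each passed only when its value is plain
# data. A value with the "() {" prefix (the exported-function shape that
# pre-fix bash parsed and executed) is dropped and reported instead.
# Variable names and values used below are constructed for illustration.

# Returns 0 when the value is ordinary data, 1 when it carries the "() {"
# prefix that bash treated as a function definition to import.
is_plain_value() {
    case "$1" in
        '() {'*) return 1 ;;
        *)       return 0 ;;
    esac
}

# Arguments: variable names from the wrapper's own allowlist.
# Prints NAME=VALUE, one per line, for each set variable whose value is
# plain data; reports rejected ones on stderr. Returns the count rejected.
filter_env() {
    rejected=0
    for name in "$@"; do
        # Accept only identifier-shaped names, since $name is interpolated
        # into the eval below. Names come from our allowlist, not from the
        # request, but the check costs nothing.
        case "$name" in
            ''|*[!A-Za-z0-9_]*|[0-9]*) continue ;;
        esac
        # Indirect lookup in POSIX sh: is the variable set, and what is it?
        eval "is_set=\${$name+set}; value=\${$name}"
        [ "$is_set" = set ] || continue
        if is_plain_value "$value"; then
            printf '%s=%s\n' "$name" "$value"
        else
            printf 'dropping %s: function-shaped value\n' "$name" >&2
            rejected=$((rejected + 1))
        fi
    done
    return "$rejected"
}

# Runs $1 as a shell script under env -i, passing only the filtered
# variables named in the remaining arguments. Values containing newlines
# are not supported by this line-oriented handoff, which only makes the
# filter stricter.
run_with_clean_env() {
    script=$1
    shift
    old_ifs=$IFS
    IFS='
'
    set -f                      # no globbing while splitting on newlines
    set -- $(filter_env "$@")   # one NAME=VALUE per word
    set +f
    IFS=$old_ifs
    env -i PATH=/usr/bin:/bin "$@" /bin/sh -c "$script"
}
```

Usage: `run_with_clean_env 'exec /path/to/handler' HTTP_HOST HTTP_USER_AGENT ...` from the wrapper, after setting the request variables. With a function-shaped `HTTP_USER_AGENT` the child simply never sees that variable, and the rejection is logged on stderr; a ksh or a fixed bash would treat the value as text anyway, but the wrapper no longer depends on which shell, or which bash, the handler happens to invoke.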