On Fri, 26 Sep 2014 20:19:39 +0200, Tomasz Rola wrote:

>On Thu, Sep 25, 2014 at 05:15:13PM -0700, Charles Mills wrote:
>> Thanks. I'm reading
>> http://en.wikipedia.org/wiki/Shellshock_(software_bug) and I sort of
>> get it.
>>
>> I guess the worry is that the effects are so unknown.
>
>There is a very nice description by Michal Zalewski, here:
>
>http://lcamtuf.blogspot.co.uk/2014/09/quick-notes-about-bash-bug-its-impact.html
>
>Bash manual specifies "Restricted bash mode", invoked with "bash -r"
>or "rbash" command. Among other things, it disallows "importing
>function definitions from the shell environment at startup", which, if
>I understand everything sufficiently, should be enough to repel either
>this one bug or some of its cousins, too.
>
>Morale? Well, know your programs, for Bit's sake.
>
...
>> IF there is a situation where a user can set an environment variable
>> to some arbitrary value and IF that variable gets passed to a child
>> process, the child process will end up executing the user's
>> malicious command appended to the environment variable.
>
>If a _remote_ user can do this, you have a problem. If a local user
>(includes logged in from remote) does this, which should be legitimate
>but you have a problem with it, then again you have a problem.
>
And, yet, it's part of the specification of CGI. But it allows the
remote user to define USER_AGENT as a function rather than a variable.
Harmful only if the target script then invokes USER_AGENT as a command.
>There is nothing inherently bad in just setting env var by remote
>user, because I understand this is how everything in the web server
>works, and some other places too. The problem is, if he knows you will
>call bash with some script and this script executes command X, he may
>trick your server to redefine this X into something of his choice.
>
This is Bobby Tables all over again: http://xkcd.com/327/

It relies on a bash extension which, however useful, violates POSIX by
restricting the value space of environment variables. The Wikipedia
example, slightly altered:

user@HOST:
user@HOST: x='() { echo F;}; echo vulnerable' bash -xc ': test; echo "x is $x"'
bash:+ echo vulnerable
vulnerable
bash:0+ : test
bash:0+ echo 'x is '
x is
user@HOST:

POSIXly should display:

user@HOST: x='() { echo F;}; echo vulnerable' ksh -xc ': test; echo "x is $x"'
ksh:1+ : test
ksh:1+ echo 'x is () { echo F;}; echo vulnerable'
x is () { echo F;}; echo vulnerable
user@HOST:

However useful imported functions are, they're needless. The effect
could be achieved more safely, function-by-function, by such as:

eval "x$x" # to import function x, etc.

But, still, beware of Bobby Tables; it's mere hygiene when using eval.

-- 
gil

----------------------------------------------------------------------
For IBM-MAIN subscribe / signoff / archive access instructions,
send email to lists...@listserv.ua.edu with the message: INFO IBM-MAIN
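Added example, not part of gil's message or of the IBM-MAIN thread: a POSIX sh script with two defender-side checks built on the bash-versus-ksh contrast shown above. The first probes whether a given shell still imports function definitions from the environment, using the thread's own harmless value (a function definition followed by `echo vulnerable`); the second scans NAME=VALUE lines, such as the environment a CGI script receives, and names every variable whose value begins with the `() {` prefix that unpatched bash treated as a function to import. The function names, the `SAMPLE_CGI_ENV` block and its values are constructed for this example and are assumptions, not anything from the original post.

```shell
#!/bin/sh
# Added example (not from the original thread): two defender-side checks
# around bash's import of function definitions from the environment.

# Check 1: does the shell named in $1 (bash, rbash, ksh, sh, ...) import
# function definitions from the environment at startup? The probe value
# is the thread's own: a function definition followed by a second
# command. A shell that imports functions runs the trailing
# "echo vulnerable" while starting; a POSIX shell, a restricted bash, or
# a patched bash leaves the value as an ordinary string.
# Returns 0 (true) if the trailing command ran, 1 otherwise (including
# when the shell is not installed).
shell_imports_env_functions() {
    probe_out=$(x='() { :;}; echo vulnerable' "$1" -c ':' 2>/dev/null)
    [ "$probe_out" = vulnerable ]
}

# Check 2: read NAME=VALUE lines on stdin (a CGI request's environment,
# the output of `env`) and print the NAME of each variable whose value
# starts with "() {". Only the start of the value is tested, because
# that is what unpatched bash looked at; "() {" later in a value
# (e.g. inside a query string) does not trigger the import.
scan_env_for_function_imports() {
    while IFS= read -r line; do
        name=${line%%=*}     # text before the first '='
        value=${line#*=}     # text after the first '=' (may contain '=')
        case $value in
            "() {"*) printf '%s\n' "$name" ;;
        esac
    done
}

# Constructed sample environment in the shape a CGI script would see.
# The User-Agent carries the thread's probe value; QUERY_STRING shows a
# "() {" that is NOT at the start of the value and so is not flagged.
SAMPLE_CGI_ENV='REQUEST_METHOD=GET
HTTP_USER_AGENT=() { :;}; echo vulnerable
HTTP_COOKIE=sid=abc123
QUERY_STRING=x=() { not an import
SERVER_PROTOCOL=HTTP/1.1'

# Stand-alone run: report both checks.
for sh_name in bash rbash ksh sh; do
    if shell_imports_env_functions "$sh_name"; then
        echo "$sh_name: imports functions from the environment"
    else
        echo "$sh_name: does not import (or is not installed)"
    fi
done
echo "variables whose value starts with the function-import prefix:"
printf '%s\n' "$SAMPLE_CGI_ENV" | scan_env_for_function_imports
```

The probe reproduces gil's `bash -xc` experiment without the trace, so it can be run against each shell on a host to see which ones behave POSIXly; the scanner is the kind of check a CGI wrapper or request-log review can apply before any shell is invoked. Neither check touches the `eval "x$x"` import suggested above: deciding that an untrusted value is exactly one function definition and nothing more is the Bobby Tables problem gil warns about, so the safe default is to refuse such values rather than to parse them.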