On Fri, 26 Sep 2014, Andrew McN <[email protected]> wrote:
> Secondly, don't assume that Debian's default symlink of /bin/sh to
> /bin/dash means you are not vulnerable to holes in bash. There's a lot
> of scripts and system calls around which explicitly invoke `bash` rather
> than `sh`. Also if a user uses /bin/bash as their shell, then this bug
> gives a way to circumvent command restrictions on a given ssh key, as
> configured in ~/.ssh/authorised_keys.

    #!/bin/bash
    echo ok

I created a script named zz with the above contents. I ran the following test
using bash 4.2+dfsg-0.1 from Debian/Wheezy (the unfixed version) and got an
unexpected SEGV.

    # ORIG="() { :;} ; touch /tmp/ohno" ./zz
    /bin/bash: touch: No such file or directory
    Segmentation fault

I also got a SEGV from remote when the shell for root was /bin/sh (dash).
I verified that either bash as the root shell or as the shell for a script was
sufficient for an exploit.
--
My Main Blog http://etbe.coker.com.au/
My Documents Blog http://doc.coker.com.au/
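
An added example, not part of the original post: since either a script that names bash in its shebang or an account whose login shell is bash was sufficient, this inventories both on a system where /bin/sh is dash. sshd runs a forced `command=` through the account's login shell, which is why the passwd check matters; the function names, sample tree and passwd entries are constructed for illustration.

```shell
#!/bin/sh
# interp_of FILE: print the interpreter basename from FILE's shebang line,
# looking through "#!/usr/bin/env [-opts] NAME". Prints nothing without one.
interp_of() {
    head -c 256 "$1" 2>/dev/null | tr -d '\000' | awk 'NR == 1 && /^#!/ {
        sub(/^#![ \t]*/, "")
        n = split($0, w, /[ \t]+/)
        i = 1
        sub(/.*\//, "", w[1])
        if (w[1] == "env") { i = 2; while (i <= n && w[i] ~ /^-/) i++ }
        if (i <= n) { sub(/.*\//, "", w[i]); print w[i] }
    } { exit }'
}

# bash_scripts DIR: list regular files under DIR whose shebang runs bash.
bash_scripts() {
    find "$1" -type f | while IFS= read -r f; do
        if [ "$(interp_of "$f")" = bash ]; then printf '%s\n' "$f"; fi
    done
}

# bash_login_users PASSWD: accounts whose login shell (field 7) is bash.
bash_login_users() {
    awk -F: '$7 ~ /(^|\/)bash$/ { print $1 }' "$1"
}

# make_sample: build constructed sample data in a temp dir; print its path.
make_sample() {
    d=$(mktemp -d) || return 1
    mkdir "$d/bin"
    printf '#!/bin/bash\necho ok\n' > "$d/bin/zz"      # the script from the post
    printf '#!/bin/sh\necho ok\n' > "$d/bin/posix"     # runs dash on Debian
    printf '#!/usr/bin/env bash\necho ok\n' > "$d/bin/viaenv"
    printf 'plain text\n' > "$d/bin/notes"
    {
        echo 'root:x:0:0:root:/root:/bin/sh'
        echo 'alice:x:1000:1000::/home/alice:/bin/bash'
        echo 'git:x:1001:1001::/home/git:/usr/bin/git-shell'
    } > "$d/passwd"
    printf '%s\n' "$d"
}

sample=$(make_sample)
echo "scripts that run bash:";            bash_scripts "$sample/bin" | sort
echo "accounts with a bash login shell:"; bash_login_users "$sample/passwd"
rm -rf "$sample"
```

On a real host, point `bash_scripts` at directories such as cron and CGI script locations and `bash_login_users` at /etc/passwd.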