On 26Sep2014 09:40, Steven D'Aprano <st...@pearwood.info> wrote:
On Fri, Sep 26, 2014 at 12:17:46AM +0200, Antoine Pitrou wrote:
On Thu, 25 Sep 2014 13:00:16 -0700
Bob Hanson <d2mp...@newsguy.com> wrote:
> Critical bash vulnerability CVE-2014-6271 may affect Python on
> *n*x and OSX:
[...]

See also:
http://adminlogs.info/2014/09/25/again-bash-cve-2014-7169/

Fortunately, Python's subprocess has its `shell` argument default to
False. However, `os.system` invokes the shell implicitly and is
therefore a possible attack vector.

Perhaps I'm missing something, but aren't there easier ways to attack
os.system than the bash env vulnerability? If I'm accepting and running
arbitrary strings from an untrusted user, there's no need for them to go
to the trouble of feeding me:

"env x='() { :;}; echo gotcha'  bash -c 'echo do something useful'"

when they can just feed me:

"echo gotcha"

In other words, os.system is *already* an attack vector, unless you only
use it with trusted strings. I don't think the bash env vulnerability
adds to the attack surface.

Have I missed something?

Yes. Although it is possible to craft safe things for os.system, the issue is delivery of the attacks: plenty of totally standard things expose the shell to outside-supplied strings. And on most of those things, "the shell" is bash.

The issue with the bash-imports-functions-badly issue is that shell functions are exported through the environment. Other things use the environment to pass info.

The loud examples on the net are CGI scripts (query parameters passed through the environment, along with other things) and hostile DHCP servers (DHCP settings passed by the _client_ dhcpd to action scripts, as root).

Both of these let someone outside your system deliver bash-exploit strings to bash scripts.

Your cable/adsl modem? Probably an embedded Linux box, possibly using bash, and certainly a dhcp client of the ISP. Better still, for many people that same compromisable modem is the DHCP _server_ for their home LAN...

Cheers,
Cameron Simpson <c...@zip.com.au>

Rebel without a clue, Born to be mild.
        - kevin.lo...@usask.ca, DoD #0975
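Added example (not from this thread, nor CPython's own code): it builds a constructed CGI-style environment of the kind described above, flags values shaped like bash function exports, and shows that spawning the handler with `shell=False` leaves such a value as inert data. `SAMPLE_CGI_ENV` and the helper names are my own.

```python
import re
import subprocess
import sys

# An exported bash function (and therefore a Shellshock payload) is an
# environment value that begins with "() {".
FUNC_EXPORT_RE = re.compile(r"^\s*\(\)\s*\{")

# Constructed sample of the environment a CGI gateway builds from an HTTP
# request: headers become HTTP_* variables, so any header can carry the
# string quoted in the thread above.
SAMPLE_CGI_ENV = {
    "PATH": "/usr/bin:/bin",
    "REQUEST_METHOD": "GET",
    "QUERY_STRING": "page=index",
    "HTTP_HOST": "www.example.com",
    "HTTP_USER_AGENT": "() { :;}; echo gotcha",
    "HTTP_COOKIE": "session=abc123",
}


def find_function_exports(env):
    """Names of environment variables whose value is shaped like a bash
    function export; log these at the gateway as Shellshock attempts."""
    return sorted(name for name, value in env.items()
                  if FUNC_EXPORT_RE.match(value))


def scrub_env(env):
    """Copy of env with function-export-shaped values dropped, for the case
    where a child really must be a bash script."""
    return {name: value for name, value in env.items()
            if not FUNC_EXPORT_RE.match(value)}


def run_without_shell(argv, env):
    """Spawn argv directly (shell=False): no bash starts, so nothing imports
    functions from env, and argv elements are never parsed as shell syntax."""
    result = subprocess.run(argv, env=env, capture_output=True,
                            text=True, check=True)
    return result.stdout


def child_sees_user_agent(env):
    """Start a Python child (standing in for the CGI handler) and return the
    User-Agent it observes; with shell=False the value is just a string."""
    code = "import os; print(os.environ.get('HTTP_USER_AGENT', ''))"
    return run_without_shell([sys.executable, "-c", code], env).strip()


if __name__ == "__main__":
    print("suspicious:", find_function_exports(SAMPLE_CGI_ENV))
    print("child sees:", repr(child_sees_user_agent(SAMPLE_CGI_ENV)))
    print("after scrub:", repr(child_sees_user_agent(scrub_env(SAMPLE_CGI_ENV))))
```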
_______________________________________________
Python-Dev mailing list
Python-Dev@python.org
https://mail.python.org/mailman/listinfo/python-dev