Products Openwall GNU/*/Linux   server OS Linux Kernel Runtime Guard John the Ripper   password cracker Free & Open Source for any platform in the cloud Pro for Linux Pro for macOS Wordlists   for password cracking passwdqc   policy enforcement Free & Open Source for Unix Pro for Windows (Active Directory) yescrypt   KDF & password hashing yespower   Proof-of-Work (PoW) crypt_blowfish   password hashing phpass   ditto in PHP tcb   better password shadowing Pluggable Authentication Modules scanlogd   port scan detector popa3d   tiny POP3 daemon blists   web interface to mailing lists msulogin   single user mode login php_mt_seed   mt_rand() cracker Services Publications Articles Presentations Resources Mailing lists Community wiki Source code repositories (GitHub) Source code repositories (CVSweb) File archive & mirrors How to verify digital signatures OVE IDs What's new

Date: Fri, 26 Sep 2014 15:11:59 +0200
From: Guido Berhoerster <gber@...nsuse.org>
To: oss-security@...ts.openwall.com
Subject: Re: Re: CVE-2014-6271: remote code execution through
 bash (3rd vulnerability)

* Florian Weimer <fweimer@...hat.com> [2014-09-26 13:33]:
> On 09/26/2014 10:54 AM, Mark R Bannister wrote:
> I agree this looks scary at first glance, but we discussed this
> previously, see for example:
> 
>   <http://www.openwall.com/lists/oss-security/2014/09/24/20>
> 
> Shell scripts derive part of their power and flexibility from their
> openness to the execution environment.  You can tweak PATH, BASH_ENV
> (or ENV for other Bourne-like shells), IFS, HOME, and many other
> variables to change behavior.  There are even more knobs to affect
> the behavior of the external commands almost all shell scripts call
> when they run.
> 
> This makes them not suitable at all for writing SUID programs or
> other code that runs in untrusted environments.  This is
> well-documented, and given the amount of shell scripts out there
> which rely on these aspects of the UNIX shell design, it's not
> something we can change, particularly not as part of a security
> update which system administrators are more or less forced to
> install.
> 
> In your specific example, you can achieve the same effect by setting
> PATH to a directory with a customer ls program, or by setting
> BASH_ENV to a file which contains a definition of a function called
> ls.

I strong disagree that, there is a big difference in that a
script can (and should) be able to obtain a sane environment by
resetting stuff like PATH, BASH_ENV, IFS.  The issue is also not
about flexibility to override commands with functions or the
ability to export them, rather it is the apparently undocumented
implementation mixing data and code by storing the functions in
the environment which is total and utter crap even by the
standards of 20 years ago and it is just a matter of time until
the next parser bug comes up.

> Overriding external programs with shell functions in such a way has
> to be supported.  Otherwise, scripts which define shell functions
> would break if the system administrator installs new software which
> happens to include a program of the same name of the shell function.

That is orthogonal to the implementation of exported functions.
-- 
Guido Berhoerster

Powered by blists - more mailing lists

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.