oss-security - Re: Re: CVE-2014-6271: remote code execution through bash (3rd vulnerability)

Follow @Openwall on Twitter for new release announcements and other news

[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]

Date: Mon, 29 Sep 2014 10:33:20 -0400
From: Chet Ramey <chet.ramey@...e.edu>
To: Osmond Sun <osmond.sun@...il.com>, oss-security@...ts.openwall.com
CC: chet.ramey@...e.edu
Subject: Re: Re: CVE-2014-6271: remote code execution through
 bash (3rd vulnerability)

On 9/29/14, 9:01 AM, Osmond Sun wrote:
> I found the function parsing is still imperfect.
> e.g. $env x="() { :;}; `touch vulnerablefile`" bash -c "echo this is a test "

If that is the command you ran, this doesn't show any vulnerability.  The
double quotes surrounding the assignment to x in the argument to `env'
mean that command substitution is performed before env runs.  It's the
command substitution that creates the file, so the file exists before bash
is invoked.

Chet
-- 
``The lyf so short, the craft so long to lerne.'' - Chaucer
		 ``Ars longa, vita brevis'' - Hippocrates
Chet Ramey, ITS, CWRU    chet@...e.edu    http://cnswww.cns.cwru.edu/~chet/

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.