Products Openwall GNU/*/Linux   server OS Linux Kernel Runtime Guard John the Ripper   password cracker Free & Open Source for any platform in the cloud Pro for Linux Pro for macOS Wordlists   for password cracking passwdqc   policy enforcement Free & Open Source for Unix Pro for Windows (Active Directory) yescrypt   KDF & password hashing yespower   Proof-of-Work (PoW) crypt_blowfish   password hashing phpass   ditto in PHP tcb   better password shadowing Pluggable Authentication Modules scanlogd   port scan detector popa3d   tiny POP3 daemon blists   web interface to mailing lists msulogin   single user mode login php_mt_seed   mt_rand() cracker Services Publications Articles Presentations Resources Mailing lists Community wiki Source code repositories (GitHub) Source code repositories (CVSweb) File archive & mirrors How to verify digital signatures OVE IDs What's new

Date: Wed, 01 Oct 2014 22:06:39 -0400
From: Chet Ramey <chet.ramey@...e.edu>
To: "Kobrin, Eric" <ekobrin@...mai.com>
CC: Solar Designer <solar@...nwall.com>, oss-security@...ts.openwall.com,
        Chet Ramey <chet.ramey@...e.edu>
Subject: Re: More parser odities

On 10/1/14, 8:36 PM, Solar Designer wrote:
> Eric - you probably want to CC: Chet on your new findings.  Added the CC.
> 
> On Wed, Oct 01, 2014 at 07:16:40PM -0500, Kobrin, Eric wrote:
>> This oddity also allows bypass of the absolute_program protection added in the recent patches:
>>
>>
>> $ env $'BASH_FUNC_#badname%%'=$'() { :; }\n/bin/ls () { echo wrongfunc; }  ' ./bash -c '/bin/ls'
>> fbash: error importing function definition for `#badname'
>> wrongfunc
>>
>>
>>
>>
>> I really do think it is time to take a different approach for a long-term solution.
>>
>>
>> -- Eric Kobrin
>>
>>
>> On Oct 1, 2014, at 5:35 PM, "Kobrin, Eric" <ekobrin@...mai.com> wrote:
>>
>>
>>> Using bash from the GNU git, subsequently patched to level 28:
>>>
>>> $ env $'BASH_FUNC_#badname%%'=$'() { :; }\nfoo () { echo wrongfunc; } ' ./bash -c 'foo'
>>> ./bash: error importing function definition for `#badname'
>>> wrongfunc

Two things.

First, there is already a fix for this in the patch pipeline.

Second, given the existence of the bash-4.3.27 and vendor and previous
version equivalents, this is not a security problem.  What we are coming
up with is more and more esoteric ways to execute commands bash allows
you to execute directly.  There isn't a local privilege escalation issue,
and the game is already over if you allow someone to specify arbitrary
environment variable names and values.

Please keep the reports coming.  They're valuable in making bash better;
they're just not security problems or vulnerabilities.

Chet
-- 
``The lyf so short, the craft so long to lerne.'' - Chaucer
		 ``Ars longa, vita brevis'' - Hippocrates
Chet Ramey, ITS, CWRU    chet@...e.edu    http://cnswww.cns.cwru.edu/~chet/

Powered by blists - more mailing lists

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.