Date: Wed, 24 Sep 2014 22:01:50 +0600
From: "Alexander E. Patrakov" <patrakov@...il.com>
To: oss-security@...ts.openwall.com
CC: chet.ramey@...e.edu
Subject: Re: CVE-2014-6271: remote code execution through bash

24.09.2014 21:16, Solar Designer wrote:
> $ ssh -o 'rsaauthentication yes' 0 '() { ignored; }; /usr/bin/id'
> uid=500(sandbox) gid=500(sandbox) groups=500(sandbox)
> Received disconnect from 127.0.0.1: Command terminated on signal 11.
>
> This is with command="set" in .ssh/authorized_keys for the key being
> used.  (Without the "; /usr/bin/id" portion, the command prints the
> environment variables, including SSH_ORIGINAL_COMMAND being the function
> with just "ignored" in its body.)  As we can see, the command runs, and
> moreover in this case bash happened to segfault after having run "id".
>
> I see no good workaround.  Starting the forced command with "unset
> SSH_ORIGINAL_COMMAND &&" does not help - we'd need to unset the variable
> before starting bash, not from bash.

Won't installing dash and setting the shell of users who have forced 
commands to dash mitigate this somehow?

-- 
Alexander E. Patrakov
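
Related to the question above, an added example (not part of the original message or thread) that inventories which accounts combine a forced command with a bash login shell. The function names, the ROOT_PREFIX argument and the sample accounts are hypothetical, and keys are assumed to live in ~/.ssh/authorized_keys.

```shell
#!/bin/sh
# Added example (not from the thread). sshd runs a forced command through the
# account's login shell, so this lists accounts that have a command="..."
# key option and a login shell of bash.

# Usage: forced_command_bash_users PASSWD_FILE [ROOT_PREFIX]
# ROOT_PREFIX (hypothetical helper argument) is prepended to each home
# directory so the check can run against a constructed tree.
forced_command_bash_users() {
    passwd_file=$1
    root=${2:-}
    while IFS=: read -r user _pw _uid _gid _gecos home shell; do
        case $shell in
            */bash) ;;
            *) continue ;;
        esac
        keys="$root$home/.ssh/authorized_keys"
        [ -r "$keys" ] || continue
        # Options precede the key type; allow other options before command=.
        if grep -Eiq '^[[:space:]]*([^#[:space:]"]+(="[^"]*")?,)*command="' "$keys"; then
            printf '%s\n' "$user"
        fi
    done < "$passwd_file"
}

# Constructed sample data: three accounts, key blobs are placeholders.
demo_constructed() {
    t=$(mktemp -d) || return 1
    mkdir -p "$t/home/sandbox/.ssh" "$t/home/backup/.ssh" "$t/home/dev/.ssh"
    cat > "$t/passwd" <<'EOF'
sandbox:x:500:500::/home/sandbox:/bin/bash
backup:x:501:501::/home/backup:/bin/dash
dev:x:502:502::/home/dev:/bin/bash
EOF
    echo 'no-pty,command="set" ssh-rsa AAAA-constructed sandbox-key' > "$t/home/sandbox/.ssh/authorized_keys"
    echo 'command="set" ssh-rsa AAAA-constructed backup-key' > "$t/home/backup/.ssh/authorized_keys"
    echo 'ssh-rsa AAAA-constructed dev-key' > "$t/home/dev/.ssh/authorized_keys"
    forced_command_bash_users "$t/passwd" "$t"
    rm -rf "$t"
}

if [ "$#" -gt 0 ]; then forced_command_bash_users "$@"; else demo_constructed; fi
```

A login shell of /bin/sh that resolves to bash, or a forced command that itself starts bash, is not caught by this check.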
