[GRLUG] CVE-2014-6271

Adam Tauno Williams awilliam at whitemice.org
Thu Sep 25 10:44:35 EDT 2014

On Thu, 2014-09-25 at 10:37 -0400, Mark Farver wrote:
> If an attacker has remote control of environment variables think of
> the damage that can be done with LD_LIBRARY_PATH.  Upload a file to a
> harmless path on webserver and use the library path to link it into an
> executable running in a CGI env.  Instant remote code execution.


I am not saying the reported exploit is not real or valid... but there
is nothing NEW here.  Everyone has known about this forever.

I attended GRCC where I took a UNIX admin class.  It was a really lousy
simplistic course.  But they even mentioned
environment-variables-are-a-security-problem in that class; one of the
about three security issues they bothered to mention.

This exploit seems to be about bash specifically, and specifically about
ways to set environment variables.  But really, I just don't want
set-an-environment-variable to ever happen.

> Basically environment variables are not terribly secure and have not
> received a lot of security analysis.  If you let an attacker control
> them for a process running as another user there are probably vectors
> there.  

Adam Tauno Williams <mailto:awilliam at whitemice.org> GPG D95ED383
Systems Administrator, Python Developer, LPI / NCLA

More information about the grlug mailing list