[GRLUG] CVE-2014-6271
Adam Tauno Williams
awilliam at whitemice.org
Thu Sep 25 10:44:35 EDT 2014
On Thu, 2014-09-25 at 10:37 -0400, Mark Farver wrote:
> If an attacker has remote control of environment variables think of
> the damage that can be done with LD_LIBRARY_PATH. Upload a file to a
> harmless path on webserver and use the library path to link it into an
> executable running in a CGI env. Instant remote code execution.
This.
I am not saying the reported exploit is not real or valid... but there
is nothing NEW here. Everyone has known about this forever.
I attended GRCC where I took a UNIX admin class. It was a really lousy
simplistic course. But they even mentioned
environment-variables-are-a-security-problem in that class; one of the
about three security issues they bothered to mention.
This exploit seems to be about bash specifically, and specifically about
ways to set environment variables. But really, I just don't want
set-an-environment-variable to ever happen.
> Basically environment variables are not terribly secure and have not
> received a lot of security analysis. If you let an attacker control
> them for a process running as another user there are probably vectors
> there.
--
Adam Tauno Williams <mailto:awilliam at whitemice.org> GPG D95ED383
Systems Administrator, Python Developer, LPI / NCLA
More information about the grlug
mailing list