[GRLUG] CVE-2014-6271

Michael Mol mikemol at gmail.com
Thu Sep 25 13:02:57 EDT 2014


It's not about control over environment variable names. It's about
*invalid parsing* of environment variable contents as they're being
passed.

From here: https://access.redhat.com/node/1200223

env x='() { :;}; echo vulnerable'  bash -c "echo this is a test"

The problem is how the environment variable is parsed. The *name*
could be anything. It obviously doesn't have to be "x". It could be
"CLIENT_SELF_REPORTED_NAME" or "X_USER_AGENT" or whatever.

At least, that's how I understand it.


On Thu, Sep 25, 2014 at 10:44 AM, Adam Tauno Williams
<awilliam at whitemice.org> wrote:
> On Thu, 2014-09-25 at 10:37 -0400, Mark Farver wrote:
>> If an attacker has remote control of environment variables think of
>> the damage that can be done with LD_LIBRARY_PATH.  Upload a file to a
>> harmless path on webserver and use the library path to link it into an
>> executable running in a CGI env.  Instant remote code execution.
>
> This.
>
> I am not saying the reported exploit is not real or valid... but there
> is nothing NEW here.  Everyone has known about this forever.
>
> I attended GRCC where I took a UNIX admin class.  It was a really lousy
> simplistic course.  But they even mentioned
> environment-variables-are-a-security-problem in that class; one of the
> about three security issues they bothered to mention.
>
> This exploit seems to be about bash specifically, and specifically about
> ways to set environment variables.  But really, I just don't want
> set-an-environment-variable to ever happen.
>
>> Basically environment variables are not terribly secure and have not
>> received a lot of security analysis.  If you let an attacker control
>> them for a process running as another user there are probably vectors
>> there.
>
> --
> Adam Tauno Williams <mailto:awilliam at whitemice.org> GPG D95ED383
> Systems Administrator, Python Developer, LPI / NCLA



-- 
:wq
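
Added example, not part of the original message: because the variable name can be anything, a filter has to inspect values for the `() {` prefix and drop matching variables before a child process that may invoke bash is started. The function names and the reliance on `env -u` are assumptions of this example.

```shell
#!/bin/sh
# Added example, not from the thread.
# Pre-patch bash treated any environment value beginning with "() {" as an
# exported function definition, so the check is on the VALUE, never the name.

# Print the names of variables in this process's environment whose value
# starts with the function-definition prefix. awk's ENVIRON array is used
# because it handles multi-line values, unlike line-based parsing of `env`.
suspect_env_names() {
    awk 'BEGIN {
        for (name in ENVIRON)
            if (index(ENVIRON[name], "() {") == 1)
                print name
    }' | sort
}

# Run a command with every flagged variable removed from its environment.
# Usage: run_scrubbed command [args...]
# Assumes `env -u` is available (GNU, BSD, busybox) and that variable names
# contain no whitespace. The body runs in a subshell so the caller's
# positional parameters and variables are left alone.
run_scrubbed() (
    for name in $(suspect_env_names); do
        printf 'dropping %s\n' "$name" >&2
        set -- -u "$name" "$@"
    done
    exec env "$@"
)
```

Functions exported by a patched bash (stored as `BASH_FUNC_name%%`) also start with `() {`, so they are flagged and dropped as well.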

