[GRLUG] CVE-2014-6271

Michael Mol mikemol at gmail.com
Thu Sep 25 13:05:02 EDT 2014


Oh, and from the same link:

CUPS - It is believed that CUPS is affected by this issue. Various
user supplied values are stored in environment variables when cups
filters are executed.

On Thu, Sep 25, 2014 at 1:02 PM, Michael Mol <mikemol at gmail.com> wrote:
> It's not about control over environment variable names. It's about
> *invalid parsing* of environment variable contents as they're being
> passed.
>
> From here: https://access.redhat.com/node/1200223
>
> env x='() { :;}; echo vulnerable'  bash -c "echo this is a test"
>
> The problem is how the environment variable is parsed. The *name*
> could be anything. It obviously doesn't have to be "x". It could be
> "CLIENT_SELF_REPORTED_NAME" or "X_USER_AGENT" or whatever.
>
> At least, that's how I understand it.
>
>
> On Thu, Sep 25, 2014 at 10:44 AM, Adam Tauno Williams
> <awilliam at whitemice.org> wrote:
>> On Thu, 2014-09-25 at 10:37 -0400, Mark Farver wrote:
>>> If an attacker has remote control of environment variables think of
>>> the damage that can be done with LD_LIBRARY_PATH.  Upload a file to a
>>> harmless path on webserver and use the library path to link it into an
>>> executable running in a CGI env.  Instant remote code execution.
>>
>> This.
>>
>> I am not saying the reported exploit is not real or valid... but there
>> is nothing NEW here.  Everyone has known about this forever.
>>
>> I attended GRCC where I took a UNIX admin class.  It was a really lousy
>> simplistic course.  But they even mentioned
>> environment-variables-are-a-security-problem in that class; one of the
>> about three security issues they bothered to mention.
>>
>> This exploit seems to be about bash specifically, and specifically about
>> ways to set environment variables.  But really, I just don't want
>> set-an-environment-variable to ever happen.
>>
>>> Basically environment variables are not terribly secure and have not
>>> received a lot of security analysis.  If you let an attacker control
>>> them for a process running as another user there are probably vectors
>>> there.
>>
>> --
>> Adam Tauno Williams <mailto:awilliam at whitemice.org> GPG D95ED383
>> Systems Administrator, Python Developer, LPI / NCLA
>>
>
>
>
> --
> :wq



-- 
:wq
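
As an added example (not part of the thread or of any poster's message): a shell sketch of the point made above, that the variable's value rather than its name is what matters. It flags values beginning with `() {` in a constructed sample environment and wraps the probe command quoted from the Red Hat link; the function names are hypothetical.

```shell
#!/bin/sh
# Added example; function names are hypothetical, sample data is constructed.

# Return 0 if a value starts with the "() {" prefix that marks a function
# definition passed through the environment. The name is never consulted.
looks_like_function_def() {
    case $1 in
        '() {'*) return 0 ;;
        *)       return 1 ;;
    esac
}

# Read NAME=value lines on stdin and print the names whose value matches.
flag_env_names() {
    while IFS= read -r line; do
        name=${line%%=*}
        value=${line#*=}
        if looks_like_function_def "$value"; then
            printf '%s\n' "$name"
        fi
    done
}

# Run the probe quoted in the thread against a given bash binary and
# report whether the text after the function body was executed.
probe_bash() {
    command -v "$1" >/dev/null 2>&1 || { echo 'not found'; return 0; }
    out=$(env x='() { :;}; echo vulnerable' "$1" -c 'echo this is a test' 2>/dev/null) || out=''
    case $out in
        *vulnerable*) echo vulnerable ;;
        *)            echo 'not vulnerable' ;;
    esac
}

# Constructed sample environment using the names mentioned in the thread.
sample_env() {
    cat <<'EOF'
x=() { :;}; echo vulnerable
CLIENT_SELF_REPORTED_NAME=() { :;}; echo vulnerable
X_USER_AGENT=Mozilla/5.0
PATH=/usr/bin:/bin
EOF
}

sample_env | flag_env_names   # names flagged regardless of what they are called
probe_bash bash               # result depends on the installed bash
```

The prefix check is a heuristic for reviewing or scrubbing an environment before a shell is started; it does not replace patching bash.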

