Shellshock Summary

DESCRIPTION

Twenty-five year old security flaw CVE-2014-6271 found in all versions of bash.
Per http://lcamtuf.blogspot.com/2014/09/quick-notes-about-bash-bug-its-impact.html
"The behavior is implemented as a hack involving specially-formatted environmental variables: in essence, any variable starting with a literal "() {" will be dispatched to the parser just before executing the main program. You can see this in action here:
$ foo='() { echo "hi mom"; }' bash -c 'foo'hi mom

NOTES

  • 2014-09-25 14:55:22 Experiments indicate that putting anything in front of the (), like a name for the function or the keyword function, disable the flawed behavior
  • 2014-10-04 05:02:11 Calling bash from ash still passes all the commands in the variable(s)

RESOURCES

No comments :