[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: [FD] Critical bash vulnerability CVE-2014-6271

To: Tim <tim-security@xxxxxxxxxxxxxxxxxxx>
Subject: Re: [FD] Critical bash vulnerability CVE-2014-6271
From: Paul Vixie <paul@xxxxxxxxxxx>
Date: Thu, 25 Sep 2014 18:06:40 -0700


> Tim <mailto:tim-security@xxxxxxxxxxxxxxxxxxx>
> Thursday, September 25, 2014 5:55 PM
> ...
>
> So dhclient calls /bin/bash explicitly?  I didn't look that deeply
> into it, but my /bin/sh is dash and nothing breaks, so if it really
> does depend on bash, it would need to do that.

it's like this:

> vixie@linux1:~$ uname -srm
> Linux 3.2.0-4-amd64 x86_64
> vixie@linux1:~$ head -1 /sbin/dhclient-script
> #!/bin/bash 

i'm told that this is somewhat common, which probably means that not all
shells are good enough for this script. on debian, /bin/sh is "dash"
which may be an example of "not good enough to run this script".

on systems like red hat and mac osx where /bin/sh just is bash, it's the
same effect but dhclient-script begins #!/bin/sh instead.

here's a POC:

https://www.trustedsec.com/september-2014/shellshock-dhcp-rce-proof-concept/

-- 
Paul Vixie

_______________________________________________
Sent through the Full Disclosure mailing list
http://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: http://seclists.org/fulldisclosure/

References:
- [FD] Critical bash vulnerability CVE-2014-6271
  - From: Philip Cheong
- Re: [FD] Critical bash vulnerability CVE-2014-6271
  - From: Evan Teitelman
- Re: [FD] Critical bash vulnerability CVE-2014-6271
  - From: Tim
- Re: [FD] Critical bash vulnerability CVE-2014-6271
  - From: Paul Vixie

Prev by Date: Re: [FD] Critical bash vulnerability CVE-2014-6271
Next by Date: [FD] GS Foto Uebertraeger v3.0 iOS - File Include Vulnerability
Previous by thread: Re: [FD] Critical bash vulnerability CVE-2014-6271
Next by thread: [FD] [TOOL] Hakabana release
Index(es):
- Date
- Thread