Re: Bash Code Injection Vulnerability via Specially Crafted Environment Variables (CVE-2014-6271)
On 24/09/14 21:52, Steve Litt wrote:
Hi everyone,
Bash Code Injection Vulnerability via Specially Crafted Environment
Variables (CVE-2014-6271)
https://access.redhat.com/articles/1200223
My current Debian setup is vulnerable, as shown below:
==============================================
slitt@mydesq2:~$ env x='() { :;}; \
echo vulnerable' bash -c "echo this is a test"
vulnerable
this is a test
slitt@mydesq2:~$ uname -a
Linux mydesq2 3.2.0-4-amd64 #1 SMP Debian 3.2.60-1+deb7u3 x86_64 GNU/Linux
slitt@mydesq2:~$ cat /etc/issue
Debian GNU/Linux 7 \n \l
env x='() { :;}; \
> echo vulnerable' bash -c "echo this is a test"
bash: line 1: warning: x: ignoring function definition attempt
bash: error importing function definition for `x'
this is a test
21:58:57 shihad:$ uname -a
Linux shihad 3.2.0-4-amd64 #1 SMP Debian 3.2.60-1+deb7u3 x86_64 GNU/Linux
21:59:09 shihad:$ cat /etc/issue
Debian GNU/Linux 7 \n \l
bash --version
GNU bash, version 4.3.24(1)-release (x86_64-pc-linux-gnu)
Copyright (C) 2013 Free Software Foundation, Inc.
License GPLv3+: GNU GPL version 3 or later
<http://gnu.org/licenses/gpl.html>
This is free software; you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.
Did you try apt-get update && apt-get upgrade yet? That should fix you
right up as long as your mirror is up to date
Cheers
Iain
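
Added example, not part of either poster's message: a small POSIX shell check that runs the probe quoted in this thread against every bash binary it can find and classifies the two outputs shown above (the injected `vulnerable` line versus the function-import warning). The function names and the `/etc/shells` lookup are assumptions of this example, and the result only describes this one probe.

```shell
#!/bin/sh
# Added example: classify the CVE-2014-6271 probe output seen in this thread.

# classify_probe_output TEXT
# "vulnerable"     - the injected echo ran (a line that is exactly "vulnerable")
# "not-vulnerable" - only the intended command ran (warnings are allowed)
# "unknown"        - the probe produced neither line
classify_probe_output() {
    out=$1
    if printf '%s\n' "$out" | grep -qx 'vulnerable'; then
        echo vulnerable
    elif printf '%s\n' "$out" | grep -qx 'this is a test'; then
        echo not-vulnerable
    else
        echo unknown
    fi
}

# probe_bash PATH
# Runs the thread's probe (written on one line here) against one binary.
# stderr is captured too, because a patched bash may print the
# "ignoring function definition attempt" warning there.
probe_bash() {
    bin=$1
    [ -x "$bin" ] || { echo unknown; return 0; }
    out=$(env x='() { :;}; echo vulnerable' "$bin" -c 'echo this is a test' 2>&1) || true
    classify_probe_output "$out"
}

# check_all_bash
# Checks the bash on PATH plus every bash listed in /etc/shells, since a
# system can carry more than one copy and only one may have been upgraded.
check_all_bash() {
    {
        command -v bash 2>/dev/null
        [ -r /etc/shells ] && grep -E '/bash$' /etc/shells
    } | sort -u | while read -r b; do
        printf '%s: %s\n' "$b" "$(probe_bash "$b")"
    done
}

check_all_bash
```

Run it before and after `apt-get update && apt-get upgrade`; any binary still reported as `vulnerable` was not replaced by the upgrade.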