Message-ID: <5422EAEE.9010009@gmail.com>
Date: Wed, 24 Sep 2014 22:01:50 +0600
From: "Alexander E. Patrakov" <patrakov@...il.com>
To: oss-security@...ts.openwall.com
CC: chet.ramey@...e.edu
Subject: Re: CVE-2014-6271: remote code execution through bash

24.09.2014 21:16, Solar Designer wrote:
> $ ssh -o 'rsaauthentication yes' 0 '() { ignored; }; /usr/bin/id'
> uid=500(sandbox) gid=500(sandbox) groups=500(sandbox)
> Received disconnect from 127.0.0.1: Command terminated on signal 11.
>
> This is with command="set" in .ssh/authorized_keys for the key being
> used. (Without the "; /usr/bin/id" portion, the command prints the
> environment variables, including SSH_ORIGINAL_COMMAND being the function
> with just "ignored" in its body.) As we can see, the command runs, and
> moreover in this case bash happened to segfault after having run "id".
>
> I see no good workaround. Starting the forced command with "unset
> SSH_ORIGINAL_COMMAND &&" does not help - we'd need to unset the variable
> before starting bash, not from bash.

Won't installing dash and setting the shell of users who have forced
commands to dash mitigate this somehow?

--
Alexander E. Patrakov
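
An added example, not part of the original post: a sketch for finding the accounts this exchange is about, i.e. those whose authorized_keys carries a command="..." option, together with the login shell that sshd uses to start the forced command. It assumes keys live in ~/.ssh/authorized_keys; the function name, its ROOT argument and the sample accounts are constructed for illustration.

```sh
#!/bin/sh
# Heuristic audit: which accounts have SSH forced commands, and is the
# shell that runs them bash? Option matching is a pattern, not a parser.

# audit_forced_commands PASSWD_FILE [ROOT]
# ROOT is a hypothetical prefix so the check can run against a copied or
# constructed tree; leave it empty to audit the live system.
audit_forced_commands() {
    passwd_file=$1
    root=${2:-}
    while IFS=: read -r user pw uid gid gecos home shell; do
        keys="$root$home/.ssh/authorized_keys"
        [ -f "$keys" ] || continue
        # Key options come first on the line; comment lines are ignored.
        if grep -Eiq '^[[:space:]]*([^#[:space:]].*,)?command="' "$keys"; then
            case "${shell:-/bin/sh}" in
                */bash) verdict=bash ;;
                */sh)   verdict='sh?' ;;  # may be a link to bash; verify
                *)      verdict=other ;;
            esac
            printf '%s\t%s\t%s\n' "$user" "$verdict" "$keys"
        fi
    done < "$passwd_file"
}

# Constructed fixture: three accounts, two of them with forced commands.
demo_root=$(mktemp -d)
for u in sandbox backup alice; do
    mkdir -p "$demo_root/home/$u/.ssh"
done
echo 'command="set" ssh-rsa AAAAconstructed sandbox@example' \
    > "$demo_root/home/sandbox/.ssh/authorized_keys"
echo 'no-pty,command="/bin/true" ssh-rsa AAAAconstructed backup@example' \
    > "$demo_root/home/backup/.ssh/authorized_keys"
echo 'ssh-rsa AAAAconstructed alice@example' \
    > "$demo_root/home/alice/.ssh/authorized_keys"
cat > "$demo_root/passwd" <<'EOF'
sandbox:x:500:500::/home/sandbox:/bin/bash
backup:x:501:501::/home/backup:/bin/dash
alice:x:502:502::/home/alice:/bin/bash
EOF

# Columns: user, verdict (bash / sh? / other), key file.
audit_forced_commands "$demo_root/passwd" "$demo_root"
```

Accounts reported as `bash` are the ones where the forced command is started by bash with SSH_ORIGINAL_COMMAND already in its environment; `sh?` needs a manual check of what /bin/sh points to on that host.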