Shellshock Summary
DESCRIPTION
Twenty-five-year-old security flaw, CVE-2014-6271, found in all versions of bash.
Per http://lcamtuf.blogspot.com/2014/09/quick-notes-about-bash-bug-its-impact.html
"The behavior is implemented as a hack involving specially-formatted environmental variables: in essence, any variable starting with a literal "() {" will be dispatched to the parser just before executing the main program. You can see this in action here:
$ foo='() { echo "hi mom"; }' bash -c 'foo'
hi mom
NOTES
- 2014-09-25 14:55:22 Experiments indicate that putting anything in front of the (), like a name for the function or the keyword function, disables the flawed behavior
- 2014-10-04 05:02:11 Calling bash from ash still passes all the commands in the variable(s)
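An audit check built on the two observations above (the value must begin with the literal "() {", and anything in front of the parentheses stops it being treated as a function), added here as an example that is not part of the original post. The function names and the sample entries are constructed for illustration.

```shell
#!/bin/sh
# Added example: flag environment entries whose value begins with the
# literal four characters "() {" described in the quoted text.

# Return 0 when the value starts with exactly "() {", 1 otherwise.
is_funcdef_value() {
    case "$1" in
        "() {"*) return 0 ;;
        *)       return 1 ;;
    esac
}

# Read NAME=VALUE lines on stdin and print the NAME of each flagged entry.
# Assumption: one entry per line (values with embedded newlines are not handled).
scan_env_lines() {
    while IFS= read -r line; do
        case "$line" in
            *=*) ;;            # looks like NAME=VALUE, keep going
            *)   continue ;;   # skip anything else
        esac
        name=${line%%=*}       # text before the first '='
        value=${line#*=}       # text after the first '='
        if is_funcdef_value "$value"; then
            printf '%s\n' "$name"
        fi
    done
}

# Constructed sample input (not captured from a real system).
# Only "foo" matches; the other forms have something in front of the "()".
sample_env() {
    cat <<'EOF'
PATH=/usr/bin:/bin
foo=() { echo "hi mom"; }
named=foo () { echo "hi mom"; }
keyword=function () { echo "hi mom"; }
spaced= () { echo "hi mom"; }
EOF
}

sample_env | scan_env_lines
```

To audit a live shell, feed it the real environment instead of the sample, for example `env | scan_env_lines`.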
RESOURCES