bash is still vulnerable? CVE-2014-7186
slackware64-current
bash-4.3.027-x86_64-1 from https://shellshocker.net/
Code:
$ bash -c 'true <<EOF <<EOF <<EOF <<EOF <<EOF <<EOF <<EOF <<EOF <<EOF <<EOF <<EOF <<EOF <<EOF <<EOF' || echo "CVE-2014-7186 vulnerable, redir_stack"
I believe Pat's stance on this is that the patch that added the BASH_FUNC_ prefix is sufficient mitigation, so no further action is necessary. It doesn't matter how bad the parser is if it's not exposed to untrusted input.
I took it a step further and patched-out function importing completely, but that's a personal choice: belt-and-braces. :)
Yes, both the -current and 14.1 bash versions are vulnerable to this and maybe others. That's why I built my own with exported functions completely disabled ... and it is not vulnerable.
Code:
bash-4.2$ bash -c 'true <<EOF <<EOF <<EOF <<EOF <<EOF <<EOF <<EOF <<EOF <<EOF <<EOF <<EOF <<EOF <<EOF <<EOF' || echo "CVE-2014-7186 vulnerable, redir_stack"
bash: warning: here-document at line 0 delimited by end-of-file (wanted `EOF')
On Slackware64 14.1 I am running:
Code:
pedro@slack [~] $ ls /var/log/packages/ | grep bash
Code:
$ bash -c 'true <<EOF <<EOF <<EOF <<EOF <<EOF <<EOF <<EOF <<EOF <<EOF <<EOF <<EOF <<EOF <<EOF <<EOF' || echo "CVE-2014-7186 vulnerable, redir_stack"
It seems this was fixed in 4.3 patchlevel 28.
Quote:
So bash is exposed to the DHCP handshake and was vulnerable to a PoC that allowed an attacker to run arbitrary code from a malicious DHCP server. Basically, you could add any bash command to the Option flag of the DHCP handshake procedure and the remote DHCP client would execute it as root.
Just a note: bash-4.2 is up to patch level 53 and bash-4.3 is up to patch level 30.
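An added example (not code from any poster in this thread): a POSIX shell helper that runs the thread's here-document probe against a given bash binary, separates a real crash from an ordinary non-zero exit, and compares the version with the 4.3 patchlevel 28 fix reported above. Function names and labels are hypothetical, and treating release series after 4.3 as already fixed is an assumption not stated in the thread.

```shell
#!/bin/sh
# Added example: functions and labels are hypothetical, not from the thread.
# The probe string is the one posted in the thread (14 here-documents).
PROBE='true <<EOF <<EOF <<EOF <<EOF <<EOF <<EOF <<EOF <<EOF <<EOF <<EOF <<EOF <<EOF <<EOF <<EOF'

# The one-liner's "||" fires on any non-zero exit. Only a status above 128
# (death by signal, e.g. 139 for SIGSEGV) means the child shell crashed.
classify_status() {
    if [ "$1" -eq 0 ]; then echo "clean"
    elif [ "$1" -gt 128 ]; then echo "crashed"
    else echo "error"
    fi
}

# Accepts MAJOR.MINOR.PATCH, including package-style "4.3.027".
classify_version() {
    case $1 in
        *[!0-9.]*|*.*.*.*) echo "unknown"; return ;;
        [0-9]*.[0-9]*.[0-9]*) ;;
        *) echo "unknown"; return ;;
    esac
    major=${1%%.*}; rest=${1#*.}; minor=${rest%%.*}; patch=${rest#*.}
    patch=${patch#"${patch%%[!0]*}"}; patch=${patch:-0}  # "027" -> 27
    if [ "$major" -gt 4 ] || { [ "$major" -eq 4 ] && [ "$minor" -gt 3 ]; }; then
        echo "later-series"     # assumption: series after 4.3 carry the fix
    elif [ "$major" -eq 4 ] && [ "$minor" -eq 3 ]; then
        # 28 is the patch level reported as fixed in the thread
        if [ "$patch" -ge 28 ]; then echo "at-or-above-fix"; else echo "below-fix"; fi
    else
        echo "not-stated"       # the thread gives no fix level for older series
    fi
}

# check_bash [PATH]: version verdict plus probe verdict for one bash binary.
check_bash() {
    shell_bin=${1:-bash}
    ver=$("$shell_bin" -c 'echo "${BASH_VERSINFO[0]}.${BASH_VERSINFO[1]}.${BASH_VERSINFO[2]}"') || return 1
    rc=0
    "$shell_bin" -c "$PROBE" >/dev/null 2>&1 || rc=$?
    echo "$shell_bin $ver: version=$(classify_version "$ver") probe=$(classify_status "$rc")"
}

if command -v bash >/dev/null 2>&1; then check_bash bash || true; fi
```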