[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
Re: Testing for Shellshock ... combinatorics and latest(Shellshock) Bash
|
From: |
Chet Ramey |
|
Subject: |
Re: Testing for Shellshock ... combinatorics and latest(Shellshock) Bash Vulnerability...(attn: Chet Ramey) |
|
Date: |
Fri, 10 Oct 2014 10:17:40 -0400 |
|
User-agent: |
Mozilla/5.0 (Macintosh; Intel Mac OS X 10.9; rv:24.0) Gecko/20100101 Thunderbird/24.6.0 |
On 10/10/14, 5:40 AM, Stephane Chazelas wrote:
> 2014-10-09 21:35:09 -0400, Chet Ramey:
>> On 10/9/14, 6:06 PM, Pádraig Brady wrote:
>>> On 10/09/2014 08:46 PM, Rick Karcich (rkarcich) wrote:
>>>> Hello Chet,
>>>>
>>>> Re: testing for Shellshock... would like your feedback... specifically,
>>>> regarding the possibility of human-directed combinatorial testing to find
>>>> this Bash vulnerability...
>>>
>>> Sounds like how Michal Zalewski found the related CVE-2014-6278
>>> http://lcamtuf.blogspot.ie/2014/10/bash-bug-how-we-finally-cracked.html
>>
>> That's a promising approach. I asked Michal to continue running the fuzzer
>> against the patched, but he did not respond to that yet.
> [...]
>
> What's the point? That would be wasted effort IMO.
It depends on your goals.
> Who cares if bash does something unexpected on incorrect input as
> long as it's not exploitable?
I do, if it can cause a crash.
> The problem here was bash interpreting untrusted input. That has
> been fixed by stopping the parser from being exposed to
> untrusted input. Now bugs in the parser are only relevant if
> they affect functionality, that is, bash behaving the wrong way
> on valid input (code) and fuzzers are not likely to help much
> there. From that point of view, all the CVEs related to
> shellshock are non-bugs or very insignificant ones once the
> parser is no longer exposed.
I agree that the important thing is that the parser isn't exposed in
the way it was, and that the reports post-patch 27 are simple shell
bugs. However, I'm interested in shell bugs.
>
> From a security point of view, there are things in bash and
> other shells that are far more inportant to look at than what it
> does on incorrect code: when it deals with other forms of
> untrusted input.
>
> One thing for instance and that also affects some other shells
> are like:
>
> bash -c '(( XDG_VTNR < 7 ))
>
> That allows arbitrary code execution (and can't easily be
> fixed without breaking backward compatibility).
>
> Try with "export XDG_VTNR='a[$(echo>&2 vulnerable)]'".
Sure, and that's documented, intended, and not unique.
Chet
--
``The lyf so short, the craft so long to lerne.'' - Chaucer
``Ars longa, vita brevis'' - Hippocrates
Chet Ramey, ITS, CWRU chet@case.edu http://cnswww.cns.cwru.edu/~chet/
- re: Testing for Shellshock ... combinatorics and latest(Shellshock) Bash Vulnerability...(attn: Chet Ramey), Rick Karcich (rkarcich), 2014/10/09
- Re: Testing for Shellshock ... combinatorics and latest(Shellshock) Bash Vulnerability...(attn: Chet Ramey), Eduardo A . Bustamante López, 2014/10/09
- Re: Testing for Shellshock ... combinatorics and latest(Shellshock) Bash Vulnerability...(attn: Chet Ramey), Pádraig Brady, 2014/10/09
- Re: Testing for Shellshock ... combinatorics and latest(Shellshock) Bash Vulnerability...(attn: Chet Ramey), Chet Ramey, 2014/10/09
- Re: Testing for Shellshock ... combinatorics and latest(Shellshock) Bash Vulnerability...(attn: Chet Ramey), Chet Ramey, 2014/10/13
- expansions upon arithmetic evaluation in array subscripts, Stephane Chazelas, 2014/10/13
- Re: expansions upon arithmetic evaluation in array subscripts, Chet Ramey, 2014/10/14
- Re: expansions upon arithmetic evaluation in array subscripts, Linda Walsh, 2014/10/14
- Re: expansions upon arithmetic evaluation in array subscripts, Chet Ramey, 2014/10/14
Re: Testing for Shellshock ... combinatorics and latest(Shellshock) Bash Vulnerability...(attn: Chet Ramey), Chet Ramey, 2014/10/09