bug-bash

Re: Potential Denial of Service Vulnerability in embedded commands - Bas


From: Greg Wooledge
Subject: Re: Potential Denial of Service Vulnerability in embedded commands - Bash version 4.4.12(1) - Release
Date: Tue, 7 Nov 2017 09:10:01 -0500
User-agent: NeoMutt/20170113 (1.7.2)

On Tue, Nov 07, 2017 at 11:58:40AM +0000, Alex Nichols wrote:
> In order to trigger the bug I executed the command `cat sploit.buf`

> This bug may present a potential security risk as a malicious user may be
> able to crash a user's bash session by tricking them into executing a
> malicious bash script.

Then it's a social engineering attack, not a security vulnerability in
bash.  There are plenty of commands that would be extremely damaging if
someone with malicious intent tricks you into running them.  Not just the
classic fork bomb that looks like a totem pole, either.  Even something
as basic as rm is potentially devastating, and can be obfuscated (for
instance, as $'\162\155').
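
For anyone reviewing a script before running it, the ANSI-C quoting mentioned above can be decoded without a shell. This is an added example, not part of the original message; the names `decode_ansi_c`, `find_obfuscated` and the `SAMPLE` script are constructed for illustration, and `\U` and `\cX` escapes are left undecoded.

```python
import re

# A bash ANSI-C quoted string: $'...' with backslash escapes allowed inside.
ANSI_C = re.compile(r"\$'((?:[^'\\]|\\.)*)'", re.S)
# One escape inside $'...': octal, hex, \uHHHH, or a single-character escape.
ESCAPE = re.compile(
    r"\\(?:([0-7]{1,3})|x([0-9A-Fa-f]{1,2})|u([0-9A-Fa-f]{1,4})|(.))", re.S)
SIMPLE = {"a": "\a", "b": "\b", "e": "\x1b", "E": "\x1b", "f": "\f",
          "n": "\n", "r": "\r", "t": "\t", "v": "\v",
          "\\": "\\", "'": "'", '"': '"', "?": "?"}

def decode_ansi_c(body):
    """Decode the inside of a $'...' string without handing it to a shell."""
    def repl(m):
        octal, hx, u4, ch = m.groups()
        if octal is not None:
            return chr(int(octal, 8) & 0xFF)   # bash keeps the low 8 bits
        if hx is not None:
            return chr(int(hx, 16))
        if u4 is not None:
            return chr(int(u4, 16))
        return SIMPLE.get(ch, "\\" + ch)       # unknown escape: keep backslash
    return ESCAPE.sub(repl, body)

def find_obfuscated(script):
    """Return (line, raw_token, decoded) for $'...' strings that spell
    printable text through numeric escapes."""
    hits = []
    for m in ANSI_C.finditer(script):
        body = m.group(1)
        numeric = any(e.group(1) or e.group(2) or e.group(3)
                      for e in ESCAPE.finditer(body))
        decoded = decode_ansi_c(body)
        # Printable-only filter skips ordinary colour/control sequences.
        if numeric and decoded.isprintable():
            line = script.count("\n", 0, m.start()) + 1
            hits.append((line, m.group(0), decoded))
    return hits

# Constructed sample script, not taken from the thread.
SAMPLE = r"""#!/bin/bash
echo $'tab\there'
$'\162\155' ./scratch.txt
$'\x63\x61\x74' notes.txt
"""

if __name__ == "__main__":
    for line, raw, decoded in find_obfuscated(SAMPLE):
        print(f"line {line}: {raw} decodes to {decoded!r}")
```

The match is purely lexical, so a `$'...'` sequence inside a comment or a double-quoted string is reported too; treat hits as lines to read, not as verdicts.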


