
On Fri, 26 Sep 2014, Andrew McN <andrew@mcnaughty.com> wrote:
> Secondly, don't assume that Debian's default symlink of /bin/sh to /bin/dash means you are not vulnerable to holes in bash. There's a lot of scripts and system calls around which explicitly invoke `bash` rather than `sh`. Also if a user uses /bin/bash as their shell, then this bug gives a way to circumvent command restrictions on a given ssh key, as configured in ~/.ssh/authorised_keys.

#!/bin/bash
echo ok

I created a script named zz with the above contents. I ran the following test using bash 4.2+dfsg-0.1 from Debian/Wheezy (the unfixed version) and got an unexpected SEGV.

# ORIG="() { :;} ; touch /tmp/ohno" ./zz
/bin/bash: touch: No such file or directory
Segmentation fault

I also got a SEGV from remote when the shell for root was /bin/sh (dash). I verified that either bash as the root shell or as the shell for a script was sufficient for an exploit.

-- 
My Main Blog http://etbe.coker.com.au/
My Documents Blog http://doc.coker.com.au/
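
An added audit sketch, not part of the original messages, for the three exposure points raised in this thread: accounts whose login shell is bash, scripts that invoke bash explicitly even when /bin/sh is dash, and key entries that rely on a forced command. The function names and all sample file contents are constructed for illustration.

```shell
#!/bin/sh
# Added example: the function names are hypothetical, the data is constructed.

# Accounts in a passwd-format file whose login shell is bash.
bash_login_users() {
    awk -F: '$7 ~ /(^|\/)bash$/ { print $1 }' "$1"
}

# Files under a directory whose shebang line names bash, either directly
# or through env. These run bash no matter what /bin/sh points to.
bash_shebang_scripts() {
    find "$1" -type f | sort | while IFS= read -r f; do
        first=$(head -n 1 "$f" 2>/dev/null | tr -d '\0')
        case $first in
            '#!'*/bash | '#!'*/bash\ * | '#!'*env\ bash*) printf '%s\n' "$f" ;;
        esac
    done
}

# Count of non-comment key entries that carry a forced command.
forced_command_keys() {
    grep -v '^[[:space:]]*#' "$1" | grep -c 'command="' || true
}

# Build constructed sample files in a temp dir and print its path.
make_sample() {
    d=$(mktemp -d)
    printf '%s\n' 'root:x:0:0:root:/root:/bin/sh' \
        'alice:x:1000:1000::/home/alice:/bin/bash' \
        'git:x:1001:1001::/home/git:/usr/bin/git-shell' > "$d/passwd"
    mkdir "$d/scripts"
    printf '#!/bin/bash\necho ok\n' > "$d/scripts/zz"
    printf '#!/bin/sh\necho ok\n' > "$d/scripts/yy"
    printf '#!/usr/bin/env bash\necho ok\n' > "$d/scripts/xx"
    printf '%s\n' '# constructed key file' \
        'command="/usr/local/bin/backup",no-pty ssh-ed25519 AAAAexample backup@host' \
        'ssh-ed25519 AAAAexample alice@host' > "$d/authorized_keys"
    echo "$d"
}

sample=$(make_sample)
echo "bash login shells:";   bash_login_users "$sample/passwd"
echo "bash shebang scripts:"; bash_shebang_scripts "$sample/scripts"
echo "forced-command keys: $(forced_command_keys "$sample/authorized_keys")"
rm -rf "$sample"
```

In the sample, root's shell is /bin/sh and is not listed, yet the scripts zz and xx still run under bash, which is the case the reply above tested.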