Warning: unless noted otherwise, code in my posts should be understood as "coding suggestions", and its use may require more neurones than the two necessary for Ctrl-C/Ctrl-V.
sudo apt-get update && sudo apt-get upgrade..... aaaaaaand it's gone
fix was available yesterday
if your question is answered, mark the thread as [SOLVED]. Thx.
To post code or command output, use [code] tags.
Check your bash script here // BashFAQ // BashPitfalls
Of course... mostly pointed out here for the insight on some Bash tricks.
... or maybe not ... o.O
Who on earth thought it's a good idea to allow passing executable code around via env vars in the first place? Not only can the parser be tricked by malformed code, but it's also possible to mask legitimate commands with an arbitrary function.
Not really... Initially the code is meant to pass function definitions. To run the code the called shell still has to explicitly call these functions (see it as a low grade "functor" technique). The vulnerability is that to define these functions, the called shell executes the code in the environment variable blindly, mistakenly assuming it only contains function definitions (and so that it won't execute actual code), while the vulnerability is that any code after the end of the function definition is going to be run as well (and this can be actual code). The fix is to drop any code after the end of the function definition.
As to making a command execute arbitrary code, it's only a matter of setting the path to point to other versions of common utilities...
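Added example, not part of any post in this thread: a defender-side check for the condition described in the post above, flagging environment values that start like a function definition but carry text after the end of the function body. The function names, the brace-counting heuristic (it is not Bash's real parser) and the sample environment are all assumptions made for illustration.

```python
FUNC_PREFIX = "() {"  # how an exported function definition starts in the environment

def trailing_after_function(value):
    """Return the text after the function body, "" if there is none,
    or None if the value is not a function definition at all."""
    if not value.startswith(FUNC_PREFIX):
        return None
    depth, quote = 0, None          # brace depth; active quote character
    i = value.index("{")
    while i < len(value):
        ch = value[i]
        if quote:
            if ch == "\\" and quote == '"':
                i += 1              # skip escaped char inside double quotes
            elif ch == quote:
                quote = None
        elif ch == "\\":
            i += 1                  # skip escaped char outside quotes
        elif ch in "'\"":
            quote = ch
        elif ch == "{":
            depth += 1
        elif ch == "}":
            depth -= 1
            if depth == 0:          # end of the function definition
                return value[i + 1:].strip(" \t\n;")
        i += 1
    return value                    # body never closed: whole value is suspect

def audit_environment(env):
    """Map variable name -> trailing text for every suspicious variable."""
    findings = {}
    for name, value in env.items():
        tail = trailing_after_function(value)
        if tail:
            findings[name] = tail
    return findings

# Constructed sample environment (hypothetical values, not from the thread).
SAMPLE_ENV = {
    "HOME": "/home/user",
    "greet": "() { echo 'hello }'; }",
    "injected": "() { :; }; echo trailing-code-marker",
    "unterminated": "() { echo never closed",
}

if __name__ == "__main__":
    for name, tail in audit_environment(SAMPLE_ENV).items():
        print(f"{name}: text after function body: {tail!r}")
```

Passing `os.environ` to `audit_environment` runs the same check against the live environment of the current process.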
I know it's about function definitions but my beef is with the idea that sometimes you send just a bunch of text and sometimes, because there is that (), it's not just a bunch of text and the code is essentially run because that's what bash does to load the function def. How is that that much different from evaling an unsanitized input which everybody knows is dumb?
Conjuring functions this way sounds to me like a bad idea from the start, even if the vulnerability itself is no more. It's an old, dumb shell, no separation of anything, a single namespace and I don't think security was a priority when the dark corners of its internals were laid down 20-something years ago. I don't want it to create executable code automagically. If I want functions I write them/source them. If I can't figure out how to create a tidy solution around the passive data that would suit my needs, I know bash is just not the right tool for that job. Hell, no other shell has this feature as automagic.
Last edited by Vaphell; September 26th, 2014 at 12:50 PM.