Bash Vulnerability

Andy Bradford amb-plugg at bradfords.org
Wed Oct 1 10:18:46 MDT 2014


Thus said Dan Egli on Wed, 01 Oct 2014 02:28:45 -0700:

> Interesting that they're encoding the attack in the useragent string.

That's just one vector. Basically, any process that takes untrusted
user-provided data and stuffs it in an environment variable that then
gets exported/passed on to another process can be used as a vector to
exploit bash.

This could include, for example, tcpserver -h which will look up the PTR
for the IP address of the remote host connecting to it and stuff it into
a variable called TCPREMOTEHOST which is then passed on to whatever it
executes next in the chain.

So, this could creep up in ways that you may not consider possible.

Andy
--
TAI64 timestamp: 40000000542c2988
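
An added example, not part of the original message: a POSIX sh filter that a service chain could run before handing the environment to the next program, dropping variables such as TCPREMOTEHOST when their value is not a plain hostname. The function names, the strict hostname allowlist and the sample values are assumptions made for this illustration.

```shell
#!/bin/sh
# Added illustration (hypothetical helper names): validate remotely
# influenced environment variables before the next program inherits them.

# Succeeds only if VALUE is a plain DNS-style name: letters, digits,
# dots and hyphens, at most 253 characters, not starting with '-' or '.'.
is_valid_hostname() {
    v=$1
    [ -n "$v" ] || return 1
    [ "${#v}" -le 253 ] || return 1
    case $v in
        *[!A-Za-z0-9.-]*) return 1 ;;
        -*|.*) return 1 ;;
    esac
    return 0
}

# Succeeds if VALUE starts with "() {", the prefix bash uses to mark an
# exported function definition in the environment.
looks_like_function_export() {
    case $1 in
        "() {"*) return 0 ;;
    esac
    return 1
}

# Unsets each named variable whose value fails the checks above and
# records the dropped names in DROPPED. Values are read with printenv
# so that nothing is passed through eval.
scrub_vars() {
    DROPPED=""
    for name in "$@"; do
        value=$(printenv "$name") || continue   # not set: nothing to check
        if looks_like_function_export "$value" || ! is_valid_hostname "$value"; then
            unset "$name"
            DROPPED="$DROPPED $name"
        fi
    done
    return 0
}

# Demo with a constructed value (not taken from the original post).
TCPREMOTEHOST='() { constructed-sample'
export TCPREMOTEHOST
scrub_vars TCPREMOTEHOST
echo "dropped:$DROPPED"
# In a real chain the filter would end with: scrub_vars TCPREMOTEHOST; exec "$@"
```

A filter like this only helps if the shell running it is not itself a vulnerable bash, since bash parses the environment at startup before any script line runs; patching bash remains the fix.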

