[Dnsmasq-discuss] Shellshock.

Nicholas Weaver nweaver at gmail.com
Tue Sep 30 13:33:17 BST 2014


On Sep 30, 2014, at 1:05 AM, Roy Marples <roy at marples.name> wrote:
>> Of course, the shell isn't supposed to interpret metacharacters in the
>> value of shell variables unless explicitly told to: so sanitising
>> shouldn't be required (though I concede it would mitigate a lot of
>> common shell-script errors.)
> 
> Shells shouldn't allow function definitions in variables, but here we are :)

Fortunately the new patch just said "f-this, we can't secure this 'feature', so its removed...", because even if the parser works completely you could still redefine some functions in some contexts with bad results.  This is why the final command line test is now:

env foo='() { echo "not patched" ; }' /bin/bash -c foo


Although, to be honest, although the DHCP vector is trivial to exploit [1], if the attacker can give you a bogus DHCP reply you've lost already.

At this point, the attacker already has a full man-in-the-middle of all network traffic, and can easily launch invisible attacks on clients (e.g. cause a hidden iframe to appear to their metasploit server instance, insert cached scripts into the browser context, etc...).


[1] the DHCP server on my test network has: option domain-name "() { ignored;}; /bin/touch pwnage ; (/bin/sleep 10; /bin/ping -c 10 10.128.0.2) & "; in its config

-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 842 bytes
Desc: Message signed with OpenPGP using GPGMail
URL: <http://lists.thekelleys.org.uk/pipermail/dnsmasq-discuss/attachments/20140930/5918e7cd/attachment.sig>


More information about the Dnsmasq-discuss mailing list