Fix test for CVE-2014-6277 to be a function import test from environment... #23
Conversation
…ent. Bash 4.3.28 currently does crash with the example scripts for both CVE-2014-6277 and CVE-2014-6278 with no patch[1], but it will not run any code from them without specially setting up the environment to use the prefixing. Both CVE are documented as specifically environment issues; if you can pass bad code directly to bash -c then the attacker has already won. The check must involve the environment or it will needlessly scare users who have deployed appropriate mitigations. For example, on FreeBSD (and NetBSD) we have disabled all function importing from the environment. So this test passes fine on our bash versions. The syntax used here is to check the return value to see if it crashed, while hiding the core dump messages. There's no code execution proven for CVE-2014-6277 yet so there is no output that can be checked against. Switch the test to more closely match the examples from the disclosure [2]. [1] http://www.openwall.com/lists/oss-security/2014/10/01/25 [2] http://lcamtuf.blogspot.de/2014/10/bash-bug-how-we-finally-cracked.html
|
You might want to consider making the BASH_FUNC/prefix tests pink and not red as they are not as critical as the initial shellshock ones. Here's another opinion on it: http://www.openwall.com/lists/oss-security/2014/10/02/4 |
These are seen to not be worth testing and scaring people over[1][2]. Plus there is currently no patch to fix them. [1] http://www.openwall.com/lists/oss-security/2014/10/02/4 [2] http://www.openwall.com/lists/oss-security/2014/10/02/5
|
I see that this is an issue, however I'll try a different approach. I still want it to be able to check for all bugs separately. |
|
I now have re-designed the whole script in a way to make things more clear. |
|
Yes this approach works for me. Thanks. |
....
Bash 4.3.28 currently does crash with the example scripts for
both CVE-2014-6277 and CVE-2014-6278 with no patch[1], but it
will not run any code from them without specially setting up
the environment to use the prefixing. Both CVE are documented
as specifically environment issues; if you can pass bad code
directly to bash -c then the attacker has already won.
The check must involve the environment or it will needlessly scare
users who have deployed appropriate mitigations. For example,
on FreeBSD (and NetBSD) we have disabled all function importing from
the environment. So this test passes fine on our bash versions.
The syntax used here is to check the return value to see if it
crashed, while hiding the core dump messages. There's no
code execution proven for CVE-2014-6277 yet so there is no
output that can be checked against.
Switch the test to more closely match the examples from the
disclosure [2].
[1] http://www.openwall.com/lists/oss-security/2014/10/01/25
[2] http://lcamtuf.blogspot.de/2014/10/bash-bug-how-we-finally-cracked.html