[GLLUG] Bash Bug
Tim Woodall
t at woodall.me.uk
Thu Sep 25 17:27:20 UTC 2014
It's critical that there's a space between () and {
I thought I wasn't vulnerable... :-(
Tim.
On 25/09/2014, Iain M Conochie <iain at shihad.org> wrote:
> <snip>
>> I don't get that result on our Debian 7 instances pre-patch (perhaps
>> due to our config?)
>>
>> # env X="() { :;} ; echo busted" /bin/sh -c "echo completed"
>> completed
>>
>> It's better after the patch though.
>>
>> All the CentOS failed.
>
> >:~$ env x='() { :;}; echo vulnerable' bash -c "echo this is a test"
> vulnerable
> this is a test
> >:~$ env X='() { :;} ; echo busted' /bin/sh -c "echo completed"
> completed
> >:~$ env x='() { :;}; echo busted' bash -c "echo completed"
> busted
> completed
> >:~$ ls -l /bin/sh
> lrwxrwxrwx 1 root root 4 Jan 10 2014 /bin/sh -> dash
>
>
> You have /bin/sh linked to something other than bash perhaps? That I
> think is the default for wheezy.
>
> Cheers
>
> Iain
>
>
> _______________________________________________
> GLLUG mailing list
> GLLUG at mailman.lug.org.uk
> https://mailman.lug.org.uk/mailman/listinfo/gllug
>
More information about the GLLUG
mailing list