[lug] Bash env security bug

Bear Giles bgiles at coyotesong.com
Thu Sep 25 10:46:58 MDT 2014

I came across this on the NSLU2 blog. I've verified it on my recent Ubuntu
system. I'm currently updating and will follow up if the update fixes this.

It's worth noting that careful developers will set up the environment
variables as part of the exec() call. They should be safe as long as they
don't blindly copy values from the program's environment. But a lot of
developers aren't careful, or have to pass the environment to the subshell
for various reasons.


> If you are using bash in any way on your NSLU2 or really any device
running linux, you are           > vulnerable to attacks using a recently
discovered security bug.
> $ export x='() { :;}; echo vulnerable'

> $ bash -c "echo this is a test"
> vulnerable
> this is a test
> $


> In a nutshell is if the user can set ANY string that it is assigned to an
environmental variable the system is vulnerable. It is not uncommon for
processes to set values passed in by the user as environmental variables
before spawning an shell instance such as a shell script using bash.  On my
own router I found I was vulnerable by several cron scripts I had written
that pass values from DNS lookups that could be potentially hacked to add
such a magic string by anyone with access to the DNS server. Here are some
articles that describe the issue further:


> http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-6271
> https://access.redhat.com/articles/1200223
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.lug.boulder.co.us/pipermail/lug/attachments/20140925/3fa2c6dd/attachment.html>

More information about the LUG mailing list