doc_strange wrote, 2014-09-25 05:39 pm

shellshock

Perhaps you've not heard? Bash, when handed certain rotten values in its environment, parses them badly and can let anyone able to set that environment execute arbitrary commands.

https://securityblog.redhat.com/2014/09/24/bash-specially-crafted-environment-variables-code-injection-attack/
http://www.cnet.com/news/bigger-than-heartbleed-bash-bug-could-leave-it-systems-shellshocked/

Ok. Um, WHO CALLS A SHELL WITH RANDOM ENV CRAP FROM UNTRUSTED PARTIES!?!! This is like a 1997 bug!

Just checked. The recommended practice of blowing away the environment before calling a shell goes back to Garfinkel & Spafford's seminal 1991 Practical Unix Security (or at least to the 1996 2nd ed., Practical Unix & Internet Security). It's in there TWICE, it is so basic.
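As an added illustration (not part of this post, and not code from either linked advisory): the Garfinkel & Spafford practice in C, building a fresh, minimal environment from an allowlist before execve'ing a shell, and additionally refusing any value shaped like an exported bash function ("() {"), the injection shape the Red Hat advisory describes. The allowlist, the helper names and the MAX_ENV limit are this example's own choices.

```c
/* Build a minimal, explicit environment before exec'ing a shell.
   Added example; the allowlist and the "() {" check are constructed
   for illustration, not taken from any advisory or project. */
#define _GNU_SOURCE
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>

extern char **environ;

/* Names a child process is permitted to inherit (constructed allowlist). */
static const char *const ALLOWED[] = { "PATH", "HOME", "LANG", "TZ", NULL };

#define MAX_ENV 64

/* Returns 1 when the value has the shape bash imported as a function
   definition ("() {" after optional whitespace); this is the defensive
   check web servers and CGI wrappers applied in front of bash. */
int looks_like_function_export(const char *value)
{
    while (*value == ' ' || *value == '\t')
        value++;
    return strncmp(value, "() {", 4) == 0;
}

/* Returns 1 when the n-byte name is on the allowlist. */
static int name_allowed(const char *name, size_t n)
{
    for (int i = 0; ALLOWED[i]; i++)
        if (strlen(ALLOWED[i]) == n && memcmp(ALLOWED[i], name, n) == 0)
            return 1;
    return 0;
}

/* Copy into `out` (NULL-terminated, entries strdup'ed) only those
   NAME=value entries of `in` whose name is allowlisted and whose value
   does not look like a function export. Returns the number of entries
   kept, or -1 (with `out` emptied) if more than max-1 entries would be
   needed, leaving room for the terminating NULL. */
int build_clean_env(char *const *in, char **out, int max)
{
    int count = 0;
    for (int i = 0; in[i]; i++) {
        const char *eq = strchr(in[i], '=');
        if (!eq)
            continue;                           /* malformed entry: drop */
        if (!name_allowed(in[i], (size_t)(eq - in[i])))
            continue;                           /* not on the allowlist */
        if (looks_like_function_export(eq + 1))
            continue;                           /* allowlisted name, hostile value */
        if (count + 1 >= max) {
            for (int j = 0; j < count; j++)
                free(out[j]);
            out[0] = NULL;
            return -1;
        }
        out[count++] = strdup(in[i]);
    }
    out[count] = NULL;
    return count;
}

/* Look up NAME in a NULL-terminated env array; returns its value or NULL. */
const char *env_lookup(char *const *env, const char *name)
{
    size_t n = strlen(name);
    for (int i = 0; env[i]; i++)
        if (strncmp(env[i], name, n) == 0 && env[i][n] == '=')
            return env[i] + n + 1;
    return NULL;
}

int main(void)
{
    char *clean[MAX_ENV];
    int n = build_clean_env(environ, clean, MAX_ENV);
    if (n < 0) {
        fputs("environment too large\n", stderr);
        return 1;
    }
    /* Show what the child will inherit, then run it with that env only. */
    for (int i = 0; i < n; i++)
        puts(clean[i]);
    char *const argv[] = { "/bin/sh", "-c", "env", NULL };
    execve("/bin/sh", argv, clean);
    perror("execve");
    return 1;
}
```

The point of the allowlist is that nothing reaches the child unless the caller chose to pass it; the "() {" check is a second line of defence for the allowlisted names themselves, since a fixed PATH or HOME still carries whatever value the caller's own environment held.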
