in reply to The importance of avoiding the shell

csh had a similar bug in the 80's when:

env TERM='`rm -rf *`' csh

did what you think it does.


Enjoy, Have FUN! H.Merijn

Re^2: The importance of avoiding the shell
by ikegami (Patriarch) on Sep 29, 2014 at 06:44 UTC

    I think ssh can specify the value for TERM, making ssh an attack vector if you can get it to execute sh/bash (directly or indirectly).

    But the new vulnerability is worse because it can be *any* env var, and CGI will gladly populate env vars with values of the attacker's choice for him. Any CGI script that executes bash is a dead easy attack vector. Attackers have been scanning for a CPanel script that shells out.

      I think ssh can specify the value for TERM, making ssh an attack vector if you can get it to execute sh/bash.

      Right; simple test:

      qwurx [shmem] ~ > env TERM='() { :;}; echo vulnerable' ssh localhost
      ...
      Last login: Tue Sep 30 10:14:54 2014 from localhost
      vulnerable
      qwurx [shmem] ~ >
      perl -le'print map{pack c,($-++?1:13)+ord}split//,ESEL'
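The two vectors discussed in this thread (CGI turning request headers into environment variables, and ssh passing TERM through) both deliver a value shaped like a bash exported-function definition. The following is an added example, not code from the thread or any of its posters, in Python rather than Perl: it flags such values in a CGI environment and builds an allow-listed environment for a child process started without a shell. The allow-list names, `ALLOWED_ENV` and the sample environment are assumptions constructed for the example.

```python
import re
import subprocess
from typing import Dict, List

# A Shellshock payload starts with bash's exported-function syntax "() {".
# Whatever follows the closing brace is what a vulnerable bash executed while
# importing the variable, so the prefix alone is what to flag.
FUNC_DEF_RE = re.compile(r"^\s*\(\)\s*\{")

# Variables a CGI-launched child actually needs (assumed allow-list).
# Everything a client can influence (HTTP_*, QUERY_STRING, TERM, ...) is left out.
ALLOWED_ENV = ("PATH", "LANG", "TZ", "HOME")


def is_function_definition(value: str) -> bool:
    """True if a header/env value is shaped like an exported bash function."""
    return bool(FUNC_DEF_RE.match(value))


def scan_cgi_environ(environ: Dict[str, str]) -> List[str]:
    """Names of variables carrying a function-definition payload (for logging/alerting)."""
    return sorted(name for name, value in environ.items() if is_function_definition(value))


def scrubbed_environ(environ: Dict[str, str]) -> Dict[str, str]:
    """Allow-listed copy of the environment, with a fixed PATH if none was present."""
    clean = {k: v for k, v in environ.items() if k in ALLOWED_ENV}
    clean.setdefault("PATH", "/usr/bin:/bin")
    return clean


def run_without_shell(argv: List[str], environ: Dict[str, str]) -> subprocess.CompletedProcess:
    """Run argv directly (no shell string, no inherited request-derived variables)."""
    return subprocess.run(argv, env=scrubbed_environ(environ),
                          capture_output=True, text=True, check=False)


# Constructed sample: how a web server would populate a CGI script's environment
# from a request whose User-Agent header carries the payload quoted in the thread.
SAMPLE_CGI_ENVIRON = {
    "REQUEST_METHOD": "GET",
    "HTTP_HOST": "www.example.invalid",
    "HTTP_USER_AGENT": "() { :;}; echo vulnerable",
    "TERM": "xterm",
    "PATH": "/usr/local/bin:/usr/bin:/bin",
}

if __name__ == "__main__":
    print("flagged variables:", scan_cgi_environ(SAMPLE_CGI_ENVIRON))
    print("child environment:", scrubbed_environ(SAMPLE_CGI_ENVIRON))
```

Scanning only catches this one payload shape; the durable fix is the scrubbed environment plus an argv list, so no request-derived value ever reaches a shell.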