in reply to Re: The importance of avoiding the shell
in thread The importance of avoiding the shell

I think ssh can specify the value for TERM, making ssh an attack vector if you can get it to execute sh/bash (directly or indirectly).

But the new vulnerability is worse because it can be *any* env var, and CGI will gladly populate env vars with values of the attacker's choice for him. Any CGI script that executes bash is a dead easy attack vector. Attackers have been scanning for a CPanel script that shells out.

Replies are listed 'Best First'.
Re^3: The importance of avoiding the shell
by shmem (Chancellor) on Sep 30, 2014 at 08:18 UTC
    I think ssh can specify the value for TERM, making ssh an attack vector if you can get it to execute sh/bash.

    Right; simple test: 

    qwurx [shmem] ~ > env TERM='() { :;}; echo vulnerable' ssh localhost
...
Last login: Tue Sep 30 10:14:54 2014 from localhost
vulnerable
qwurx [shmem] ~ >

    [download]
    perl -le'print map{pack c,($-++?1:13)+ord}split//,ESEL'
[reply]
[d/l]

In Section Meditations