[dns-operations] ShellShock exploit through the DNS

P Vixie paul at redbarn.org
Tue Oct 14 11:46:31 UTC 2014



On October 14, 2014 1:01:02 AM PDT, Simon Munton <Simon.Munton at cdns.net> wrote:
>(Sorry, this is not strictly DNS, but I would guess that this is the 
>cause of this shell-shock vector).
>
>When looking at the code for libc I was most disappointed to see that 
>"/bin/sh" is hard coded for both "popen()" and "system()"

That is what POSIX requires.

>
>Whereas I had previously assumed that the environment variable SHELL 
>could override this.

That would make most programs using system() or popen() fail for those of us using tcsh.

>
>As "/bin/sh" is almost always a symlink to "/bin/bash", and many O/S 
>scripts assume this to be the case (i.e. use bash specific features, 
>without declaring "#!/bin/bash"), so simply making "/bin/sh" a link to 
>(say) "/bin/ash" is probably not an option.

Apple and redhat err'd in using bash to implement the /bin/sh interface. They should switch to ash like BSD or to the dash derivative of ash like Debian.

>
>
>So heads-up to any systems that use "popen()" or "system()" 

That's all systems. Though only apple and redhat strictly needed patching.

>
>IMHO, these two vectors mean shellshock will provide all sorts of 
>unexpected opportunities, 

I'm waiting to hear a live system that's vulnerable to the DNS method before I'll agree to call it a "vector". Right now it's a rigged demo.

> until everybody is upgraded.

That's never.

Vixie
-- 
Sent from my Android phone with K-9 Mail. Please excuse my brevity.
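The two points made above, that popen()/system() always start /bin/sh regardless of $SHELL, and that whatever the calling process has in its environment is handed to that shell, can be checked directly. The following C program is an added example written for this page, not code from either poster. It assumes a POSIX system with /bin/sh; the variable UNTRUSTED_INPUT is a constructed stand-in for data a daemon copied from a request (or a DNS answer) into its environment. It also shows the defensive alternative: starting the shell with execve() and an allow-listed environment, so inherited variables never reach it.

```c
#define _POSIX_C_SOURCE 200809L
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/wait.h>
#include <unistd.h>

/* Run cmd through popen(), i.e. through "/bin/sh -c", and capture its
 * first output line into out. Returns 0 on success, -1 on failure. */
static int run_via_popen(const char *cmd, char *out, size_t len) {
    FILE *p = popen(cmd, "r");
    if (!p) return -1;
    if (!fgets(out, (int)len, p)) { pclose(p); return -1; }
    pclose(p);
    out[strcspn(out, "\n")] = '\0';
    return 0;
}

/* Same command, but started with fork()+execve() of /bin/sh and an
 * explicit allow-listed environment, so nothing the parent inherited
 * (including any attacker-influenced variable) reaches the shell. */
static int run_with_clean_env(const char *cmd, char *out, size_t len) {
    int fd[2];
    if (pipe(fd) == -1) return -1;
    pid_t pid = fork();
    if (pid == -1) return -1;
    if (pid == 0) {
        char *const argv[] = { "sh", "-c", (char *)cmd, NULL };
        char *const envp[] = { "PATH=/usr/bin:/bin", NULL };  /* allow-list */
        close(fd[0]);
        dup2(fd[1], STDOUT_FILENO);
        close(fd[1]);
        execve("/bin/sh", argv, envp);
        _exit(127);
    }
    close(fd[1]);
    FILE *p = fdopen(fd[0], "r");
    if (!p) { close(fd[0]); waitpid(pid, NULL, 0); return -1; }
    int ok = fgets(out, (int)len, p) != NULL;
    fclose(p);
    waitpid(pid, NULL, 0);
    if (!ok) return -1;
    out[strcspn(out, "\n")] = '\0';
    return 0;
}

/* Does the shell behind /bin/sh identify itself as bash? popen() ignores
 * $SHELL (set here to a bogus path) and always uses /bin/sh, as POSIX
 * requires. Returns 1 for bash, 0 for another sh (dash, ash, ...), -1 on error. */
int bin_sh_is_bash(void) {
    char out[64];
    setenv("SHELL", "/nonexistent/tcsh", 1);
    if (run_via_popen("echo \"${BASH_VERSION:-notbash}\"", out, sizeof out) != 0)
        return -1;
    return strcmp(out, "notbash") != 0;
}

/* Shows the environment-forwarding difference. UNTRUSTED_INPUT is a
 * constructed variable standing in for data a server copied from a request
 * into its environment. Returns 1 if the variable was visible to the shell,
 * 0 if it was not, -1 on error. */
int env_var_visible(int use_clean_env) {
    char out[64];
    setenv("UNTRUSTED_INPUT", "from-parent", 1);
    const char *cmd = "echo \"${UNTRUSTED_INPUT:-absent}\"";
    int rc = use_clean_env ? run_with_clean_env(cmd, out, sizeof out)
                           : run_via_popen(cmd, out, sizeof out);
    if (rc != 0) return -1;
    return strcmp(out, "absent") != 0;
}

int main(void) {
    printf("/bin/sh is bash: %d\n", bin_sh_is_bash());
    printf("via popen()/system(): inherited variable visible = %d\n", env_var_visible(0));
    printf("via execve() with allow-listed env: visible = %d\n", env_var_visible(1));
    return 0;
}
```

On a Debian-style system bin_sh_is_bash() reports 0 (dash); on systems where /bin/sh is bash it reports 1, and in both cases the bogus $SHELL is ignored. The second pair of calls is the practical point for anyone auditing a daemon that calls system() or popen(): the inherited environment, not the shell binary alone, is what carries untrusted data into /bin/sh, and an allow-listed environment passed through execve() closes that path whichever shell is installed.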


