[dns-operations] ShellShock exploit through the DNS
paul at redbarn.org
Tue Oct 14 11:46:31 UTC 2014
On October 14, 2014 1:01:02 AM PDT, Simon Munton <Simon.Munton at cdns.net> wrote:
>(Sorry, this is not strictly DNS, but I would guess that this is the
>cause of this shell-shock vector).
>When looking at the code for libc I was most disappointed to see that
>"/bin/sh" is hard coded for both "popen()" and "system()"
That is what POSIX requires.
>Where as I had previously assumed that the environment variable SHELL
>could override this.
That would make most programs using system() or popen() fail for those of us using tcsh.
>As "/bin/sh" is almost always a symlink to "/bin/bash", and many O/S
>scripts assume this to be the case (i.e. use bash specific features,
>without declaring "#!/bin/bash"), so simply making "/bin/sh" a link to
>(say) "/bin/ash" is probably not an option.
Apple and redhat err'd in using bash to implement the /bin/sh interface. They should switch to ash like BSD or to the dash derivative of ash like Debian.
>So heads-up to any systems that use "popen()" or "system()"
That's all systems. Though only apple and redhat strictly needed patching.
>IMHO, these two vectors mean shellshock will provide all sorts of
I'm waiting to hear a live system that's vulnerable to the DNS method before I'll agree to call it a "vector". Right now it's a rigged demo.
> until everybody is upgraded.
Sent from my Android phone with K-9 Mail. Please excuse my brevity.
More information about the dns-operations