[dns-operations] ShellShock exploit through the DNS

Mark Andrews marka at isc.org
Tue Oct 14 20:17:11 UTC 2014


In message <543D4162.8000009 at dougbarton.us>, Doug Barton writes:
> On 10/14/14 6:41 AM, Paul Vixie wrote:
> > apparently the apache team believed as i did that no shell would ever
> > eval() its environment variables no matter with or without input
> > checking. the bash team really violated the principle of least
> > astonishment with function inheritance.
> 
> Given the number of years that the feature was in place (aka, "forever") 
> I find it hard to argue that it was "astonishing."

Did /bin/sh in System 5 eval its environment variables?  No.

Bash *added* the feature to the OS.  I've been using UNIX systems
since before bash even started development.  At that stage environment
variables were not evaluated by the shell by default.

If you wanted to evaluate an environment variable you ran:

eval "$VARIABLE"

> Rather, I find it quite astonishing that so many Linux distros did 
> precisely what it has always been recommended NOT to do, 'ln -s 
> /bin/bash /bin/sh'. I do not find the fact that they are now being 
> bitten in the ascii by this mistake at all astonishing. In fact I'm 
> rather enjoying it. :)

It doesn't matter if they did that or not.  The problem is that
with bash "ALL YOUR VARIABLE BELONG TO US" not all the variables
starting with BASH_ or BASH belong to us.  We expect you to sanitize
the environment before invoking us of anything which could remotely
cause a problem when executed.

It is an obscure feature of bash that no sane developer would think
a shell would be so stupid as to do.

Have you inspected every command on an OS to ensure that it does
something sane with all the environment variables?

configure scripts claim "with_*".  Different scripts use different
ones.  I actually have a couple of environment variables which make
use of these to save me typing in --with-atf=/usr/local and
--with-geoip=yes every time I run configure, which is usually a
dozen plus times a day.  I have to be careful when I rebuild ports
as I need to ensure these are stripped from the environment first.

with_atf=/opt/local
with_geoip=yes

> Doug
-- 
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742                 INTERNET: marka at isc.org
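The message above makes two practical points: a program should sanitize the environment before invoking a shell, and variables such as with_* leak into configure runs unless they are stripped first. The script below is an added example written for this archive page, not code from the thread or from ISC. It audits the current environment for names a subprocess shell should not inherit and runs a command under an allowlisted environment. It assumes two things: that a value beginning with "() {" is the encoding bash used for exported functions (the mechanism behind function inheritance), and that with_* and BASH* are the name patterns worth flagging, as the message states. The function names risky_env_names and run_clean, and the DEMO_FN variable used for illustration, are invented here.

```shell
#!/bin/sh
# Added example (not from the thread): audit and sanitize the environment
# before handing it to a shell or to a configure script.

# Print the names of environment variables that a child shell should not
# inherit:
#   - any value that starts with "() {", the encoding bash used for
#     exported functions (assumption stated in the lead-in)
#   - names matching with_* (consumed by configure) or BASH* (consumed by
#     bash itself), the patterns the message above describes
risky_env_names() {
    env | while IFS= read -r line; do
        case "$line" in
            *=*) ;;              # only NAME=VALUE lines; skip continuations
            *) continue ;;
        esac
        name=${line%%=*}
        value=${line#*=}
        case "$value" in
            "() {"*) printf '%s\n' "$name"; continue ;;
        esac
        case "$name" in
            with_*|BASH*) printf '%s\n' "$name" ;;
        esac
    done
}

# Run a command with an allowlisted environment: env -i drops everything,
# then only PATH and HOME are passed through. Extend the allowlist as the
# command you wrap requires (TERM, LANG, CC, ...).
run_clean() {
    env -i PATH="${PATH:-/usr/bin:/bin}" HOME="${HOME:-/}" "$@"
}
```

Typical use before a port rebuild is `run_clean ./configure --with-geoip=yes`, which guarantees that a stray with_geoip=yes (or anything else) in the login environment cannot alter the result; `risky_env_names` on its own shows what would have leaked through.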