bash velnerability
Charles Swiger
cswiger at mac.com
Tue Sep 30 22:29:31 UTC 2014
On Sep 30, 2014, at 3:08 PM, Jung-uk Kim <jkim at FreeBSD.org> wrote:
> On 2014-09-30 18:00:31 -0400, Mike Tancsa wrote:
>> On 9/30/2014 5:25 PM, Charles Swiger wrote:
>>> bash-3.2$ echo "Testing Exploit 4 (CVE-2014-7186)"
>>> Testing Exploit 4 (CVE-2014-7186)
>>> bash-3.2$ CVE7186="$(bash -c 'true <<EOF <<EOF <<EOF <<EOF <<EOF <<EOF
>>> <<EOF <<EOF <<EOF <<EOF <<EOF <<EOF <<EOF <<EOF' 2>/dev/null ||echo -n
>>> V)"
>>> bash-3.2$ [ "${CVE7186}" == "V" ] && echo "VULNERABLE" || echo "NOT
>>> VULNERABLE"
>>> NOT VULNERABLE
>>>
>>> This being said, I'm not confident that there won't be further issues
>>> found with bash....
>>>
>>
>> What are people using to check these issues ? I was using
>>
>> https://github.com/hannob/bashcheck
>>
>> Not sure if that gives false positives ?
> ...
>
> Yes, it seems it does.
>
> https://github.com/hannob/bashcheck/commit/5b611b36
>
> Jung-uk Kim
Checking, and agreed.
bash -c "true $(printf '<<EOF %.0s' {1..70})" 2>/dev/null
...works OK, but this crashes with a SIGSEGV:
bash -c "true $(printf '<<EOF %.0s' {1..80})" 2>/dev/null
Seems to be blowing out a ~84K malloc buffer located just above the __TEXT page for /bin/bash; it's not blowing out the stack directly and isn't affected by changing ulimit -s.
Regards,
--
-Chuck
More information about the freebsd-security
mailing list