On Fri, 26 Sep 2014, Jacob Torrey wrote:
Comes down to the basics, not treating data as formally as we do code, and
allowing the data to drive "weird machine" behavior. If Bash had a stricter
parser for its input, it wouldn't be an issue.

Very true. The LangSec implication of "any input is a program" is almost
trivial here: input placed in environment variables was not just driving
some state changes in the consuming software logic, but evaluated as shell
commands, straight up!
As we are working on LangSec guidelines for code review, one item is very
clear: identifying the parts of the target that directly receive inputs
and interpret them. In the LangSec threat/attack model, input is the
program and the input-handling code is the interpreter for that program;
thus a general description of how the interpreter works is a good starting
point. In many cases, the workings of the input-driven computation are
relatively obscure and include memory corruption and other hallmarks of
"weird machines", etc. In the Shellshock case, that interpreter works exactly
as it does in the intended computation case :)
Thank you,
--Sergey
Applying this
On Fri, Sep 26, 2014 at 11:18 AM, Sashank Dara <krishna.sash...@gmail.com>
wrote:
Hi,
By now, some of you would have heard about the shellshock bug identified
and making circles.
Below is the environment setting command that has a bug.

    env x='() { :;}; echo vulnerable' bash -c "echo this is a test"

Source:
https://securityblog.redhat.com/2014/09/24/bash-specially-crafted-environment-variables-code-injection-attack/
Now from langsec perspective, how do we explain this, anybody?
Regards,
Sashank
http://lnkd.in/88sgfr
_______________________________________________
langsec-discuss mailing list
langsec-discuss@mail.langsec.org
https://mail.langsec.org/cgi-bin/mailman/listinfo/langsec-discuss