Thus said Dan Egli on Wed, 01 Oct 2014 02:28:45 -0700:

> Interesting that they're encoding the attack in the useragent string.

That's just one vector. Basically, any process that takes untrusted user-provided data and stuffs it in an environment variable that then gets exported/passed on to another process can be used as a vector to exploit bash. This could include, for example, tcpserver -h, which will look up the PTR for the IP address of the remote host connecting to it and stuff it into a variable called TCPREMOTEHOST, which is then passed on to whatever it executes next in the chain. So, this could creep up in ways that you may not consider possible.

Andy
--
TAI64 timestamp: 40000000542c2988
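
The chain described in the message above can be guarded by scrubbing the environment before the next program runs. This is an added example, not part of the original message or of tcpserver; the wrapper, `scrub_env`, and the sample values are assumptions constructed for illustration.

```python
import os
import re
import sys

# Unpatched bash imported any environment value beginning with "() {" as a
# function definition. The pattern is deliberately a little looser (it
# tolerates extra whitespace) so near-variants are flagged too.
FUNC_IMPORT = re.compile(r"^\s*\(\)\s*\{")

# Constructed sample: the kind of environment a network front end hands to
# the next program. TCPREMOTEHOST comes from a PTR record the remote side
# controls; the trailing text stands in for whatever follows the definition.
SAMPLE_ENV = {
    "PATH": "/usr/bin:/bin",
    "TCPREMOTEIP": "192.0.2.10",
    "TCPREMOTEHOST": "() { :; }; <trailing text>",
    "HTTP_USER_AGENT": "Mozilla/5.0 (X11; Linux x86_64)",
}

def scrub_env(env):
    """Return (clean_env, flagged_names), dropping every variable whose
    value looks like a bash function import, whatever the variable is named."""
    clean, flagged = {}, []
    for name, value in env.items():
        if FUNC_IMPORT.match(value):
            flagged.append(name)
        else:
            clean[name] = value
    return clean, sorted(flagged)

def main(argv):
    """Run argv[1:] with a scrubbed copy of the current environment."""
    if len(argv) < 2:
        sys.exit("usage: scrub_env.py program [args...]")
    clean, flagged = scrub_env(dict(os.environ))
    for name in flagged:
        # Log the name only; the value is untrusted and may be long.
        print(f"scrub_env: dropped {name}", file=sys.stderr)
    os.execvpe(argv[1], argv[1:], clean)

if __name__ == "__main__":
    main(sys.argv)
```

Placed between the program that populates the environment and whatever it executes next, the wrapper checks every variable rather than a fixed list of names, which matches the point that the vector can be any variable.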
