Am 27.10.2014 um 21:04 schrieb Daniel Staal: > --As of October 27, 2014 8:29:52 PM +0100, Robert Schetterer is alleged > to have said: > >> by the way >> >> http://www.exploit-db.com/exploits/34896/ >> >> always have a shellshock patched system these days with postfix/procmail > > --As for the rest, it is mine. > > Interesting. I dug a bit further out of curiosity. > > Postfix is irrelevant in this
jep - Procmail is what needs to be looked at. > More specifically, the rules that are being used; running procmail in > and of itself doesn't allow this to be exploited, it's only if you have > a procmail rule that sticks info into the environment (not uncommon) > that it happens. > > The default shell is the recipient's login shell - though that can be > overridden in procmailrc. > > I wouldn't rule out other LDA's from having similar problems without > proof - but it's something to be aware of. where ever bash scripting may involved i think, perhaps pre/post login/last scripts etc seen a lot of ideas.., i.e some bash command found in log interpreted by home grown log analyser and invoked at loogrotate time etc but thats total off topic , and deeply related to bash security > > Daniel T. Staal > > --------------------------------------------------------------- > This email copyright the author. Unless otherwise noted, you > are expressly allowed to retransmit, quote, or otherwise use > the contents for non-commercial purposes. This copyright will > expire 5 years after the author's death, or in 30 years, > whichever is longer, unless such a period is in excess of > local copyright law. > --------------------------------------------------------------- Best Regards MfG Robert Schetterer -- [*] sys4 AG http://sys4.de, +49 (89) 30 90 46 64 Franziskanerstraße 15, 81669 München Sitz der Gesellschaft: München, Amtsgericht München: HRB 199263 Vorstand: Patrick Ben Koetter, Marc Schiffbauer Aufsichtsratsvorsitzender: Florian Kirstein
