[RndTbl] bash + procmail vulnerabilities

Sean Walberg sean at ertw.com
Thu Sep 25 07:23:39 CDT 2014


>
> I'm trying to guess how?  In what instance is some program allowing
> network vectors to set env vars, especially without sterilization?  Or
> do I not want to know...


My guess would be anything attached to a web server -- CGI, dynamic apps
that shell out to stuff like imagemagick, etc. Headers are passed through
to the script: HTTP_REFERER, USER_AGENT, and so forth.

Sean

On Thu, Sep 25, 2014 at 6:02 AM, Trevor Cordes <trevor at tecnopolis.ca> wrote:

> Wonderful, another day, another big bad security hole... or two.
>
> Run your patches!
>
> First up: bash:
> $ env x='() { :;}; echo OOPS' bash -c /usr/sbin/nologin
> OOPS
> This account is currently not available.
>
> http://www.openwall.com/lists/oss-security/2014/09/24/10
>
> claims:
>
> > In many common configurations, this vulnerability is exploitable over
> > the network.
>
> I'm trying to guess how?  In what instance is some program allowing
> network vectors to set env vars, especially without sterilization?  Or
> do I not want to know...
>
> Next up, procmail has a formail buffer overflow that may or may not
> allow arb code exec CVE-2014-3618.  Many stock procmail recipes use
> formail.  It's easy to see how this one is remotely exploitable.



-- 
Sean Walberg <sean at ertw.com>    http://ertw.com/
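
As an added illustration of the vector described in the reply above (not part of the original thread, and not code from either poster): a CGI server copies request headers into `HTTP_*` environment variables following RFC 3875, so a header value beginning with `() {` reaches any bash the script starts. The function names and the sample request are assumptions made for this example; the Referer value reuses the test string quoted in the thread.

```python
# Added example: CGI header-to-environment mapping (RFC 3875, section 4.1.18)
# and a check for values that pre-patch bash would parse as function definitions.

FUNC_PREFIX = "() {"  # leading bytes bash used to recognise an exported function


def cgi_env_from_headers(headers):
    """Build the HTTP_* meta-variables a CGI server passes to the script."""
    env = {}
    for name, value in headers.items():
        key = name.upper().replace("-", "_")
        # Content-Type and Content-Length get their own unprefixed variables.
        if key not in ("CONTENT_TYPE", "CONTENT_LENGTH"):
            key = "HTTP_" + key
        env[key] = value.strip()
    return env


def function_like_vars(env):
    """Names of variables whose value starts like a bash function definition."""
    return sorted(k for k, v in env.items() if v.startswith(FUNC_PREFIX))


def scrubbed(env):
    """Copy of env without function-like values (stopgap, not a replacement for patching)."""
    bad = set(function_like_vars(env))
    return {k: v for k, v in env.items() if k not in bad}


# Constructed sample request; the Referer value is the test string from the thread.
SAMPLE_HEADERS = {
    "Host": "www.example.org",
    "User-Agent": "Mozilla/5.0 (X11; Linux x86_64)",
    "Referer": "() { :;}; echo OOPS",
    "Content-Type": "text/plain",
}

if __name__ == "__main__":
    env = cgi_env_from_headers(SAMPLE_HEADERS)
    for key in sorted(env):
        flag = "  <-- function-like" if key in function_like_vars(env) else ""
        print(f"{key}={env[key]!r}{flag}")
    print("passed to child:", sorted(scrubbed(env)))
```

The same prefix check can be run over logged Referer and User-Agent fields to spot probing; patching bash remains the fix.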