2014年09月26日 CVE-2014-6271: remote code execution through bash [長年日記]
_ CVE-2014-6271: remote code execution through bash
Before version up
$ env x='() { :;}; echo vulnerable' bash -c "echo this is a test"
vulnerable
this is a test
OMG!
Let's do version up to bash-4.3.25 on Slackware.
$ tar xvvf bash-4.3.tar.gz $ tar xvvf bash-4.3-patches.tar.gz $ cd bash-4.3 $ cat ../bash-4.3-patches/bash43* | patch -p0 $ ./configure --prefix=/usr --mandir=/usr/man --infodir=/usr/info $ make
# make install-strip # cd /usr/bin # mv bashbug bashbug.REMOVED && chmod -x bashbug.REMOVED # mv bash /bin/bash.new # ln -sf /bin/bash . # cd /bin # mv bash bash.old # mv bash.new bash # mv bash.old bash.old.REMOVED && chmod -x bash.old.REMOVED
After version up
$ env x='() { :;}; echo vulnerable' bash -c "echo this is a test"
bash: warning: x: ignoring function definition attempt
bash: error importing function definition for `x'
this is a test
But CVE-2014-7169 is not fixed yet :(
[ツッコミを入れる]