looks like a typo but can't be :(
Joshua

I'm assuming you're talking about something like another shellshock vulnerability.

Like this:

#!/my/env -S - /bin/bash

What about LD_LIBRARY_PATH and LD_PRELOAD? I did say my env.

Can you port this elsewhere? Sure you can. BSD should be reasonably easy. Mac OS X will be a pain.

Or you just ship this beast instead.

#include <stdio.h>
#include <unistd.h>

int main(int argc, char **argv)
{
   if (argc < 2) { fprintf(stderr, "Usage: %s script ...\n", argv[0]); return 2; }
   argv[0] = "/bin/bash";
   execve(argv[0], argv, NULL);   /* NULL envp: bash starts with an empty environment (Linux behaviour) */
   perror("execve");              /* only reached if the exec failed */
   return 127;
}

Or ask for ash for startup. That can be made sane.

#!/bin/ash
IFS=' 
'
# For some reason `IFS=` is immune to nonsense.
# Setting IFS to = doesn't result in an escape here. I tried it.

unset LD_PRELOAD
unset LD_LIBRARY_PATH

# Now we can sanitize PATH
PATH="$(/usr/bin/getconf PATH)"

# Actually fixing your environment from here is plenty possible.
# Normal enumerating goodness doesn't work because there could be nasty characters.
# So we're stuck with env anyway

env - /bin/bash stage2

If we're something like CGI that wants its environment, we're out of luck and have to write the whole thing in not bash. The language isn't powerful enough to deal with this nonsense. I used to do this back in the day when shellshock was not a thing and I didn't use bash for it anyway but rather ksh which didn't have such features. And yes, starting with IFS= and PATH= is a must. And I would have to reevaluate ksh now; it's changed since I last used it.
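The wrapper above gives bash an empty environment, and the ash stage does the same via `env -`. The following is an added example (not Joshua's code from the answer) of the middle ground for the CGI-style case where some of the caller's environment has to survive: a C wrapper that rebuilds the environment from an allowlist instead of forwarding it. The names `filter_env`, `value_ok`, the allowlist contents and the pinned PATH/IFS values are assumptions for illustration; a real deployment would choose its own. Dropping values that begin with `() {` targets the export format that shellshock abused; it narrows what reaches bash but is not a substitute for a patched bash.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>

extern char **environ;

#define MAX_ENV 64

/* Names a CGI-style script legitimately needs. Assumption for the example;
 * note that PATH, IFS, LD_*, BASH_ENV, SHELLOPTS etc. are deliberately absent. */
static const char *const allow[] = {
    "REQUEST_METHOD", "QUERY_STRING", "CONTENT_LENGTH", "CONTENT_TYPE",
    "SCRIPT_NAME", "REMOTE_ADDR", "SERVER_NAME", "HOME", "LANG", NULL
};

/* Values we always set ourselves, overriding whatever the caller sent. */
static char *const pinned[] = {
    "PATH=/usr/bin:/bin",
    "IFS= \t\n",
    NULL
};

static int name_allowed(const char *name, size_t len)
{
    for (int i = 0; allow[i]; i++)
        if (strlen(allow[i]) == len && memcmp(allow[i], name, len) == 0)
            return 1;
    return 0;
}

/* A value is acceptable only if it is printable ASCII (no newlines, tabs or
 * other control characters) and does not look like an exported bash function. */
static int value_ok(const char *val)
{
    if (strncmp(val, "() {", 4) == 0)
        return 0;                                   /* shellshock-style function export */
    for (const unsigned char *p = (const unsigned char *)val; *p; p++)
        if (*p < 0x20 || *p > 0x7e)
            return 0;
    return 1;
}

/* Build a filtered, NULL-terminated copy of `in` into `out` (capacity `cap`).
 * Pinned entries come first, then allowlisted caller entries in original order.
 * Returns the number of entries written, or -1 if `out` is too small. */
int filter_env(char *const *in, char **out, size_t cap)
{
    size_t n = 0;
    for (int i = 0; pinned[i]; i++) {
        if (n + 1 >= cap) return -1;
        out[n++] = pinned[i];
    }
    for (size_t i = 0; in[i]; i++) {
        const char *eq = strchr(in[i], '=');
        if (!eq || eq == in[i]) continue;           /* malformed: no '=' or empty name */
        size_t len = (size_t)(eq - in[i]);
        if (!name_allowed(in[i], len)) continue;    /* drops LD_PRELOAD, BASH_ENV, PATH, ... */
        if (!value_ok(eq + 1)) continue;            /* drops function exports and control chars */
        if (n + 1 >= cap) return -1;
        out[n++] = in[i];
    }
    out[n] = NULL;
    return (int)n;
}

int main(int argc, char **argv)
{
    char *clean[MAX_ENV];
    if (argc < 2) { fprintf(stderr, "Usage: %s script ...\n", argv[0]); return 2; }
    if (filter_env(environ, clean, MAX_ENV) < 0) {
        fprintf(stderr, "%s: too many environment variables\n", argv[0]);
        return 2;
    }
    argv[0] = "/bin/bash";
    execve(argv[0], argv, clean);
    perror("execve");                               /* only reached if the exec failed */
    return 127;
}
```

Compile it and install it as the interpreter the web server invokes (`./safe_bash script.cgi`); bash then sees only PATH, IFS and the allowlisted request variables. Duplicate names from the caller are passed through as-is, which is acceptable here because the allowlist excludes every name bash itself interprets.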
