Your skill will accomplish what the force of many cannot |
|
PerlMonks |
Re^6: Taint and Shellshockby tobyink (Canon) |
on Sep 28, 2014 at 20:40 UTC ( [id://1102289]=note: print w/replies, xml ) | Need Help?? |
kennethk's analysis is entirely correct.
Firstly, one of the key factors in exploiting shellshock is that it's not just a single environment variable that is vulnerable. Any environment variable will do. So it doesn't need to be called "BAD_VAR". It could be called, say, HTTP_BAD_BAR. Make a request to a CGI script like this:
You'll see that the environment contains a variable called HTTP_BAD_VAR.
No. Forget the script. The script doesn't do anything insecure. Let's imagine a simple script that doesn't even look at environment variables:
Yes $ENV{HTTP_BAD_VAR} is tainted, but the script doesn't actually touch that hash value, so no error is raised about it. The one-argument form of system(), if it contains shell characters (in this case, the asterisk) doesn't spawn the given command directly, but runs it via the system shell (which will usually be bash). So bash gets spawned. Bash inherits all of %ENV because child processes inherit their parent's environment. Thus bash gets the HTTP_BAD_VAR verbatim from the HTTP request header. And bash will eval any environment variable that starts with () {.
In Section
Seekers of Perl Wisdom
|
|