How vulnerable are bash users to shellshock bug?
Achim Gratz
Stromeko@NexGo.DE
Mon Sep 29 09:02:00 GMT 2014
Andy <AndyMHancock <at> gmail.com> writes:
> According to http://www.vox.com/2014/9/25/6843949/the-bash-bug-explained,
> shellshock is exploited when someone submits commands in place of parameter
> data to a server, which then tries to shove the info into an environment
> variable by a bash invocation.
No, the attack vector is to have a targeted user run bash in an environment
with at least one environment variable having crafted content as to exploit
the bug. That's quite general and can be used for all sorts of privilege
escalation locally, using it remotely via a service is just the icing on the
cake.
Regards,
Achim.
--
Problem reports: http://cygwin.com/problems.html
FAQ: http://cygwin.com/faq/
Documentation: http://cygwin.com/docs.html
Unsubscribe info: http://cygwin.com/ml/#unsubscribe-simple
More information about the Cygwin
mailing list