This is the mail archive of the cygwin mailing list for the Cygwin project.


Index Nav: [Date Index] [Subject Index] [Author Index] [Thread Index]
Message Nav: [Date Prev] [Date Next] [Thread Prev] [Thread Next]
Other format: [Raw text]

Re: How vulnerable are bash users to shellshock bug?


Andy <AndyMHancock <at> gmail.com> writes:
> According to http://www.vox.com/2014/9/25/6843949/the-bash-bug-explained,
> shellshock is exploited when someone submits commands in place of parameter
> data to a server, which then tries to shove the info into an environment
> variable by a bash invocation.  

No, the attack vector is to have a targeted user run bash in an environment
with at least one environment variable having crafted content as to exploit
the bug.  That's quite general and can be used for all sorts of privilege
escalation locally, using it remotely via a service is just the icing on the
cake.


Regards,
Achim.


--
Problem reports:       http://cygwin.com/problems.html
FAQ:                   http://cygwin.com/faq/
Documentation:         http://cygwin.com/docs.html
Unsubscribe info:      http://cygwin.com/ml/#unsubscribe-simple


Index Nav: [Date Index] [Subject Index] [Author Index] [Thread Index]
Message Nav: [Date Prev] [Date Next] [Thread Prev] [Thread Next]