Skip site navigation (1)Skip section navigation (2) 
Date:      Tue, 30 Sep 2014 15:29:28 -0700
From:      Charles Swiger <cswiger@mac.com>
To:        Jung-uk Kim <jkim@FreeBSD.org>
Cc:        freebsd-security <freebsd-security@FreeBSD.org>, Bryan Drewery <bdrewery@FreeBSD.org>, freebsd-ports <freebsd-ports@FreeBSD.org>
Subject:   Re: bash velnerability
Message-ID:  <7943146A-CB56-4744-BFB5-268B306D3738@mac.com>
In-Reply-To: <542B29C1.7010505@FreeBSD.org>
References:  <CAHFU5H5WOnAXuFmfQEGkTvwoECATTCC3eKYE3yts%2BBqh1M_8ww@mail.gmail.com> <00000148ab969845-5940abcc-bb88-4111-8f7f-8671b0d0300b-000000@us-west-2.amazonses.com> <54243F0F.6070904@FreeBSD.org> <54244982.8010002@FreeBSD.org> <16EB2C50-FBBA-4797-83B0-FB340A737238@circl.lu> <542596E3.3070707@FreeBSD.org> <CAHcXP%2Bdx2etYgQPNiAxk2P68Z-4j%2BbTvdMoHfz%2BxKsBDKh9Z9g@mail.gmail.com> <5425999A.3070405@FreeBSD.org> <5425A548.9090306@FreeBSD.org> <5425D427.8090309@FreeBSD.org> <54298266.1090201@sentex.net> <5429851B.8060500@FreeBSD.org> <542AFC54.9010405@FreeBSD.org> <542B087D.3040903@FreeBSD.org> <CC9931CC-6BEA-4416-9546-42D6E49C1129@mac.com> <542B27FF.10204@sentex.net> <542B29C1.7010505@FreeBSD.org>
next in thread | previous in thread | raw e-mail | index | archive | help 
On Sep 30, 2014, at 3:08 PM, Jung-uk Kim <jkim@FreeBSD.org> wrote:
> On 2014-09-30 18:00:31 -0400, Mike Tancsa wrote:
>> On 9/30/2014 5:25 PM, Charles Swiger wrote:
>>> bash-3.2$ echo "Testing Exploit 4 (CVE-2014-7186)"
>>> Testing Exploit 4 (CVE-2014-7186)
>>> bash-3.2$ CVE7186="$(bash -c 'true <<EOF <<EOF <<EOF <<EOF <<EOF <<EOF
>>> <<EOF <<EOF <<EOF <<EOF <<EOF <<EOF <<EOF <<EOF' 2>/dev/null ||echo -n
>>> V)"
>>> bash-3.2$ [ "${CVE7186}" == "V" ] && echo "VULNERABLE" || echo "NOT
>>> VULNERABLE"
>>> NOT VULNERABLE
>>> 
>>> This being said, I'm not confident that there won't be further issues
>>> found with bash....
>>> 
>> 
>> What are people using to check these issues ?  I was using
>> 
>> https://github.com/hannob/bashcheck
>> 
>> Not sure if that gives false positives ?
> ...
> 
> Yes, it seems it does.
> 
> https://github.com/hannob/bashcheck/commit/5b611b36
> 
> Jung-uk Kim

Checking, and agreed.

bash -c "true $(printf '<<EOF %.0s' {1..70})" 2>/dev/null

...works OK, but this crashes with a SIGSEGV:

bash -c "true $(printf '<<EOF %.0s' {1..80})" 2>/dev/null

Seems to be blowing out a ~84K malloc buffer located just above the __TEXT page for /bin/bash; it's not blowing out the stack directly and isn't affected by changing ulimit -s.

Regards,
-- 
-Chuck

Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?7943146A-CB56-4744-BFB5-268B306D3738>