[Python-Dev] Critical bash vulnerability CVE-2014-6271 may affect Python on *n*x and OSX

Cameron Simpson cs at zip.com.au
Fri Sep 26 02:59:54 CEST 2014 

On 26Sep2014 09:40, Steven D'Aprano <steve at pearwood.info> wrote:
>On Fri, Sep 26, 2014 at 12:17:46AM +0200, Antoine Pitrou wrote:
>> On Thu, 25 Sep 2014 13:00:16 -0700
>> Bob Hanson <d2mp1a9 at newsguy.com> wrote:
>> > Critical bash vulnerability CVE-2014-6271 may affect Python on
>> > *n*x and OSX:
>[...]
>
>See also:
>http://adminlogs.info/2014/09/25/again-bash-cve-2014-7169/
>
>> Fortunately, Python's subprocess has its `shell` argument default to
>> False. However, `os.system` invokes the shell implicitly and is
>> therefore a possible attack vector.
>
>Perhaps I'm missing something, but aren't there easier ways to attack
>os.system than the bash env vulnerability? If I'm accepting and running
>arbitrary strings from an untrusted user, there's no need for them to go
>to the trouble of feeding me:
>
>"env x='() { :;}; echo gotcha'  bash -c 'echo do something useful'"
>
>when they can just feed me:
>
>"echo gotcha"
>
>In other words, os.system is *already* an attack vector, unless you only
>use it with trusted strings. I don't think the bash env vulnerability
>adds to the attack surface.
>
>Have I missed something?

Yes. Although it is possible to craft safe things for os.system, the issue is 
delivery of the attacks: plenty of totally standard things expose the shell to 
outside-supplied strings. And on most of those things, "the shell" is bash.

The issue with the bash-imports-functions-badly issue is that shell functions 
are exported through the environment. Other things use the environment to pass 
info.

The loud examples on the net are CGI scripts (query parameters passed through 
the environment, along with other things) and hostile DHCP servers (DHCP 
settings passed by the _client_ dhcpd to action scripts, as root).

Both of these let someone outside your system deliver bash-exploit strings to 
bash scripts.

Your cable/adsl modem? Probably an embedded Linux box, possibly using bash, and 
certainly a dhcp client of the ISP. Better still, for many people that same 
comprimisable modem is the DHCP _server_ for their home LAN...

Cheers,
Cameron Simpson <cs at zip.com.au>

Rebel without a clue, Born to be mild.
         - Kevin.Lowey at Usask.CA, DoD #0975

More information about the Python-Dev mailing list