Question
Is my understanding correct that in order to exploit via "Shell Shock", the binary we influence needs to execute bash (and we need to have influence on the command line)?
Therefore, am I correct that if the binary does not execute bash directly, and does not use the system() system call (which uses the shell for command evaluation), but instead calls helper programs via system calls from the exec() family (or loads them via dynamic loading like ld etc.), then the given binary is "shell shock" safe? (Of course this applies transitively, if we can influence how helper apps call their helper apps.)
And if the system exposes only such binaries to inputs from the external world, is the given system "shell shock" safe? (Therefore, is checking for lack of system() calls and exec() calls of bash a good audit evaluation criterion?)
Explanation / Answer
Wrong on both counts.
In order to exploit the "shellshock" vulnerability, an attacker needs to control at least one environment variable (easy to do through CGI, SSH, or DHCP), and bash needs to be invoked at some point with the modified environment: directly as the result of an exec(), indirectly through system() or equivalent, highly indirectly through exec() of a helper app that in turn calls system(), and so on.
bash doesn't need to be invoked by name, either. On many systems, /bin/sh is a symbolic or hard link to /bin/bash, so running any script that starts with #!/bin/sh will result in bash being run.
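The point that bash need not be invoked by name is easy to miss in an audit that only greps for "bash". The following is an added example, not code from the question or the answer: a small audit helper that reads a script's shebang and checks whether the named interpreter is the same inode as a known bash binary, which catches both symlinks and hard links. The file layout it builds (a fake `bash`, a `sh` symlink and a `sh-hard` hard link to it, an unrelated `dash`, and three scripts) is constructed in a temporary directory purely for illustration.

```python
import os
import tempfile


def same_file(a, b):
    """True if paths a and b are the same inode.

    os.stat follows symlinks, so this covers /bin/sh -> /bin/bash symlinks;
    comparing (st_dev, st_ino) also covers hard links, which no name check sees.
    """
    try:
        sa, sb = os.stat(a), os.stat(b)
    except FileNotFoundError:
        return False
    return (sa.st_dev, sa.st_ino) == (sb.st_dev, sb.st_ino)


def shebang_interpreter(script_path):
    """Return the interpreter path from a script's #! line, or None."""
    with open(script_path, "rb") as f:
        first = f.readline()
    if not first.startswith(b"#!"):
        return None
    parts = first[2:].strip().split()
    if not parts:
        return None
    interp = parts[0].decode()
    # "#!/usr/bin/env sh" style: the real interpreter is the next word
    # (returned as a bare name; resolving it on PATH is left to the caller).
    if os.path.basename(interp) == "env" and len(parts) > 1:
        return parts[1].decode()
    return interp


def interpreter_is_bash(interp, bash_candidates):
    """True if interp is, or links to, any of the known bash binaries."""
    return any(same_file(interp, b) for b in bash_candidates)


def script_invokes_bash(script_path, bash_candidates):
    """True if running this script would hand its environment to bash."""
    interp = shebang_interpreter(script_path)
    if interp is None:
        return False
    return interpreter_is_bash(interp, bash_candidates)


def build_fixture(root):
    """Constructed layout for the demo (hypothetical, not a real system):
    a fake bash, a symlink and a hard link to it, an unrelated shell,
    and one script whose shebang points at each of the three."""
    bash = os.path.join(root, "bash")
    with open(bash, "w") as f:
        f.write("fake bash\n")
    os.symlink(bash, os.path.join(root, "sh"))       # symlink case
    os.link(bash, os.path.join(root, "sh-hard"))      # hard link case
    dash = os.path.join(root, "dash")
    with open(dash, "w") as f:
        f.write("fake dash\n")
    scripts = {}
    for name, interp in [("via_symlink.sh", "sh"),
                         ("via_hardlink.sh", "sh-hard"),
                         ("via_dash.sh", "dash")]:
        path = os.path.join(root, name)
        with open(path, "w") as f:
            f.write("#!" + os.path.join(root, interp) + "\necho hi\n")
        scripts[name] = path
    return bash, scripts


def audit_fixture():
    """Build the fixture and report, per script, whether it reaches bash."""
    with tempfile.TemporaryDirectory() as root:
        bash, scripts = build_fixture(root)
        return {name: script_invokes_bash(p, [bash]) for name, p in scripts.items()}


if __name__ == "__main__":
    for name, hits_bash in audit_fixture().items():
        print(f"{name}: {'runs bash' if hits_bash else 'does not run bash'}")
```

On a real host you would pass the actual bash locations (for example `/bin/bash` and `/usr/bin/bash`) as `bash_candidates` and walk the scripts an exposed service can reach. Note that this only covers the shebang path the answer mentions; a helper that calls system() still goes through `/bin/sh -c`, so the same inode check on `/bin/sh` itself tells you whether that route ends in bash too.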