Bash Code Injection Vulnerability via Specially Crafted Environment Variables (CVE-2014-6271, CVE-2014-7169) - Red Hat Customer Portal

Red Hat has been made aware of a vulnerability affecting all versions of the bash package as shipped with Red Hat products. This vulnerability CVE-2014-6271 could allow for arbitrary code execution. Certain services and applications allow remote unauthenticated attackers to provide environment variables, allowing them to exploit this issue. Update: 2014-09-30 18:00 UTC Two new flaws have been repo

[RMS-099]

「env x='() { :;}; echo vulnerable' bash -c "echo this is a test"」を実行して、"vulnerable"が出力されてしまうと、脆弱性があることを示している。

[s_mori]

Shellshock

[wkubota]

後で読む