Re: Testing for Shellshock ... combinatorics and latest(Shellshock) Bash Vulnerability...(attn: Chet Ramey)

[Chet Ramey]

On 10/9/14, 3:46 PM, Rick Karcich (rkarcich) wrote:
> Hello Chet,
> 
> Re: testing for Shellshock...  would like your feedback... specifically, 
> regarding the possibility of human-directed combinatorial testing to find 
> this Bash vulnerability...
> 
> Given the knowledge about Shellshock that's been developed, I'm wanting to 
> define more of the attack surface for Shellshock - and put this into an input 
> model for combinatorial testing...

It's not clear that this problem would have been appropriate for automated
testing.  It was code that did what was intended: the problem is that it
was invoked in (remotely-triggered) contexts that were unintended.

The triggering condition was the appropriately-formatted environment
variable.  The issue that made it dangerous was that there were
circumstances under which remote users could specify values that were
turned into environment variables by applications that ended up invoking
bash.  In a local environment, it was a non-issue: a clever way to execute
commands bash would have let you execute in a more straightforward way.

If your attack surface is the shell parser, then you can just run

bash -nc 'randomly-generated-string'

all day long and see what happens.

Chet

-- 
``The lyf so short, the craft so long to lerne.'' - Chaucer
                 ``Ars longa, vita brevis'' - Hippocrates
Chet Ramey, ITS, CWRU    chet@case.edu    http://cnswww.cns.cwru.edu/~chet/