<div dir="ltr"><div><span style="font-family:arial,sans-serif;font-size:13px">Believe it or not...</span><div style="font-family:arial,sans-serif;font-size:13px"><br></div><div style="font-family:arial,sans-serif;font-size:13px">"What the....."</div><div style="font-family:arial,sans-serif;font-size:13px"><br></div><div style="font-family:arial,sans-serif;font-size:13px">I've patched servers all afternoon...</div><div style="font-family:arial,sans-serif;font-size:13px"><br></div><div style="font-family:arial,sans-serif;font-size:13px"><br></div><div style="font-family:arial,sans-serif;font-size:13px">Bash (the program that is the command line where you type 'python') is actually vulnerable to injection attacks. If you're running a webserver, for example, you could be in trouble (environment variables through webserver headers can execute commands directly on the machine).</div><div style="font-family:arial,sans-serif;font-size:13px"><br></div><div style="font-family:arial,sans-serif;font-size:13px"><br></div><div style="font-family:arial,sans-serif;font-size:13px">To test:</div><div style="font-family:arial,sans-serif;font-size:13px"><br></div><div style="font-family:arial,sans-serif;font-size:13px"><pre style="white-space:pre-wrap;padding:0.5rem;font-family:Monaco,Menlo,Consolas,'Courier New',monospace;font-size:0.75rem;color:rgb(51,51,51);border-top-left-radius:4px;border-top-right-radius:4px;border-bottom-right-radius:4px;border-bottom-left-radius:4px;margin-top:0.5rem;margin-bottom:0.2rem;line-height:1.15rem;word-break:normal;word-wrap:break-word;border:1px solid rgba(0,0,0,0.14902);background:rgb(251,250,248)">prompt> env x='() { :;}; echo vulnerable' bash -c "echo this is a test"</pre></div><div style="font-family:arial,sans-serif;font-size:13px"><br></div><div style="font-family:arial,sans-serif;font-size:13px">This is bad:</div><div style="font-family:arial,sans-serif;font-size:13px"><pre
style="white-space:pre-wrap;padding:0.5rem;font-family:Monaco,Menlo,Consolas,'Courier New',monospace;font-size:0.75rem;color:rgb(51,51,51);border-top-left-radius:4px;border-top-right-radius:4px;border-bottom-right-radius:4px;border-bottom-left-radius:4px;margin-top:0.5rem;margin-bottom:0.2rem;line-height:1.15rem;word-break:normal;word-wrap:break-word;border:1px solid rgba(0,0,0,0.14902);background:rgb(251,250,248)">vulnerable<br>this is a test</pre></div><div style="font-family:arial,sans-serif;font-size:13px"><br></div><div style="font-family:arial,sans-serif;font-size:13px"><br></div><div style="font-family:arial,sans-serif;font-size:13px">This is good:</div><div style="font-family:arial,sans-serif;font-size:13px"><br></div><div style="font-family:arial,sans-serif;font-size:13px"><pre style="white-space:pre-wrap;padding:0.5rem;font-family:Monaco,Menlo,Consolas,'Courier New',monospace;font-size:0.75rem;color:rgb(51,51,51);border-top-left-radius:4px;border-top-right-radius:4px;border-bottom-right-radius:4px;border-bottom-left-radius:4px;margin-top:0.5rem;margin-bottom:0.2rem;line-height:1.15rem;word-break:normal;word-wrap:break-word;border:1px solid rgba(0,0,0,0.14902);background:rgb(251,250,248)"><p>bash: warning: x: ignoring function definition attempt</p><p>bash: error importing function definition for `x'</p><p>this is a test</p></pre></div><div style="font-family:arial,sans-serif;font-size:13px"><br></div><div style="font-family:arial,sans-serif;font-size:13px"><br></div><div style="font-family:arial,sans-serif;font-size:13px"><br></div><div style="font-family:arial,sans-serif;font-size:13px">Details:</div><div style="font-family:arial,sans-serif;font-size:13px"><br></div><div style="font-family:arial,sans-serif;font-size:13px"><div style="border-top-width:1px;border-top-style:solid;border-top-color:transparent;word-wrap:break-word;clear:both;padding:0px 2rem 0.1rem 
3rem;font-family:Lato,sans-serif;font-size:15px;line-height:22px;color:rgb(61,60,64);margin-top:0.5rem"><span style="display:block;min-height:1rem">#86144 CVE-2014-6271: remote code execution through bash<span style="display:block;min-height:0.5rem"><i style="display:inline-block;vertical-align:baseline;min-height:0px;font-size:0px;float:left;background-repeat:no-repeat"><br></i></span><span style="display:block;min-height:0.5rem"><br><i style="display:inline-block;vertical-align:baseline;min-height:0px;font-size:0px;float:left;background-repeat:no-repeat"><br></i></span>omg:<br><a href="https://news.ycombinator.com/item?id=8361574" rel="noreferrer" target="_blank" style="color:rgb(42,128,185);text-decoration:none">https://news.ycombinator.com/item?id=8361574</a><span style="display:block;min-height:0.5rem"><i style="display:inline-block;vertical-align:baseline;min-height:0px;font-size:0px;float:left;background-repeat:no-repeat"><br></i></span>wtf:<br><a href="http://seclists.org/oss-sec/2014/q3/649" rel="noreferrer" target="_blank" style="color:rgb(67,159,224);outline:0px">http://seclists.org/oss-sec/2014/q3/649</a><span style="display:block;min-height:0.5rem"><i style="display:inline-block;vertical-align:baseline;min-height:0px;font-size:0px;float:left;background-repeat:no-repeat"><br></i></span>a good explanation:<br><a href="http://seclists.org/oss-sec/2014/q3/650" rel="noreferrer" target="_blank" style="color:rgb(42,128,185);text-decoration:none">http://seclists.org/oss-sec/2014/q3/650</a><span style="display:block;min-height:0.5rem"><i style="display:inline-block;vertical-align:baseline;min-height:0px;font-size:0px;float:left;background-repeat:no-repeat"><br></i></span></span></div><div style="border-top-width:1px;border-top-style:solid;border-top-color:transparent;word-wrap:break-word;clear:both;padding:0.25rem 2rem 0.1rem 3rem;font-family:Lato,sans-serif;font-size:15px;line-height:22px;color:rgb(61,60,64)"><i 
style="display:inline-block;vertical-align:baseline;min-height:0px;font-size:0px;float:left;background-repeat:no-repeat"><a href="https://repairpal.slack.com/team/mgrosso" target="_blank" style="color:rgb(104,75,108);text-decoration:none;word-break:break-word;font-weight:900;padding-right:0.25rem;margin-left:0px;font-style:normal">mgrosso</a><i style="display:inline-block;vertical-align:baseline;min-height:0px;float:left;background-repeat:no-repeat"></i></i><i style="display:inline-block;vertical-align:baseline;min-height:0px;font-size:0px;float:left;background-repeat:no-repeat">[1:26 PM]</i><span style="display:block;min-height:1rem">fyi.</span></div></div></div><div><br></div><br clear="all"><div><br></div>-- <br><div dir="ltr">







<p>"You grab mindshare by being there."</p><p>-- Alex Martelli <br></p><p>   Bay Area Python Interest Group Talk</p><p>   24-Oct, 2013<br></p></div>
</div>
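The one-line test quoted in the message above tells you whether a host's bash imports function definitions from arbitrary environment variables (CVE-2014-6271). The script below is an added example, not part of the original e-mail or the Slack thread it quotes: it wraps that same test in a POSIX sh script that classifies the output into a verdict a patch-tracking job can consume, and it also handles the case the message does not show, where a bash built after the follow-up fixes no longer prints the "ignoring function definition attempt" warning because it silently ignores a plain variable such as x and only looks at specially prefixed names. The three sample outputs are constructed here from the two cases shown in the message plus that silent case; the live check assumes a bash binary on PATH.

```shell
#!/bin/sh
# Added example (not from the original message): a defender-side check for
# CVE-2014-6271 built around the same test command the e-mail quotes.

# classify_output OUTPUT
# Takes the combined stdout+stderr of the test command and prints a verdict:
#   vulnerable - the injected body ran, so the marker "vulnerable" is present
#   patched    - the marker is absent but the trailing echo still ran; covers
#                both the warning output shown in the message and newer bash
#                builds that ignore the variable without any warning
#   unknown    - neither marker is present (bash missing, different shell, etc.)
classify_output() {
    case $1 in
        *vulnerable*)       echo vulnerable ;;
        *"this is a test"*) echo patched ;;
        *)                  echo unknown ;;
    esac
}

# run_check: runs the message's test against the bash found on PATH.
# stderr is merged into stdout so warning lines reach classify_output.
run_check() {
    if ! command -v bash >/dev/null 2>&1; then
        echo unknown
        return 0
    fi
    out=$(env x='() { :;}; echo vulnerable' bash -c "echo this is a test" 2>&1) || true
    classify_output "$out"
}

# Constructed sample outputs (not captured from a real host).
SAMPLE_BAD='vulnerable
this is a test'
SAMPLE_GOOD_WARNING="bash: warning: x: ignoring function definition attempt
bash: error importing function definition for \`x'
this is a test"
SAMPLE_GOOD_SILENT='this is a test'

# Stand-alone usage: print the verdict for this host.
echo "CVE-2014-6271 check on $(hostname 2>/dev/null || echo localhost): $(run_check)"
```

Because the verdict is a single word on stdout, the script can be run over a fleet with ssh and the results collected without any parsing beyond a string compare; a "patched" verdict only covers the original CVE-2014-6271 test, so keep applying the vendor's later bash updates as well.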