29 Sep
2014
6:58 a.m.
On 2014-09-28 15:47, Subrosa.io wrote:
I think this vulnerability should have been discovered with any kind of basic fuzzing.
If I understand the vulnerability correctly, it occurs in very specific circumstances, namely trailing data at the end of a function definition that's transported in an environment variable. In that case, I'd venture that *no* kind of "basic fuzzing" could have uncovered this; the proportion of ShellShock-inducing environment variable definitions among all possible environment variables is simply too small. What you would need instead is very specific syntax-directed fuzzing, and even then I'm not sure that you have a decent chance of discovering this without knowing already that it's there.

Fun,
Stephan
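The contrast Stephan draws, unstructured fuzzing versus syntax-directed fuzzing of exported-function environment variables, can be made concrete. The script below is an added example and is not part of the mailing-list thread or of anything its participants wrote. It generates environment-variable values two ways (random printable strings, and values built from the shape bash's function-import code recognises: a `() {` prefix, a brace-delimited body, and trailing data after the closing brace), counts how often each generator produces the triggering shape, and, if a bash binary is reachable, runs it with such a value in its environment to see whether the trailing command is executed at startup. The `BASH_BIN` environment variable, the `FUZZ_ENV` variable name and the `SHELLSHOCK_CANARY` marker are assumptions of this example, not names from the thread.

```python
"""Added example: unstructured vs. syntax-directed fuzzing of bash function exports."""
import os
import random
import string
import subprocess

# Assumptions of this example: which bash to probe, and the canary we look for.
BASH_BIN = os.environ.get("BASH_BIN", "/bin/bash")
CANARY = "SHELLSHOCK_CANARY"
ALPHABET = string.ascii_letters + string.digits + string.punctuation + " "


def has_function_export_trailer(value: str) -> bool:
    """True if `value` looks like an exported function with data after its body.

    This is the shape the bug needs: a '() {' prefix, a body closed by the
    matching '}', and then something else that a vulnerable bash would parse
    and run while importing the function from the environment.
    """
    if not value.startswith("() {"):
        return False
    depth = 0
    for i, ch in enumerate(value):
        if ch == "{":
            depth += 1
        elif ch == "}":
            depth -= 1
            if depth == 0:
                # Anything non-blank after the closing brace is the trailer.
                return value[i + 1:].strip() != ""
    return False  # unterminated body: not a complete function definition


def random_env_value(rng: random.Random, length: int = 24) -> str:
    """Unstructured fuzzing: a random printable string of fixed length."""
    return "".join(rng.choice(ALPHABET) for _ in range(length))


def syntax_directed_value(rng: random.Random, canary: str = CANARY) -> str:
    """Syntax-directed fuzzing: always emit the function-export grammar plus a trailer."""
    body = rng.choice([":", "true", "x=1", "echo in_body", "{ :; }"])
    return f"() {{ {body}; }}; echo {canary}"


def shape_hit_rate(generator, n: int, seed: int = 0) -> float:
    """Fraction of `n` generated values that have the triggering shape."""
    rng = random.Random(seed)
    hits = sum(1 for _ in range(n) if has_function_export_trailer(generator(rng)))
    return hits / n


def bash_imports_trailing_command(value: str, canary: str = CANARY, bash: str = BASH_BIN):
    """Run `bash -c :` with `value` in its environment and report whether the canary appeared.

    Returns True (trailer executed at startup), False (ignored), or None if bash
    could not be run here. A patched bash prints nothing but a warning on stderr.
    """
    env = {"PATH": os.environ.get("PATH", "/usr/bin:/bin"), "FUZZ_ENV": value}
    try:
        proc = subprocess.run([bash, "-c", ":"], env=env, capture_output=True,
                              text=True, timeout=5)
    except (FileNotFoundError, subprocess.TimeoutExpired, PermissionError):
        return None
    return canary in proc.stdout


if __name__ == "__main__":
    n = 5000
    print(f"random values with triggering shape:          {shape_hit_rate(random_env_value, n):.4f}")
    print(f"syntax-directed values with triggering shape: {shape_hit_rate(syntax_directed_value, n):.4f}")
    sample = syntax_directed_value(random.Random(1))
    print(f"probe value: {sample!r}")
    print(f"bash at {BASH_BIN} runs the trailer: {bash_imports_trailing_command(sample)}")
```

The hit-rate numbers are the point: the random generator essentially never produces a value starting with `() {` followed by a matched brace and a trailer, while the grammar-aware generator produces one every time, which is why a fuzzer has to already encode the function-export syntax to have any chance of reaching this code path. The bash probe is only run from `__main__`; whether it reports True depends entirely on the bash binary on the machine.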