Re: bashing your head against nation-state social engineering
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On 2014-10-03, 23:14, cyryl wrote:
> On 29/09/14 08:58, Stephan Neuhaus wrote:
>> On 2014-09-28 15:47, Subrosa.io wrote:
>>> I think this vulnerability should have been discovered with any kind of basic fuzzing.
>>
>> If I understand the vulnerability correctly, it occurs in very specific circumstances, namely trailing data at the end of a function definition that's transported in an environment variable.
>>
>> In that case, I'd venture that *no* kind of "basic fuzzing" could have uncovered this; the proportion of ShellShock-inducing environment variable definitions among all possible environment variables is simply too small.
>>
>> What you would need instead is very specific syntax-directed fuzzing, and even then I'm not sure that you have a decent chance of discovering this without knowing already that it's there.
>
> To uncover more vulns, lcamtuf fed the fuzzer with the initial state, but then left it there to do the work.
>
> http://lcamtuf.blogspot.nl/2014/10/bash-bug-how-we-finally-cracked.html

Without belittling the effort that's described in this article (after all, they found more vulnerabilities, which is good), I stand by my original point. If you want to fuzz the whole of bash, your chances of uncovering ShellShock are essentially nil. Once you know that function definitions transported in environment variables (a feature that I didn't even know existed, and I've been working with bash since the late '90s) are probably bug-ridden, your work becomes much, much easier.

Fun,

Stephan
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2.0.21 (Darwin)

iQEcBAEBAgAGBQJUL5mlAAoJEE0T/LJL2oHTGxgIAKuBg2aFEesnrAd4qWiGEqfx
0E6SWWkJLkYEGD4gDcMQW5XVUUP45kJdINKZFd/rFY3Ep47VXHJ0zD89XrP4YVHH
+ujQMH4lF7+GLiVZ/tNYZCQ0k/t/9LBUS2bcvjuqIUxlmkzZN8UFFsD1L3/t+HDD
LBAmRi28Z4TOREOdHRga9BdpAKTHy7I4toHoiiA3x1psJxwkqr9WD8C7CLABWCeC
j6Gs1U5gqhCTOg0nz9DV8owuUJG1XqyOwApqC6hf1LZFWzr9WAR0G9Y+Xot4mdlJ
8s9Dkf9iEuN5nJpOPH9Hunhpoaxu8/B/TNYFvRYjE7zac3Icd8Hj3mu0TUc6RwY=
=8VXa
-----END PGP SIGNATURE-----
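The thread describes the trigger shape precisely: an environment variable whose value is a bash function definition with trailing data after the closing brace. The defensive counterpart is to check that shape before an untrusted environment (CGI headers, SSH forced-command variables) ever reaches a shell. The following is an added example written for this page, not code from the thread or from bash; the names (`classify`, `scrub_environment`, `SAMPLE_ENV`) are assumptions, and the `() {` prefix match is a deliberate simplification of bash's own function-export parser, biased toward false positives, which is the safe direction for a filter.

```python
import re
from typing import Dict, List, Tuple

# Legacy bash exported-function format starts with "() {" (assumption: a
# simplified recogniser, not bash's real parser; it deliberately over-matches).
FUNC_EXPORT_PREFIX = re.compile(r"^\s*\(\)\s*\{")


def find_function_end(value: str) -> int:
    """Return the index just past the brace closing the top-level function
    body, or -1 if the braces never balance. Quoting and escaping are ignored
    on purpose: for a defensive filter, over-reporting is acceptable."""
    depth = 0
    for i, ch in enumerate(value):
        if ch == "{":
            depth += 1
        elif ch == "}":
            depth -= 1
            if depth == 0:
                return i + 1
    return -1


def classify(value: str) -> str:
    """Classify one environment value.

    plain                - not a function export at all
    function             - function definition with nothing after the body
    function-trailing    - function definition followed by extra data (the
                           ShellShock trigger shape described in the thread)
    function-unbalanced  - looks like a function export but braces never close
    """
    if not FUNC_EXPORT_PREFIX.match(value):
        return "plain"
    end = find_function_end(value)
    if end == -1:
        return "function-unbalanced"
    if value[end:].strip():
        return "function-trailing"
    return "function"


def scrub_environment(env: Dict[str, str]) -> Tuple[Dict[str, str], List[Tuple[str, str]]]:
    """Drop every function-shaped value from an untrusted environment and
    report what was dropped. Untrusted input has no business exporting bash
    functions at all, so 'function' (no trailing data) is removed too."""
    clean: Dict[str, str] = {}
    findings: List[Tuple[str, str]] = []
    for name, value in env.items():
        kind = classify(value)
        if kind == "plain":
            clean[name] = value
        else:
            findings.append((name, kind))
    return clean, findings


# Constructed sample: what a CGI gateway might build from request headers.
SAMPLE_ENV: Dict[str, str] = {
    "HTTP_ACCEPT": "text/html",
    "HTTP_USER_AGENT": "() { :;}; trailing-data",   # trailing data after the body
    "HTTP_X_LEGIT_FUNC": "() { echo hi; }",          # well-formed export, still dropped
    "HTTP_X_BROKEN": "() { echo hi",                 # braces never close
    "PATH": "/usr/bin:/bin",
}

if __name__ == "__main__":
    clean, findings = scrub_environment(SAMPLE_ENV)
    for name, kind in findings:
        print(f"dropped {name}: {kind}")
    print("passed through:", sorted(clean))
```

Run against `SAMPLE_ENV`, only `HTTP_ACCEPT` and `PATH` survive; the three function-shaped values are reported with their category, so the `function-trailing` case can be alarmed on separately from the merely unexpected exports. A quieter variant would log instead of drop, but since the thread's point is that this trigger shape is vanishingly rare in legitimate traffic, dropping is the cheaper policy.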