Additional Bash Flaws Show Weakness of Original Shellshock Patch

Just as Linux developers and Apple implement a slew of patches for the Shellshock vulnerability in Bash, researchers have developed proof-of-concept test cases for two serious, previously non-public Bash bugs.

The original vulnerability was reported privately and kept under embargo for roughly two weeks to develop a fairly conservative fix. But researcher Michael Zalewski has uncovered the CVE-2014-6278 vulnerability, which replicates the original issue. The payload allows straightforward "put-your-commands-here" remote code execution on systems that are protected only with the original patch.

“Systems that relied solely on the original fix will be vulnerable to attacks and need to be updated again,” Zalewski said in his blog. If systems have been updated with the separate fix from Red Hat engineer Florian Weimer, though, they “are almost certainly not vulnerable to attacks.”

The fallibility of the original patch is “something that we were worried about for a while, and what prompted us to ask people to update again over the past few days,” he added.

The second vulnerability (CVE-2014-7169) convinces the parser to keep looking for a file name for output redirection past the boundary between the untrusted string accepted from the environment and the actual body of the program that Bash is being asked to execute. This means that systems would be at risk of remote code execution in situations where attacker-controlled environment variables are mixed with sanitized, attacker-controlled command-line parameters.
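The practical question for an administrator who applied only the first patch is whether the installed Bash still shows the parser behaviour just described. The following self-check is an added example, not code from the article or from Zalewski; it wraps the widely published CVE-2014-7169 test, which hands Bash an environment-imported function whose body ends in a dangling output redirection and a line continuation. On an unpatched Bash the parser reads past the environment string into the command body, so `echo date` becomes the redirection target and a file named `echo` appears in the working directory; a patched Bash simply prints `date`. The function, temporary directory and result strings are this example's own.

```shell
#!/bin/sh
# Added example: reports whether the local bash still exhibits the
# CVE-2014-7169 redirection bug. Result is printed on stdout as one of
# "vulnerable", "patched" or "no-bash"; exit status is always 0 so the
# function can be used under "set -e".
check_cve_2014_7169() {
    if ! command -v bash >/dev/null 2>&1; then
        echo "no-bash"
        return 0
    fi
    # Work in a fresh temporary directory so the only file that could
    # appear there is the one the bug would create.
    workdir=$(mktemp -d) || { echo "no-bash"; return 0; }
    (
        cd "$workdir" || exit 0
        # The canonical test string: a function body that leaves an output
        # redirection open ("=>") and continues the line with a backslash.
        # stderr is silenced because a patched bash warns that it is
        # ignoring the function definition attempt.
        env 'X=() { (a)=>\' bash -c "echo date" >/dev/null 2>&1
    )
    if [ -f "$workdir/echo" ]; then
        # The command body was consumed as a redirection target: the bug
        # described above is present and the second fix is still needed.
        result="vulnerable"
    else
        result="patched"
    fi
    rm -rf "$workdir"
    echo "$result"
    return 0
}

# Usage: run the check and show the verdict for this host's bash.
check_cve_2014_7169
```

A result of `vulnerable` means the host needs the follow-up update the article refers to; `patched` means the parser no longer crosses the environment/command boundary for this test case.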

“It would probably have been helpful if the questionable nature of the original patch was spotted by any of the notified vendors during the two-week embargo period,” said Zalewski. “That said, I wasn't privy to these conversations - and hindsight is always 20/20.”