CVE-2014-7186 Vulnerability?

  • Everywhere I've read online says that because pfSense doesn't run bash it's not susceptible to some of the shellshock exploits recently.  However, I do believe that packages somehow might include bash and cause pfSense to be vulnerable:

    You can see the basic that we should expect:

    [2.1.5-RELEASE][user@pfsense]/root(22): bash
    bash: Command not found.

    However, if you include the out-of-bounds exploit you can see the overflow still runs… even though the bash command isn't found:

    [2.1.5-RELEASE][user@pfsense]/root(26): bash -c 'true <<eof <<eof="" <<eof'="" ||="" echo="" "i="" am="" vulnerable"<br="">bash: Command not found.
    I am vulnerable</eof>

    Am I wrong?

  • LAYER 8 Netgate

    Yes, you're wrong.

    You're entering the equivalent of false || echo 'I am vulnerable' which will always print the text.  As will jashkjaskasdkjahsd || echo 'I am vulnerable'

    [2.2-RC][root@pfSenseA]/root: jashkjaskasdkjahsd || echo 'I am vulnerable'
    jashkjaskasdkjahsd: Command not found.
    I am vulnerable

  • Yep, you're right.  Thanks for pointing that out.

Log in to reply