CVE-2014-6271 sshの例の攻撃?







You cannot circumvent authentication by exploiting this bug.

But SSH allows you to restrict what commands a user can run, e.g. by using ForceCommand in sshd_config. By exploiting this bug a user can circumvent this restriction and run any command she/he wants.


The bug occurs when bash gets executed with a specially crafted environment variable.

Remote exploitation over SSH is only possible when bash is executed. When the ForceCommand SSH option is in use, that command always gets executed using the login shell of the authenticated user (see the manual page of sshd_config).

Vulnerable configurations include public git services which normally restrict you to just running git commands. With this bug, you would be able to execute shell commands, bypassing the ForceCommand restriction. For a git daemon service, this could mean that you can access all repositories owned by the system user (bypassing access restrictions imposed by, say, gitolite).