Bugzilla – Bug 697808
%pipe% security issue
Last modified: 2017-04-27 07:24:40 PDT
MITRE has assigned CVE-2017-8291 to the shell injection. If the segmentation violation that is seen when executing this sample represents a second security issue, please let me know and I'll be happy to fill in the forms for another CVE.
I think the shell commands are a red herring, the type confusion in .rsdparams is the real issue (missing operand type check), which is used to disable SAFER.
It's a clever exploit. I don't know how I missed the .rsdparams bug when I was searching for missing type checks.
A more minimal testcase would be just 16#0x41414141 .rsdparams.
(see bug 697190 for an older example)
(without the 0x, sorry)
Oh, and .eqproc also needs to be fixed. Fun.
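One defensive check built from the indicators named in this thread (the internal operators .rsdparams and .eqproc, and the %pipe% device), added here as an example that is not part of the bug report or of Ghostscript's own code: it flags PostScript input before it is handed to an interpreter. The sample document and the function name are my own constructions.

```python
import re

# Indicators from this bug: internal operators whose missing operand type
# checks can be abused to disable SAFER, plus the %pipe% device that such a
# document would then reach for. Patterns only match bare name tokens.
INDICATORS = {
    "rsdparams": re.compile(r"(?<![\w.])\.rsdparams(?![\w.])"),
    "eqproc": re.compile(r"(?<![\w.])\.eqproc(?![\w.])"),
    "pipe": re.compile(r"%pipe%"),
}


def scan_postscript(text):
    """Return (line_number, indicator, line) for each line hitting an indicator.

    Whole-line PostScript comments (first non-blank char is '%') are skipped,
    so a mention inside a comment does not count as a hit.
    """
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        if line.lstrip().startswith("%"):
            continue
        for name, pattern in INDICATORS.items():
            if pattern.search(line):
                findings.append((lineno, name, line.strip()))
    return findings


# Constructed sample (hypothetical document, not the report's own sample):
# line 4 is the minimal .rsdparams testcase quoted in the thread.
SAMPLE = """%!PS-Adobe-3.0
% constructed sample document
/Helvetica findfont 12 scalefont setfont
16#41414141 .rsdparams
(%pipe%placeholder) pop
{ } { } .eqproc
showpage
"""

if __name__ == "__main__":
    for lineno, name, line in scan_postscript(SAMPLE):
        print(f"line {lineno}: {name}: {line}")
```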
*** This bug has been marked as a duplicate of bug 697799 ***