2

I have installed Git for Windows with bash shell support. Is it vulnerable to ShellShock?

Refs:

rageit
  • 121
  • 1
  • 4

2 Answers2

2

The article you linked to clearly stated that it was vulnerable. However, it's pretty hard to leverage "shell shock" in "BASH" on Windows for git. You're still restricted to the users permissions, and their git code repository on their file system.

Additionally, there are far fewer attack vectors that exploit shell shock on Windows than on their *nix counterparts. I'd be gobsmacked if I saw a windows process invoke a bash shell.

  • 1
    You are also restricted to the user user invoking bash on *nix. The big difference is that while it's used everywhere on *nix, on Windows it won't be called too much on (some cygwin process). – Ángel Sep 26 '14 at 16:40
  • Could you clarify "restricted to the user user invoking bash"? And to be fair, if you have cygwin installed you will have a whole other instance of BASH on your system, along side the git bash for windows. With the functionality of cygwin, we start to see a lot more danger with running a BASH that is vulnerable to shell shock since the entire file system is accessible to us now. – theCowardlyFrench Sep 26 '14 at 16:59
1

Pretty sure it is. Check with Is there a short command to test if my server is secure against the shellshock bash bug?

Although on windows it is more difficult that an attacker is able to set an environment variable to a malicious value and that bash later gets executed with it.

Ángel
  • 18,188
  • 3
  • 26
  • 63