Slashdot Mirror

← Back to Stories (view on slashdot.org)

Remote Exploit Vulnerability Found In Bash

Posted by Soulskill on from the don't-bash-bash dept.

kdryer39 sends this news from CSO: A remotely exploitable vulnerability has been discovered by Stephane Chazelas in bash on Linux, and it is unpleasant. The vulnerability has the CVE identifier CVE-2014-6271. This affects Debian as well as other Linux distributions. The major attack vectors that have been identified in this case are HTTP requests and CGI scripts. Another attack surface is OpenSSH through the use of AcceptEnv variables. Also through TERM and SSH_ORIGINAL_COMMAND. An environmental variable with an arbitrary name can carry a nefarious function which can enable network exploitation.

15 of 399 comments (clear)

  1. Full Disclosure can be found on oss-security... by Jizzbug · · Score: 5, Informative

    https://marc.info/?l=oss-security&m=141157106132018&w=2

    --

    -=/\- Jizzbug -/\=-
  2. Already fixed in Debian... by msauve · · Score: 5, Informative

    Linky

    --
    "National Security is the chief cause of national insecurity." - Celine's First Law
    1. Re:Already fixed in Debian... by Anonymous Coward · · Score: 2, Informative

      You probably tested with a command line that invokes bash explicitly. dash doesn't even have the feature that this exploit targets.

  3. Test string here: by B5_geek · · Score: 5, Informative

    This is the test to see if you are vulnerable:

    env x='() { :;}; echo vulnerable' bash -c "echo this is a test"

    --
    "The price good men pay for indifference to public affairs is to be ruled by evil men." ~Plato (427-347 BC)
    1. Re:Test string here: by B5_geek · · Score: 5, Informative

      SSH into your host.
      from the bash prompt just paste the above string.

      i.e.
      user@host $env x='() { :;}; echo vulnerable' bash -c "echo this is a test"

      --------------------
      If you see:
      vulnerable
      this is a test
      Then you are vulnerable and need to update your system.

      If all you see is:
      this is a test

      Then you are ok.

      --
      "The price good men pay for indifference to public affairs is to be ruled by evil men." ~Plato (427-347 BC)
    2. Re:Test string here: by chihowa · · Score: 4, Informative

      The (ancient) version of bash that ships with OS X appears vulnerable. Luckily, as a remote exploit, only authenticated ssh sessions and cgi scripts etc expose it, so most single user workstations (of all OSs) should be safe.

      If this is a bash exploit, and not a Linux exploit, why all of the focus on Linux in the article? I use bash on many different OSs.

      --
      If you want a vision of the future, imagine a youtube comments section scrolling - forever.
    3. Re:Test string here: by OzPeter · · Score: 5, Informative

      I just tried it on 2 different version s of OSX: 10.9.4 and 10.7.5 and confirm that they print out the "vulnerable" message

      --
      I am Slashdot. Are you Slashdot as well?
    4. Re:Test string here: by multiplexo · · Score: 4, Informative

      Most sshd daemons aren't configured to accept just any environment variables, they limit exposure with an AcceptEnv directive in the sshd configuration file (/etc/ssh/sshd_config on most Linux versions. This means that

      env x='() { :;}; echo vulnerable' ssh some_user@some_server

      probably won't work on most systems but

      env LC_FRED='() { :;}; echo vulnerable ssh some_user@some_server'

      will if the server is configured to accept the LC_* environment variables with the AcceptEnv directive in sshd_config.

      --
      cheap labor conservatives - they want to keep you hungry enough to be thankful for minimum wage.
  4. Re:So now it's the year of the Linux desktop by CRCulver · · Score: 4, Informative

    You do realize that bash is (nowadays) installed in damned near every *nix out there (though I think HPUX is still holding out.)

    Debian and a few other distros have long since switched to Dash as their /bin/sh. Openwrt uses ash (installing bash would require intentional effort), and I assume that many *nix devices with the Busybox environment in lieu of the traditional GNU toolset also eschew bash. Sure, bash is still common out there, but thankfully not as prominent as a decade ago, and even when present it might not be exposed to an attacking surface.

  5. You are mistaken. No input processing needed by raymorris · · Score: 3, Informative

    > Someone correct me if I'm mistaken, but doesn't this exploit depend on programs not validating input?

    Suppose you have pwd.cgi, which prints the name of the current directory:

    #!/bin/sh
    echo -e "Content-type: text/plain\n\n"
    pwd

    Notice the script uses no input at all. It is potentially vulnerable. Here's why. Suppose you did want to validate your input. You'd look at the contents of $QUERY_STRING, right? You can find what the user entered in the QUERY_STRING environment variable because bash puts it there. That's the step where the problem lies - bash can EXECUTE the contents of the query string while setting the environment variable. This occurs before the user's script even begins to run.

  6. Re:Missing in windows? by _xeno_ · · Score: 4, Informative

    I just updated Cygwin to the latest, and yes, it's still vulnerable. (At least its bash-4.1.10-4 is, I suppose it's possible that the mirror I'm using is out of date.)

    --
    You are in a maze of twisty little relative jumps, all alike.
  7. Not arbitrary variables - QUERY_STRING by raymorris · · Score: 5, Informative

    > Oh I had the same thought....I mean, by the time an "attacker" is modifying arbitrary environment variables in your process, well...you are already pretty compromised. If you wrote your CGI, then you are the one that compromised yourself.

    The contents of the CGI script don't matter. The exploit occurs before the script runs. It happens as bash is setting up the environment in which the script will be run.

    Suppose you have pwd.cgi, which prints the name of the current directory:

    #!/bin/sh
    echo -e "Content-type: text/plain\n\n"
    pwd

    Notice the script uses no input at all. It is potentially vulnerable. Here's why. Suppose you did want to validate your input. You'd look at the contents of $QUERY_STRING, right? You can find what the user entered in the QUERY_STRING environment variable because bash puts it there. That's the step where the problem lies - bash can EXECUTE the contents of the query string while setting the environment variable. This occurs before the user's script even begins to run.

    1. Re:Not arbitrary variables - QUERY_STRING by menkhaura · · Score: 4, Informative

      Setup a local cgi script on your Linux machine. Telnet into its port 80. Assuming your cgi script is at /cgi-bin/test.sh, type the following in the telnet prompt:


      GET /cgi-bin/um.pl HTTP/1.1
      Host: localhost
      Custom: () { :; }; while read -r l; do echo $l; done

      Press ENTER twice after the last header.

      If you don't use a shell builtin, the shell ends with a segfault and Apache shows an error, but the command is executed server-side. Scary.

      --
      Stupidity is an equal opportunity striker.
      Fellow slashdotter Bill Dog
  8. Re:yum: Could not find update match for bash by sosume · · Score: 3, Informative

    sudo mv /bin/bash /bin/woosh

  9. Detailed info from RedHat by Beeftopia · · Score: 3, Informative

    Example attacks are listed on Red Hat's security blog.