Remote Exploit Vulnerability Found In Bash

← Back to Stories (view on slashdot.org)

Remote Exploit Vulnerability Found In Bash

Posted by Soulskill on Wednesday September 24, 2014 @05:12AM from the don't-bash-bash dept.

kdryer39 sends this news from CSO: A remotely exploitable vulnerability has been discovered by Stephane Chazelas in bash on Linux, and it is unpleasant. The vulnerability has the CVE identifier CVE-2014-6271. This affects Debian as well as other Linux distributions. The major attack vectors that have been identified in this case are HTTP requests and CGI scripts. Another attack surface is OpenSSH through the use of AcceptEnv variables. Also through TERM and SSH_ORIGINAL_COMMAND. An environmental variable with an arbitrary name can carry a nefarious function which can enable network exploitation.

6 of 399 comments (clear)

Min score:

Reason:

Sort:

Full Disclosure can be found on oss-security... by Jizzbug · 2014-09-24 05:17 · Score: 5, Informative

https://marc.info/?l=oss-security&m=141157106132018&w=2

--

-=/\- Jizzbug -/\=-
Already fixed in Debian... by msauve · 2014-09-24 05:28 · Score: 5, Informative

Linky

--
"National Security is the chief cause of national insecurity." - Celine's First Law
Test string here: by B5_geek · 2014-09-24 05:41 · Score: 5, Informative

This is the test to see if you are vulnerable: env x='() { :;}; echo vulnerable' bash -c "echo this is a test"

--
"The price good men pay for indifference to public affairs is to be ruled by evil men." ~Plato (427-347 BC)
1. Re:Test string here: by B5_geek · 2014-09-24 06:00 · Score: 5, Informative
  
  SSH into your host.
  from the bash prompt just paste the above string.
  i.e.
  user@host $env x='() { :;}; echo vulnerable' bash -c "echo this is a test"
  --------------------
  If you see:
  vulnerable
  this is a test
  Then you are vulnerable and need to update your system.
  If all you see is:
  this is a test
  Then you are ok.
  
  --
  "The price good men pay for indifference to public affairs is to be ruled by evil men." ~Plato (427-347 BC)
2. Re:Test string here: by OzPeter · 2014-09-24 06:22 · Score: 5, Informative
  
  I just tried it on 2 different version s of OSX: 10.9.4 and 10.7.5 and confirm that they print out the "vulnerable" message
  
  --
  I am Slashdot. Are you Slashdot as well?
Not arbitrary variables - QUERY_STRING by raymorris · 2014-09-24 07:29 · Score: 5, Informative

> Oh I had the same thought....I mean, by the time an "attacker" is modifying arbitrary environment variables in your process, well...you are already pretty compromised. If you wrote your CGI, then you are the one that compromised yourself.
The contents of the CGI script don't matter. The exploit occurs before the script runs. It happens as bash is setting up the environment in which the script will be run.
Suppose you have pwd.cgi, which prints the name of the current directory:
#!/bin/sh
echo -e "Content-type: text/plain\n\n"
pwd
Notice the script uses no input at all. It is potentially vulnerable. Here's why. Suppose you did want to validate your input. You'd look at the contents of $QUERY_STRING, right? You can find what the user entered in the QUERY_STRING environment variable because bash puts it there. That's the step where the problem lies - bash can EXECUTE the contents of the query string while setting the environment variable. This occurs before the user's script even begins to run.