SoylentNews is people

posted by n1 on Thursday September 25 2014, @01:59AM
from the well,-that's-not-ideal dept.

Ars reports that a new bug has been found in GNU Bash that allows remote attackers to execute arbitrary code: Bash processes trailing strings after function definitions in the values of environment variables.

This bug is reported to be present in RHEL (ver 4 through 7), Fedora, CentOS (ver 5 through 7), Ubuntu (ver 10.04 LTS, 12.04 LTS, and 14.04 LTS), Debian, and even OS X Mavericks.

This bug is exploitable through Apache servers with mod_cgi and mod_cgid loaded, OpenSSH, malicious DHCP servers in a compromised wireless access point through dhclient, as well as the CUPS printing system.

The Ars article also includes a simple one-liner that will test your setup for the newly discovered bug:

env x='() { :;}; echo vulnerable' bash -c "echo this is a test"

A vulnerable system will output the following:

vulnerable
this is a test

While a patched or unaffected system outputs:

bash: warning: x: ignoring function definition attempt
bash: error importing function definition for `x'
this is a test

A patch is already out, so administrators are advised to update Bash.

Editor's Update: Security Engineer Tavis Ormandy has said "The bash patch seems incomplete to me, function parsing is still brittle".

$ env X='() { (a)=>\' sh -c "echo date"; cat echo
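
The two test commands above, wrapped as a reusable check (an added example, not part of the original story or of the Ars article): it runs each command against a given shell binary, classifying the first by its stdout and the second by whether a file named echo appears in a scratch directory. The function names and result strings are this example's own.

```shell
#!/bin/sh
# Added example (not from the story): wraps the two test commands quoted above.
# Function names and result strings are this example's own choices.

# Classify captured stdout of the first one-liner. Only stdout is used, so the
# result does not depend on whether the shell prints the "ignoring function
# definition attempt" warning on stderr.
classify_output() {
    if printf '%s\n' "$1" | grep -qx 'vulnerable'; then
        echo vulnerable          # trailing command after the function body ran
    elif printf '%s\n' "$1" | grep -q 'this is a test'; then
        echo not-vulnerable
    else
        echo inconclusive        # shell missing or did not run at all
    fi
}

# $1 = absolute path of the shell binary to test.
check_function_import() {
    [ -x "$1" ] || { echo inconclusive; return 0; }
    out=$(env x='() { :;}; echo vulnerable' "$1" -c "echo this is a test" 2>/dev/null) || true
    classify_output "$out"
}

# Second command from the story (the Editor's Update). It is run in a scratch
# directory; a file named "echo" appearing there means the parser still
# mis-handled the variable's value.
check_incomplete_patch() {
    [ -x "$1" ] || { echo inconclusive; return 0; }
    dir=$(mktemp -d) || { echo inconclusive; return 0; }
    ( cd "$dir" && env X='() { (a)=>\' "$1" -c "echo date" >/dev/null 2>&1 ) || true
    if [ -e "$dir/echo" ]; then result=vulnerable; else result=not-vulnerable; fi
    rm -rf "$dir"
    echo "$result"
}

# Usage: sh check.sh /bin/bash /bin/sh ...   (no arguments: nothing is run)
for shell_path in "$@"; do
    echo "$shell_path: function-import=$(check_function_import "$shell_path")" \
         "incomplete-patch=$(check_incomplete_patch "$shell_path")"
done
```

Pass absolute paths, since the second check changes directory before running the shell under test.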

 
  • (Score: 1, Insightful) by Anonymous Coward on Thursday September 25 2014, @01:01AM

    by Anonymous Coward on Thursday September 25 2014, @01:01AM (#97990)

    This was in my updates already today!
    Now if this bug was in Windows, Adobe or Java - it would still be unfixed after 3 years.

  • (Score: 0) by Anonymous Coward on Thursday September 25 2014, @01:18AM

    by Anonymous Coward on Thursday September 25 2014, @01:18AM (#97998)

    only insensitive clods expose java to the internetz. And I don't even expose the other two: I have linux, and no flash, and pdf.js.

    • (Score: 0) by Anonymous Coward on Thursday September 25 2014, @01:26AM

      by Anonymous Coward on Thursday September 25 2014, @01:26AM (#98001)

      Do you use a distro that has already switched to systemd? Do you know if it's safe yet?

      • (Score: 0) by Anonymous Coward on Thursday September 25 2014, @01:43AM

        by Anonymous Coward on Thursday September 25 2014, @01:43AM (#98007)

        no, but I guess it's safer, because:

        1. isolation. although being called monolithic, systemd does lots of cgroups stuff and so on.
        2. non-root X. X is the goatse of display managers. nonrooting it mitigates that.

        and it's safe because:

        3. it's "only" a PID 1. It's not exposed to the internet directly. If you have access to nonpriv'd users, you can already install a permanent keylogger (for them) in desktop linux.

        • (Score: 2) by Geotti on Thursday September 25 2014, @12:53PM

          by Geotti (1146) on Thursday September 25 2014, @12:53PM (#98189) Journal

          it's safe because [...] it's not exposed to the internet directly [emphasis added]

          I'll copy that to my notebook as quote of the year. Right next line after "They can spy all they want, I've got nothing to hide."

  • (Score: 2) by Tork on Thursday September 25 2014, @04:10AM

    by Tork (3914) Subscriber Badge on Thursday September 25 2014, @04:10AM (#98086)
    "This exploit shows how great my choice of OS is!". Mmm hm.
    --
    🏳️‍🌈 Proud Ally 🏳️‍🌈
    • (Score: 2) by Geotti on Thursday September 25 2014, @12:56PM

      by Geotti (1146) on Thursday September 25 2014, @12:56PM (#98191) Journal

      You think DOS doesn't have exploits?

      • (Score: 3, Insightful) by Tork on Thursday September 25 2014, @04:04PM

        by Tork (3914) Subscriber Badge on Thursday September 25 2014, @04:04PM (#98286)
        Are you going to skip patching your machine because DOS has exploits?
        --
        🏳️‍🌈 Proud Ally 🏳️‍🌈
        • (Score: 2) by Geotti on Saturday September 27 2014, @12:33PM

          by Geotti (1146) on Saturday September 27 2014, @12:33PM (#98878) Journal

          I don't like explaining jokes, so I'll just leave it at "whoosh!"

          • (Score: 2) by Tork on Sunday September 28 2014, @02:03AM

            by Tork (3914) Subscriber Badge on Sunday September 28 2014, @02:03AM (#99036)
            Ah... "I meant to do that.". Got it.
            --
            🏳️‍🌈 Proud Ally 🏳️‍🌈
    • (Score: 2, Interesting) by Hairyfeet on Thursday September 25 2014, @04:30PM

      by Hairyfeet (75) <{bassbeast1968} {at} {gmail.com}> on Thursday September 25 2014, @04:30PM (#98300) Journal

      Gotta just love the logic disconnect, how they scream about every Windows bug but fucking cheer when they get yet more proof that "many eyes" is a load of horseshit...how many billions did heartbleed cost the planet? I rest my case. And folks wonder why I call 'em FOSSies, only ones more batshit are the Appleites, whom I've actually seen defend "you're holding it wrong" as a mark of superior design LOL!

      So can we officially call "many eyes" a myth that is busted now? Because there is not a single piece of software in Linux that has had more view the code than Bash and today we saw that was worth exactly jack and squat, because the simple fact is it requires eyes that can not ONLY do low level debug of the software itself but ALSO of anything it calls AND redoing the whole thing with each change and as we have seen that just ain't happening. IRL everybody is just assuming "well somebody HAD to have done it" but nobody can actually name these mythical somebodies. Source code isn't magical, and I bet my last dollar if one was to look at how many times the source is downloaded for all the little pieces that make up your average Linux distro probably half of it is NEVER looked at by anybody but the guys that actually support it.

      Show of hands, how many here have done a code audit of Gimp? Libre Office? Anybody here done a security audit of the Gecko engine that powers Firefox? And just think those are the most popular ones and for every one of those you have 30 "googly eyes" and font managers and other unsexy crap nobody ever thinks about. Many eyes probably worked....in 1993 when the entire OS along with the source fit on a single floppy, now that the kernel alone is something like 10 million LOC? Not a chance in hell, it's a myth.

      --
      ACs are never seen so don't bother. Always ready to show SJWs for the racists they are.
      • (Score: 3) by No.Limit on Thursday September 25 2014, @05:54PM

        by No.Limit (1965) on Thursday September 25 2014, @05:54PM (#98340)

        I kinda agree with you that non-FOSS software gets bashed too hard over security holes (though with non-FOSS software you have no chance to fix it, while with FOSS software you can. Whether one is more secure than the other is quite hard to tell).

        However, doing a conclusion from just one horrific example just isn't scientific. So no, the 'many eyes' myth isn't busted now.
        It's much rather the case that the 'many eyes' argument isn't even proven in the first place. So we can simply see it as a theory that sounds logical, but isn't necessarily true. And here we have another indicator against it.

        Technically, all we can say is that neither FOSS nor non-FOSS software is secure. But that's not really useful for people that want to compare the security of the two ideologies.

        • (Score: 2) by Hairyfeet on Friday September 26 2014, @12:22AM

          by Hairyfeet (75) <{bassbeast1968} {at} {gmail.com}> on Friday September 26 2014, @12:22AM (#98446) Journal

          It doesn't even SOUND logical if you take more than 5 seconds to think about it, yet it's trotted out as a fucking FEATURE of Linux and FOSS! Right now the plans for the MIG15 are online, why don't you build me one and have it ready by Thursday....what is that? you don't have the skills nor the manpower? DING DING DING we have a winner johnny!

          Handing somebody like ohh say me or you, whom I assume don't have a masters in CompSci and 15+ years in low level C coding under your belt? Worthless, completely fucking worthless, yet because Joe "I don't know jack shit more than I learnt in that VB class I took 15 years ago" Blow can download the source for bash this somehow magically means that somebody with the skills of a Bruce Schneier has done and continues to do in depth code audits of the same code.....WTF? this is as batshit as saying "Because vampires COULD exist and there are people that disappear forever each year that means vampires DO exist and are turning people"....doesn't matter that we have exactly ZERO evidence this is going on, no proof whatsoever that this is happening, the simple fact that it COULD happen means that it IS happening.

          So I'm sorry but they can waste modpoints all they want I'm throwing a flag, delusional bullshit on the field! We have seen exactly ZERO evidence of "many eyes" happening and a mountain of evidence that many eyes is bullshit, because if it were real why are there major exploitable bugs being found in this software that if many eyes were real should have been vetted a hundred times over...hmm? Remember folks source code isn't magical despite what the more batshit FOSSies would have you believe, it doesn't magically perform code audits on itself, it doesn't magically give you the skills to debug itself AND the things it calls AND anything calling it, in fact we can only show with any certainty ONE and only ONE benefit to having source and that is the fact that IF a piece of software is abandoned AND you can build up a team to support it you CAN keep it afloat. We have evidence of this with KDE 3 so this is something we can say with certainty is possible? many eyes? We have the same amount of evidence for many eyes being real as we do for alien abduction, namely anecdotes and bullshit.

          --
          ACs are never seen so don't bother. Always ready to show SJWs for the racists they are.
  • (Score: 2) by choose another one on Thursday September 25 2014, @08:02AM

    by choose another one (515) Subscriber Badge on Thursday September 25 2014, @08:02AM (#98129)

    You do know, having looked at the vulnerable versions, that this bug is over 20 years old, right ?

  • (Score: 0) by Anonymous Coward on Thursday September 25 2014, @09:03PM

    by Anonymous Coward on Thursday September 25 2014, @09:03PM (#98407)

    You mean the various patches that have been found not to actually fix it?

    This isn't a fucking ego-trip about OS or a circle-jerk about how fucking *wonderful* your facile choice of OS is. This is a bug that affects about twenty accumulative years' worth of Unix OSs (and any Windows that happens to have Bash on it as well). It's to be fixed, not to be used by some smug adolescent prick to fallaciously justify his choice of OS as wank fodder.

    Grow the fucking hell up, for God's sake. Seriously, and without any intent towards flamebait, just fucking Grow. Up. You're pathetic.