Ars reports that a new bug has been found in GNU Bash allows remote attackers to execute arbitrary code by setting the process trailing strings after function definitions in the values of environment variables.
This bug is reported to be present in RHEL (ver 4 through 7), Fedora, CentOS (ver 5 through 7), Ubuntu (ver 10.04 LTS, 12.04 LTS, and 14.04 LTS), Debian, and even OS X Mavericks.
This bug is exploitable through Apache servers with mod_cgi and mod_cgid loaded, OpenSSH, malicious DHCP servers in a compromised wireless access point through dhclient, as well as the CUPS printing system.
The Ars also includes a simple single liner that will test your setup for the newly found discovery:
env x='() { :;}; echo vulnerable' bash -c "echo this is a test"
A vulnerable system will output the following:
vulnerable
this is a test
While a patched or unaffected system outputs:
bash: warning: x: ignoring function definition attempt
bash: error importing function definition for `x'
this is a test
A patch is already out, so administrators are advised to update Bash.
Editor's Update: Security Engineer Tavis Ormandy has said "The bash patch seems incomplete to me, function parsing is still brittle".
$ env X='() { (a)=>\' sh -c "echo date"; cat echo
(Score: 0) by Anonymous Coward on Thursday September 25 2014, @01:18AM
only insensitive clods expose java to the internetz. And I don't even expose the other two: I have linux, and no flash, and pdf.js.
(Score: 0) by Anonymous Coward on Thursday September 25 2014, @01:26AM
Do you use a distro that has already switched to systemd? Do you know if it's safe yet?
(Score: 0) by Anonymous Coward on Thursday September 25 2014, @01:43AM
no, but I guess its safer, because:
1. isolation. although being called monolithic, systemd does lots of cgroups stuff and so on.
2. non-root X. X is the goatse of display managers. nonrooting it mitigates that.
and its safe because:
3. its "only" a PID 1. Its not exposed to the internet directly. If you have access to nonpriv'd users, you can already install a permanent keylogger (for them) in desktop linux.
(Score: 2) by Geotti on Thursday September 25 2014, @12:53PM
it's safe because [...] it's not exposed to the internet directly [emphasis added]
I'll copy that to my notebook as quote of the year. Right next line after "They can spy all they want, I've got nothing to hide."