Stories
Slash Boxes
Comments

SoylentNews is people

posted by n1 on Thursday September 25 2014, @01:59AM   Printer-friendly
from the well,-that's-not-ideal dept.

Ars reports that a new bug has been found in GNU Bash allows remote attackers to execute arbitrary code by setting the process trailing strings after function definitions in the values of environment variables.

This bug is reported to be present in RHEL (ver 4 through 7), Fedora, CentOS (ver 5 through 7), Ubuntu (ver 10.04 LTS, 12.04 LTS, and 14.04 LTS), Debian, and even OS X Mavericks.

This bug is exploitable through Apache servers with mod_cgi and mod_cgid loaded, OpenSSH, malicious DHCP servers in a compromised wireless access point through dhclient, as well as the CUPS printing system.

The Ars also includes a simple single liner that will test your setup for the newly found discovery:

env x='() { :;}; echo vulnerable' bash -c "echo this is a test"

A vulnerable system will output the following:

vulnerable
 this is a test

While a patched or unaffected system outputs:

bash: warning: x: ignoring function definition attempt
bash: error importing function definition for `x'
this is a test

A patch is already out, so administrators are advised to update Bash.

Editor's Update: Security Engineer Tavis Ormandy has said "The bash patch seems incomplete to me, function parsing is still brittle".

$ env X='() { (a)=>\' sh -c "echo date"; cat echo

 
This discussion has been archived. No new comments can be posted.
Display Options Threshold/Breakthrough Mark All as Read Mark All as Unread
The Fine Print: The following comments are owned by whoever posted them. We are not responsible for them in any way.
  • (Score: 5, Insightful) by Anonymous Coward on Thursday September 25 2014, @01:24AM

    by Anonymous Coward on Thursday September 25 2014, @01:24AM (#98000)

    I'll be honest, this scares the living shit out of me.

    Here we have bash, one of the oldest, most widely used pieces of GNU software out there. It's mature, it has seen lots of use, and its code has been picked through for decades now, yet still a serious bug like this can exist in it.

    If software as mature and inspected as bash can have a flaw like this, then just think how many flaws could exist in newer and much less mature, yet still foundational, software like, say, systemd.

    The major distros need to say "STOP!" to the efforts to integrate systemd. Especially Debian. Nobody should be integrating software like systemd into a distro until it has gone a very thorough review.

    If Fedora and Red Hat really feel the need to integrate systemd, then let them. Let their users suffer first. But Debian and Ubuntu users should not be subjected to systemd until it is a proven technology, if it even ever manages to get to that point.

    Bash has long been thought to be a stable, robust, reliable piece of software. And generally it has been. But if even it can have serious flaws like this, it really should make us all think twice or even thrice about using systemd.

    Starting Score:    0  points
    Moderation   +5  
       Insightful=4, Interesting=1, Total=5
    Extra 'Insightful' Modifier   0  

    Total Score:   5  
  • (Score: 2) by Nerdfest on Thursday September 25 2014, @02:01AM

    by Nerdfest (80) on Thursday September 25 2014, @02:01AM (#98017)

    Not just serious, but quite simple and easily exploitable. The funny this is that almost all the buffer overflows, bounds checks, unterminated string checks, etc, had been found, then something silly and obvious like this pops up. AT least we can be thankful that it's patched quickly.

    • (Score: 0) by Anonymous Coward on Thursday September 25 2014, @08:55AM

      by Anonymous Coward on Thursday September 25 2014, @08:55AM (#98138)
      how exploitable is it really?

      If it's remotely exploitable via dhclient I'd consider it an exploit in dhclient than bash.

      Same for openssh.
      • (Score: 3, Insightful) by Geotti on Thursday September 25 2014, @01:03PM

        by Geotti (1146) on Thursday September 25 2014, @01:03PM (#98195) Journal

        It's exploitable via user interaction. Do you consider this to be an exploit in our DNA now?

        SSHd, CGI & co. are vectors. The bug is in bash.

    • (Score: 2) by fnj on Friday September 26 2014, @09:33AM

      by fnj (1654) on Friday September 26 2014, @09:33AM (#98523)

      AT least we can be thankful that it's patched quickly.

      Yes, maybe we COULD be thankful, except for one itsy bitsy problem. The patch doesn't fucking fix the vulnerability.

      • (Score: 2) by Nerdfest on Friday September 26 2014, @03:09PM

        by Nerdfest (80) on Friday September 26 2014, @03:09PM (#98587)

        the first one fixed some, but was brittle. It's patched now and the release is still faster than what you'd see with any other OS I think.

  • (Score: 0) by Anonymous Coward on Thursday September 25 2014, @02:01AM

    by Anonymous Coward on Thursday September 25 2014, @02:01AM (#98018)

    Hey, a rant from an Anonymous Coward! We should all pay attention!

    • (Score: 0) by Anonymous Coward on Thursday September 25 2014, @02:06AM

      by Anonymous Coward on Thursday September 25 2014, @02:06AM (#98024)

      Yes, you're right, we should pay attention. Everything the GP says is correct.

      • (Score: 1, Insightful) by Anonymous Coward on Thursday September 25 2014, @02:10AM

        by Anonymous Coward on Thursday September 25 2014, @02:10AM (#98028)

        Everything he says if FUD with no substance.

        • (Score: 0) by Anonymous Coward on Thursday September 25 2014, @02:13AM

          by Anonymous Coward on Thursday September 25 2014, @02:13AM (#98031)

          Wrong-o, my dear friend. Bash is mature software. Systemd is young, immature software. If Bash can suffer from defects like this, then so can Systemd. We are more likely to find a problem in Systemd because it hasn't been checked as extensively as Bash has been. That earlier commenter is right: this is a dangerous situation and we all should be very worried!

          • (Score: 0) by Anonymous Coward on Thursday September 25 2014, @02:18AM

            by Anonymous Coward on Thursday September 25 2014, @02:18AM (#98035)

            In that case, you should be worried to turn on your computer at all.

            • (Score: 0) by Anonymous Coward on Thursday September 25 2014, @02:24AM

              by Anonymous Coward on Thursday September 25 2014, @02:24AM (#98037)

              I was so worried that I installed OpenBSD earlier today. I'm done with Linux. I'm done with the risk of systemd. I'm done with bash. I'm only using OpenBSD from now on, because I value my security.

              • (Score: 0) by Anonymous Coward on Thursday September 25 2014, @03:29AM

                by Anonymous Coward on Thursday September 25 2014, @03:29AM (#98065)

                if you are unable to use linux without systemd, i pity you

                • (Score: 0) by Anonymous Coward on Thursday September 25 2014, @03:34AM

                  by Anonymous Coward on Thursday September 25 2014, @03:34AM (#98069)

                  I'm about to switch to FreeBSD, too. I don't want to install Debian on my new system only to find out a couple of months from now that an upgrade will unexpectedly install systemd and my system will be busted. Even the risk of systemd eventually getting installed is just too great. At least I know that the BSD devs won't be stupid enough to adopt it.

                  • (Score: 0) by Anonymous Coward on Thursday September 25 2014, @06:54AM

                    by Anonymous Coward on Thursday September 25 2014, @06:54AM (#98118)

                    Oh yeah? Well I just installed M$ DOS 1.0 and it's WONDERFUL!!111

                    • (Score: 0) by Anonymous Coward on Thursday September 25 2014, @11:48AM

                      by Anonymous Coward on Thursday September 25 2014, @11:48AM (#98163)

                      At least it doesn't include systemd. That makes it better than Fedora.

                    • (Score: 0) by Anonymous Coward on Thursday September 25 2014, @01:38PM

                      by Anonymous Coward on Thursday September 25 2014, @01:38PM (#98213)

                      Really? It can read your SATA HDD? It can read your USB sticks? Do you even have a floppy disk drive to boot from? (Are 3.5" floppy disk drives actually supported by MS DOS 1.0, or do you need a 5.25" one?)

                      • (Score: 2) by cafebabe on Thursday September 25 2014, @01:53PM

                        by cafebabe (894) on Thursday September 25 2014, @01:53PM (#98218) Journal

                        (Are 3.5" floppy disk drives actually supported by MS DOS 1.0, or do you need a 5.25" one?)

                        They look the same to a host.

                        --
                        1702845791×2
              • (Score: 2) by tangomargarine on Thursday September 25 2014, @02:38PM

                by tangomargarine (667) on Thursday September 25 2014, @02:38PM (#98248)

                Because I'm sure dash or csh or zsh or whatever is so much more secure and well-written than bash...

                --
                "Is that really true?" "I just spent the last hour telling you to think for yourself! Didn't you hear anything I said?"
                • (Score: 2) by FatPhil on Thursday September 25 2014, @06:59PM

                  by FatPhil (863) <{pc-soylent} {at} {asdf.fi}> on Thursday September 25 2014, @06:59PM (#98365) Homepage
                  Even without inspecting the code, I'm sure that dash and zsh are indeed more secure than bash.

                  How do I know this with the certainty that I do? Because the rate of bugs per line of code is remarkably constant, and there's more code in bash, so likely more bugs.
                  --
                  Great minds discuss ideas; average minds discuss events; small minds discuss people; the smallest discuss themselves
    • (Score: 2) by tangomargarine on Thursday September 25 2014, @02:35PM

      by tangomargarine (667) on Thursday September 25 2014, @02:35PM (#98243)

      If you automatically dismiss every post from an AC, you'll miss out on a few gems. Can't we quit it with the "AC STFU" knee-jerk reactions already?

      --
      "Is that really true?" "I just spent the last hour telling you to think for yourself! Didn't you hear anything I said?"
      • (Score: 2) by fnj on Friday September 26 2014, @09:39AM

        by fnj (1654) on Friday September 26 2014, @09:39AM (#98524)

        We'll quit dissing no-account cowards when the lazy bums get off their ass and sign up for an account, and then put their fragile egos on the line by making signed posts.

        P.S., I do read cowards because I don't want to hide safely behind mommy's apron. But I will never quit making fun of the sniveling lightweights.

    • (Score: 2) by FatPhil on Thursday September 25 2014, @07:44PM

      by FatPhil (863) <{pc-soylent} {at} {asdf.fi}> on Thursday September 25 2014, @07:44PM (#98378) Homepage
      Calm down, Lennart!
      --
      Great minds discuss ideas; average minds discuss events; small minds discuss people; the smallest discuss themselves
  • (Score: 3, Interesting) by NotInHere on Thursday September 25 2014, @02:10AM

    by NotInHere (4753) on Thursday September 25 2014, @02:10AM (#98029)

    Back in the time bash was written, we didn't know that security holes are this important. Or nobody had in mind their software gets used in 2014. X for example had some issues with >4G buffers being exchanged. In the "who needs more than 64k" era this might have been secure, but now it isn't. New (good) software actually tries to avoid holes. really tries. And we never get most software hole-free. Most important thing is that when a hole is used, we find out about that and fix it very fast.

    • (Score: 3, Insightful) by bd on Thursday September 25 2014, @11:50AM

      by bd (2773) on Thursday September 25 2014, @11:50AM (#98164)

      Much of the development of X was done before the morris worm in 1988, which I think was a pivotal moment in the perception of the importance of security in networked computer systems. The first release of bash was in 1989, after the morris worm, when people knew security holes are important. The core of the GNU system was subject to intense code review attention during the 1990's, when much of its development was done.

      Still, I think the GNU system has one core weakness when compared to e.g. OpenBSD, which would seem to be the willingness to add complexity. GNU utilities always tend to include a large amount of features that are not strictly necessary and a lot of code neccessary to achieve broad portability. That makes code review more complex and increases the likelyhood of something incredibly stupid slipping through. Especially as the complexity of a program that a code reviewer can actually grasp is incredibly small in comparison to typical lines of code in a software project.

      This mindset is not restricted to GNU of course. The transition from Apache 1 to Apache 2 being one example, sendmail, OpenSSL etc. also come to mind here. And systemd fits perfectly into this narrative. A piece of software written in an incredibly complex way for a simple task, at a highly vulnerable position in the overall operating system stack. What could possibly go wrong?

  • (Score: 0) by Anonymous Coward on Thursday September 25 2014, @05:03AM

    by Anonymous Coward on Thursday September 25 2014, @05:03AM (#98094)

    The major distros need to say "STOP!" to the efforts to integrate systemd. Especially Debian. Nobody should be integrating software like systemd into a distro until it has gone a very thorough review.

    If Fedora and Red Hat really feel the need to integrate systemd, then let them. Let their users suffer first. But Debian and Ubuntu users should not be subjected to systemd until it is a proven technology, if it even ever manages to get to that point.

    Bash has long been thought to be a stable, robust, reliable piece of software.

    I don't think anybody was ever under the impression that Bash was a bastion of security. War tested as much as anything common- sure, but there were no illusions about it's level of complexity adding to threat surfaces.

    As for Debuntu- from my understanding, only users who opt for a default desktop configuration in the next major release will see this. I think you ought to take a step back from your rhetoric that makes it sound like everyone is being forced to use systemd. There are a million linux distros out there, not to mention plenty of Debuntu users interested in holding off on systemd for various amounts of time. This isn't like the government mandating a kill switch in phones that users can't opt out of. There is plenty of choice for everyone of our opinion that systemd could use more settling before the levels of adoption that it currently seems to enjoy. Of course, bash bugs like this don't really help systemd's case in that argument IMO. I.e. an init system relying on bash now looks a notch less attractive due to this bug. Which only increases the relative stature of systemd through no aspect of its self.

    • (Score: 2) by MrNemesis on Thursday September 25 2014, @11:56AM

      by MrNemesis (1582) on Thursday September 25 2014, @11:56AM (#98168)

      I did a bare-minimum install from the latest jessie netinstall image the other day and systemd is now in there as default init regardless of whether you choose to install an X server or any DE (and you can't apt-pin it away on a new install like I have on my existing systems).

      IIRC, init scripts on debian have been using /bin/dash as default /bin/sh for quite some time because it's faster and lighter weight than bash.

      --
      "To paraphrase Nietzsche, I have looked into the abyss and been sick in it."
  • (Score: 1) by DNied on Thursday September 25 2014, @10:10AM

    by DNied (3409) on Thursday September 25 2014, @10:10AM (#98150)

    Here we have bash, one of the oldest, most widely used pieces of GNU software out there. It's mature, it has seen lots of use, and its code has been picked through for decades now, yet still a serious bug like this can exist in it.

    Yes, but who uses bash for CGI scripts? The real-world scenarios for this kind of exploit are so limited in practice, that the bug could live in the code for years and not really cause havoc.

    Note how it hasn't been discovered after an attack.

    • (Score: 2) by choose another one on Thursday September 25 2014, @06:32PM

      by choose another one (515) Subscriber Badge on Thursday September 25 2014, @06:32PM (#98350)

      Note that it hasn't been discovered after an attack that we know about.

      Also, exploits are now in the wild and attacks being reported, Git servers currently a known target - guess that is a "limited" real world scenario ?

    • (Score: 2) by FatPhil on Thursday September 25 2014, @06:56PM

      by FatPhil (863) <{pc-soylent} {at} {asdf.fi}> on Thursday September 25 2014, @06:56PM (#98362) Homepage
      Who uses bash for CGI scripts? Anyone who uses perl for CGI scripts that use certain common functions, that's who.

      And just because your script doesn't use them, that doesn't mean that one of the modules you use doesn't contain such code.

      > Note how it hasn't been discovered after an attack.

      That we know of. Ignorance is not bliss.
      --
      Great minds discuss ideas; average minds discuss events; small minds discuss people; the smallest discuss themselves
  • (Score: 2) by Justin Case on Thursday September 25 2014, @11:50AM

    by Justin Case (4239) on Thursday September 25 2014, @11:50AM (#98165) Journal

    But... systemd is NEW and... um... you don't want the Russians to get to the moon before WE do, do you?

    Communist!

  • (Score: 0) by Anonymous Coward on Thursday September 25 2014, @01:26PM

    by Anonymous Coward on Thursday September 25 2014, @01:26PM (#98206)

    >Bash has long been thought to be a stable, robust, reliable piece of software.

    As a scripting language BASH is a POSH that makes it a real pain to write anything other that a | b |c.

    • (Score: 2) by tangomargarine on Thursday September 25 2014, @02:41PM

      by tangomargarine (667) on Thursday September 25 2014, @02:41PM (#98249)

      is a POSH

      Piece of Shit...Head? The only halfway-reasonable results I get from Acronym Finder are "Plain Old Semantic HTML" or "People Of Stupid Habits."

      --
      "Is that really true?" "I just spent the last hour telling you to think for yourself! Didn't you hear anything I said?"
  • (Score: 0) by Anonymous Coward on Thursday September 25 2014, @09:09PM

    by Anonymous Coward on Thursday September 25 2014, @09:09PM (#98408)

    Are you trying to imply that Debian is a "major distro" but Red Hat isn't? I hate to break this to you, but Red Hat is the most profitable distribution out there - one of the very few companies making money out of Linux - while Debian is in commercial terms a total irrelevance. The fact you seem to think that Red Hat are pushing bleeding edge but "Ubuntu users" shouldn't "be subjected" to it is a pretty good sign of your utter ignorance -- RHEL is almost absurdly conservative, while Ubuntu has frequently, and without the slightest compunction, broken users' machines with bleeding edge changes.