Stories
Slash Boxes
Comments

SoylentNews is people

posted by n1 on Thursday September 25 2014, @01:59AM   Printer-friendly
from the well,-that's-not-ideal dept.

Ars reports that a new bug has been found in GNU Bash allows remote attackers to execute arbitrary code by setting the process trailing strings after function definitions in the values of environment variables.

This bug is reported to be present in RHEL (ver 4 through 7), Fedora, CentOS (ver 5 through 7), Ubuntu (ver 10.04 LTS, 12.04 LTS, and 14.04 LTS), Debian, and even OS X Mavericks.

This bug is exploitable through Apache servers with mod_cgi and mod_cgid loaded, OpenSSH, malicious DHCP servers in a compromised wireless access point through dhclient, as well as the CUPS printing system.

The Ars also includes a simple single liner that will test your setup for the newly found discovery:

env x='() { :;}; echo vulnerable' bash -c "echo this is a test"

A vulnerable system will output the following:

vulnerable
 this is a test

While a patched or unaffected system outputs:

bash: warning: x: ignoring function definition attempt
bash: error importing function definition for `x'
this is a test

A patch is already out, so administrators are advised to update Bash.

Editor's Update: Security Engineer Tavis Ormandy has said "The bash patch seems incomplete to me, function parsing is still brittle".

$ env X='() { (a)=>\' sh -c "echo date"; cat echo

 
This discussion has been archived. No new comments can be posted.
Display Options Threshold/Breakthrough Mark All as Read Mark All as Unread
The Fine Print: The following comments are owned by whoever posted them. We are not responsible for them in any way.
  • (Score: 2, Interesting) by Anonymous Coward on Thursday September 25 2014, @01:37AM

    by Anonymous Coward on Thursday September 25 2014, @01:37AM (#98005)

    Jesus Christ. This is a fucking disaster in every way.

    I think it's time for the GNU tools to be rewritten to use C++. Modern C++ let's us write code that's safe, high level (unlike cryptic 1970s-era C code that GNUers seem to love), and just about as efficient and portable as C code.

    GCC is already making the move. It's time for bash, coreutils, and the other projects to get into the present. C may have been the only practical option in the late 1980s, and even into the 1990s. But C++ is now mature, and it's just flat out a better option than C these days.

    Starting Score:    0  points
    Moderation   +2  
       Interesting=2, Total=2
    Extra 'Interesting' Modifier   0  

    Total Score:   2  
  • (Score: 4, Insightful) by Anonymous Coward on Thursday September 25 2014, @02:05AM

    by Anonymous Coward on Thursday September 25 2014, @02:05AM (#98023)

    How would C++ prevent this?

    • (Score: 1, Insightful) by Anonymous Coward on Thursday September 25 2014, @02:25AM

      by Anonymous Coward on Thursday September 25 2014, @02:25AM (#98039)

      It wouldn't in any way. This dude is trippin balls.

      • (Score: 0) by Anonymous Coward on Thursday September 25 2014, @01:29PM

        by Anonymous Coward on Thursday September 25 2014, @01:29PM (#98208)

        I *think* he means use more modern ideas and practices. C++ does not get you that. Avoiding shortcuty language idioms does though. If its not clear it is hard to maintain. Take for example the libressl thing. They are going thru and refactoring. But a lot of what they are doing is yanking out 15 year old C compiler and CRT workarounds. Lots of bad decisions are falling out because of that. Not because of the language they are using. It is the same one.

        Picking one language over another does not get you good practices. In fact some languages teach you bad practices in other languages (ie learning garbage collection and then thinking its ok to do in C++). Each language has its own set of 'best practices'. Either you use them or bitch about them. Bitching gets you nothing other than wasted time.

        This is a case of someone did not sanitize the inputs. This is a problem in almost all languages. It is a design problem. Some languages make it harder to do but they all can do it. Especially when you are at the translation layer in your systems. Most SQL injection attacks do not attack the interpreter but the sql server on the other side by abusing the interpreter because it did not sanitize.

    • (Score: 0) by Anonymous Coward on Thursday September 25 2014, @03:32AM

      by Anonymous Coward on Thursday September 25 2014, @03:32AM (#98068)

      Look at the patch. Look at what it fixes. They missed a case because they were using archaic C coding practices instead of writing modern C++. If that code were written in C++ the unhandled case would have been a lot more obvious and would have been caught during code reviews, before this faulty code went out to millions upon millions of systems across the globe.

      • (Score: 0) by Anonymous Coward on Thursday September 25 2014, @10:45AM

        by Anonymous Coward on Thursday September 25 2014, @10:45AM (#98154)

        If that code were written in C++ the unhandled case would have been a lot more obvious and would have been caught during code reviews

        ROTFL... Pathetic.

  • (Score: 1, Funny) by Anonymous Coward on Thursday September 25 2014, @04:07AM

    by Anonymous Coward on Thursday September 25 2014, @04:07AM (#98081)

    Bjarne please go. Repeating the word "modern" over and over again won't change the fact that C++'s standard is a bloated mess that's almost impossible to implement and full of pitfalls. Besides, if you really cared for modernity you'd be advocating Rust, Go, or D instead.

    • (Score: 0) by Anonymous Coward on Thursday September 25 2014, @12:18PM

      by Anonymous Coward on Thursday September 25 2014, @12:18PM (#98178)

      Rust? Go? D? Really?

      Rust, the language that's perpetually changing, where code you write today probably won't compile tomorrow? No thanks!

      Go, the language with bad garbage collection and an awful syntax? No thanks!

      D, the language with two standard libraries and that nobody actually uses? No thanks!

      C++ is the only practical alternative to C. The languages you've mentioned are just toys.

      • (Score: 2) by tangomargarine on Thursday September 25 2014, @02:49PM

        by tangomargarine (667) on Thursday September 25 2014, @02:49PM (#98255)

        No no, Go is the one with the flying, startled burrito for a mascot.

        --
        "Is that really true?" "I just spent the last hour telling you to think for yourself! Didn't you hear anything I said?"
      • (Score: 2) by edIII on Friday September 26 2014, @01:25AM

        by edIII (791) on Friday September 26 2014, @01:25AM (#98454)

        You scream that C++ has no alternative, but then make the claim about D that has nothing to do with it.

        It's like saying TOR has some fundamental flaw that leads towards poor performance when it's almost purely an issue of participation.

        You offered a better explanation for the others.

        Do you really not want the D?

        --
        Technically, lunchtime is at any moment. It's just a wave function.
  • (Score: 0) by Anonymous Coward on Thursday September 25 2014, @10:23AM

    by Anonymous Coward on Thursday September 25 2014, @10:23AM (#98152)

    I think it's time for the GNU tools to be rewritten to use C++. Modern C++ let's us write code that's safe, high level (unlike cryptic 1970s-era C code that GNUers seem to love), and just about as efficient and portable as C code.

    Bullshit. Obviously, all you know about IT comes from skimming titles on geek news websites (mostly without really understanding them).

    Don't turn in your geek card, because you were never given one.

  • (Score: 2) by tangomargarine on Thursday September 25 2014, @02:44PM

    by tangomargarine (667) on Thursday September 25 2014, @02:44PM (#98251)

    Modern C++ let's us write code that's safe, high level

    Does it also have grammar checking that would've caught that apostrophe?

    --
    "Is that really true?" "I just spent the last hour telling you to think for yourself! Didn't you hear anything I said?"