Stories
Slash Boxes
Comments

SoylentNews is people

Bash Widespread Vulnerability Discovered

posted by n1 on Thursday September 25 2014, @01:59AM   Printer-friendly
from the well,-that's-not-ideal dept.

DECbot writes:

Ars reports that a new bug has been found in GNU Bash allows remote attackers to execute arbitrary code by setting the process trailing strings after function definitions in the values of environment variables.

This bug is reported to be present in RHEL (ver 4 through 7), Fedora, CentOS (ver 5 through 7), Ubuntu (ver 10.04 LTS, 12.04 LTS, and 14.04 LTS), Debian, and even OS X Mavericks.

This bug is exploitable through Apache servers with mod_cgi and mod_cgid loaded, OpenSSH, malicious DHCP servers in a compromised wireless access point through dhclient, as well as the CUPS printing system.

The Ars also includes a simple single liner that will test your setup for the newly found discovery:

env x='() { :;}; echo vulnerable' bash -c "echo this is a test"

A vulnerable system will output the following:

vulnerable
 this is a test

While a patched or unaffected system outputs:

bash: warning: x: ignoring function definition attempt
bash: error importing function definition for `x'
this is a test

A patch is already out, so administrators are advised to update Bash.

Editor's Update: Security Engineer Tavis Ormandy has said "The bash patch seems incomplete to me, function parsing is still brittle".

$ env X='() { (a)=>\' sh -c "echo date"; cat echo

 
This discussion has been archived. No new comments can be posted.
Bash Widespread Vulnerability Discovered | Log In/Create an Account | Top | 119 comments | Search Discussion
Display Options Threshold/Breakthrough Mark All as Read Mark All as Unread
The Fine Print: The following comments are owned by whoever posted them. We are not responsible for them in any way.

  • (Score: 1) by b on Thursday September 25 2014, @01:45AM

    by b (2121) on Thursday September 25 2014, @01:45AM (#98008)

    This was patched in Arch about 10 hours ago, 5 hours before the Ars article was published. I can confirm that the previous version (4.3.024-1) contains the vulnerability, while the new version (4.3.024-2) does not.

  • (Score: 0) by Anonymous Coward on Thursday September 25 2014, @01:46AM

    by Anonymous Coward on Thursday September 25 2014, @01:46AM (#98011)

    Does it contain the vulnerabilities described at https://bugzilla.redhat.com/show_bug.cgi?id=1141597#c23 [redhat.com]?

    • (Score: 1) by J053 on Thursday September 25 2014, @01:55AM

      by J053 (3532) <{dakine} {at} {shangri-la.cx}> on Thursday September 25 2014, @01:55AM (#98015) Homepage
      I don't know about Arch, but this vulnerability is fixed in RHEL 6 and 7 (bash-4.1.2-15.el6_5.1 and bash-4.2.45-5.el7_0.2):

      % env -i  X='() { (a)=>\' bash -c 'echo date'; cat echo
      bash: X: line 1: syntax error near unexpected token `='
      bash: X: line 1: `'
      bash: error importing function definition for `X'
      Wed Sep 24 15:52:11 HST 2014

      • (Score: 5, Informative) by Anonymous Coward on Thursday September 25 2014, @02:03AM

        by Anonymous Coward on Thursday September 25 2014, @02:03AM (#98019)

        That returned the date, showing that it is NOT fixed.

    • (Score: 1) by b on Thursday September 25 2014, @02:10AM

      by b (2121) on Thursday September 25 2014, @02:10AM (#98027)

      Yes, unfortunately it does contain those vulnerabilities.

      • (Score: 0) by Anonymous Coward on Thursday September 25 2014, @02:15AM

        by Anonymous Coward on Thursday September 25 2014, @02:15AM (#98033)

        Shiiiiiiiiiiiiiiiiiiiit. This is not good at all!

      • (Score: 1) by b on Friday September 26 2014, @08:55AM

        by b (2121) on Friday September 26 2014, @08:55AM (#98518)

        And now Arch has patched this vulnerability too.