Ars reports that a new bug has been found in GNU Bash allows remote attackers to execute arbitrary code by setting the process trailing strings after function definitions in the values of environment variables.
This bug is reported to be present in RHEL (ver 4 through 7), Fedora, CentOS (ver 5 through 7), Ubuntu (ver 10.04 LTS, 12.04 LTS, and 14.04 LTS), Debian, and even OS X Mavericks.
This bug is exploitable through Apache servers with mod_cgi and mod_cgid loaded, OpenSSH, malicious DHCP servers in a compromised wireless access point through dhclient, as well as the CUPS printing system.
The Ars also includes a simple single liner that will test your setup for the newly found discovery:
env x='() { :;}; echo vulnerable' bash -c "echo this is a test"
A vulnerable system will output the following:
vulnerable
this is a test
While a patched or unaffected system outputs:
bash: warning: x: ignoring function definition attempt
bash: error importing function definition for `x'
this is a test
A patch is already out, so administrators are advised to update Bash.
Editor's Update: Security Engineer Tavis Ormandy has said "The bash patch seems incomplete to me, function parsing is still brittle".
$ env X='() { (a)=>\' sh -c "echo date"; cat echo
(Score: 2) by Nerdfest on Thursday September 25 2014, @02:01AM
Not just serious, but quite simple and easily exploitable. The funny this is that almost all the buffer overflows, bounds checks, unterminated string checks, etc, had been found, then something silly and obvious like this pops up. AT least we can be thankful that it's patched quickly.
(Score: 0) by Anonymous Coward on Thursday September 25 2014, @08:55AM
If it's remotely exploitable via dhclient I'd consider it an exploit in dhclient than bash.
Same for openssh.
(Score: 3, Insightful) by Geotti on Thursday September 25 2014, @01:03PM
It's exploitable via user interaction. Do you consider this to be an exploit in our DNA now?
SSHd, CGI & co. are vectors. The bug is in bash.
(Score: 2) by fnj on Friday September 26 2014, @09:33AM
Yes, maybe we COULD be thankful, except for one itsy bitsy problem. The patch doesn't fucking fix the vulnerability.
(Score: 2) by Nerdfest on Friday September 26 2014, @03:09PM
the first one fixed some, but was brittle. It's patched now and the release is still faster than what you'd see with any other OS I think.