Stories
Slash Boxes
Comments

SoylentNews is people

posted by n1 on Thursday September 25 2014, @01:59AM   Printer-friendly
from the well,-that's-not-ideal dept.

Ars reports that a new bug has been found in GNU Bash allows remote attackers to execute arbitrary code by setting the process trailing strings after function definitions in the values of environment variables.

This bug is reported to be present in RHEL (ver 4 through 7), Fedora, CentOS (ver 5 through 7), Ubuntu (ver 10.04 LTS, 12.04 LTS, and 14.04 LTS), Debian, and even OS X Mavericks.

This bug is exploitable through Apache servers with mod_cgi and mod_cgid loaded, OpenSSH, malicious DHCP servers in a compromised wireless access point through dhclient, as well as the CUPS printing system.

The Ars also includes a simple single liner that will test your setup for the newly found discovery:

env x='() { :;}; echo vulnerable' bash -c "echo this is a test"

A vulnerable system will output the following:

vulnerable
 this is a test

While a patched or unaffected system outputs:

bash: warning: x: ignoring function definition attempt
bash: error importing function definition for `x'
this is a test

A patch is already out, so administrators are advised to update Bash.

Editor's Update: Security Engineer Tavis Ormandy has said "The bash patch seems incomplete to me, function parsing is still brittle".

$ env X='() { (a)=>\' sh -c "echo date"; cat echo

 
This discussion has been archived. No new comments can be posted.
Display Options Threshold/Breakthrough Mark All as Read Mark All as Unread
The Fine Print: The following comments are owned by whoever posted them. We are not responsible for them in any way.
  • (Score: 0) by Anonymous Coward on Thursday September 25 2014, @02:01AM

    by Anonymous Coward on Thursday September 25 2014, @02:01AM (#98018)

    Hey, a rant from an Anonymous Coward! We should all pay attention!

  • (Score: 0) by Anonymous Coward on Thursday September 25 2014, @02:06AM

    by Anonymous Coward on Thursday September 25 2014, @02:06AM (#98024)

    Yes, you're right, we should pay attention. Everything the GP says is correct.

    • (Score: 1, Insightful) by Anonymous Coward on Thursday September 25 2014, @02:10AM

      by Anonymous Coward on Thursday September 25 2014, @02:10AM (#98028)

      Everything he says if FUD with no substance.

      • (Score: 0) by Anonymous Coward on Thursday September 25 2014, @02:13AM

        by Anonymous Coward on Thursday September 25 2014, @02:13AM (#98031)

        Wrong-o, my dear friend. Bash is mature software. Systemd is young, immature software. If Bash can suffer from defects like this, then so can Systemd. We are more likely to find a problem in Systemd because it hasn't been checked as extensively as Bash has been. That earlier commenter is right: this is a dangerous situation and we all should be very worried!

        • (Score: 0) by Anonymous Coward on Thursday September 25 2014, @02:18AM

          by Anonymous Coward on Thursday September 25 2014, @02:18AM (#98035)

          In that case, you should be worried to turn on your computer at all.

          • (Score: 0) by Anonymous Coward on Thursday September 25 2014, @02:24AM

            by Anonymous Coward on Thursday September 25 2014, @02:24AM (#98037)

            I was so worried that I installed OpenBSD earlier today. I'm done with Linux. I'm done with the risk of systemd. I'm done with bash. I'm only using OpenBSD from now on, because I value my security.

            • (Score: 0) by Anonymous Coward on Thursday September 25 2014, @03:29AM

              by Anonymous Coward on Thursday September 25 2014, @03:29AM (#98065)

              if you are unable to use linux without systemd, i pity you

              • (Score: 0) by Anonymous Coward on Thursday September 25 2014, @03:34AM

                by Anonymous Coward on Thursday September 25 2014, @03:34AM (#98069)

                I'm about to switch to FreeBSD, too. I don't want to install Debian on my new system only to find out a couple of months from now that an upgrade will unexpectedly install systemd and my system will be busted. Even the risk of systemd eventually getting installed is just too great. At least I know that the BSD devs won't be stupid enough to adopt it.

                • (Score: 0) by Anonymous Coward on Thursday September 25 2014, @06:54AM

                  by Anonymous Coward on Thursday September 25 2014, @06:54AM (#98118)

                  Oh yeah? Well I just installed M$ DOS 1.0 and it's WONDERFUL!!111

                  • (Score: 0) by Anonymous Coward on Thursday September 25 2014, @11:48AM

                    by Anonymous Coward on Thursday September 25 2014, @11:48AM (#98163)

                    At least it doesn't include systemd. That makes it better than Fedora.

                  • (Score: 0) by Anonymous Coward on Thursday September 25 2014, @01:38PM

                    by Anonymous Coward on Thursday September 25 2014, @01:38PM (#98213)

                    Really? It can read your SATA HDD? It can read your USB sticks? Do you even have a floppy disk drive to boot from? (Are 3.5" floppy disk drives actually supported by MS DOS 1.0, or do you need a 5.25" one?)

                    • (Score: 2) by cafebabe on Thursday September 25 2014, @01:53PM

                      by cafebabe (894) on Thursday September 25 2014, @01:53PM (#98218) Journal

                      (Are 3.5" floppy disk drives actually supported by MS DOS 1.0, or do you need a 5.25" one?)

                      They look the same to a host.

                      --
                      1702845791×2
            • (Score: 2) by tangomargarine on Thursday September 25 2014, @02:38PM

              by tangomargarine (667) on Thursday September 25 2014, @02:38PM (#98248)

              Because I'm sure dash or csh or zsh or whatever is so much more secure and well-written than bash...

              --
              "Is that really true?" "I just spent the last hour telling you to think for yourself! Didn't you hear anything I said?"
              • (Score: 2) by FatPhil on Thursday September 25 2014, @06:59PM

                by FatPhil (863) <{pc-soylent} {at} {asdf.fi}> on Thursday September 25 2014, @06:59PM (#98365) Homepage
                Even without inspecting the code, I'm sure that dash and zsh are indeed more secure than bash.

                How do I know this with the certainty that I do? Because the rate of bugs per line of code is remarkably constant, and there's more code in bash, so likely more bugs.
                --
                Great minds discuss ideas; average minds discuss events; small minds discuss people; the smallest discuss themselves
  • (Score: 2) by tangomargarine on Thursday September 25 2014, @02:35PM

    by tangomargarine (667) on Thursday September 25 2014, @02:35PM (#98243)

    If you automatically dismiss every post from an AC, you'll miss out on a few gems. Can't we quit it with the "AC STFU" knee-jerk reactions already?

    --
    "Is that really true?" "I just spent the last hour telling you to think for yourself! Didn't you hear anything I said?"
    • (Score: 2) by fnj on Friday September 26 2014, @09:39AM

      by fnj (1654) on Friday September 26 2014, @09:39AM (#98524)

      We'll quit dissing no-account cowards when the lazy bums get off their ass and sign up for an account, and then put their fragile egos on the line by making signed posts.

      P.S., I do read cowards because I don't want to hide safely behind mommy's apron. But I will never quit making fun of the sniveling lightweights.

  • (Score: 2) by FatPhil on Thursday September 25 2014, @07:44PM

    by FatPhil (863) <{pc-soylent} {at} {asdf.fi}> on Thursday September 25 2014, @07:44PM (#98378) Homepage
    Calm down, Lennart!
    --
    Great minds discuss ideas; average minds discuss events; small minds discuss people; the smallest discuss themselves