Stories
Slash Boxes
Comments

SoylentNews is people

posted by n1 on Thursday September 25 2014, @01:59AM   Printer-friendly
from the well,-that's-not-ideal dept.

Ars reports that a new bug has been found in GNU Bash allows remote attackers to execute arbitrary code by setting the process trailing strings after function definitions in the values of environment variables.

This bug is reported to be present in RHEL (ver 4 through 7), Fedora, CentOS (ver 5 through 7), Ubuntu (ver 10.04 LTS, 12.04 LTS, and 14.04 LTS), Debian, and even OS X Mavericks.

This bug is exploitable through Apache servers with mod_cgi and mod_cgid loaded, OpenSSH, malicious DHCP servers in a compromised wireless access point through dhclient, as well as the CUPS printing system.

The Ars also includes a simple single liner that will test your setup for the newly found discovery:

env x='() { :;}; echo vulnerable' bash -c "echo this is a test"

A vulnerable system will output the following:

vulnerable
 this is a test

While a patched or unaffected system outputs:

bash: warning: x: ignoring function definition attempt
bash: error importing function definition for `x'
this is a test

A patch is already out, so administrators are advised to update Bash.

Editor's Update: Security Engineer Tavis Ormandy has said "The bash patch seems incomplete to me, function parsing is still brittle".

$ env X='() { (a)=>\' sh -c "echo date"; cat echo

 
This discussion has been archived. No new comments can be posted.
Display Options Threshold/Breakthrough Mark All as Read Mark All as Unread
The Fine Print: The following comments are owned by whoever posted them. We are not responsible for them in any way.
  • (Score: 3, Informative) by mendax on Thursday September 25 2014, @02:05AM

    by mendax (2840) on Thursday September 25 2014, @02:05AM (#98021)

    I just tried it on my iMac running Mavericks and it's implementation of bash is vulnerable, and Apple has not yet provided a patch via the Software Update feature. Sure, I could patch it myself but Apple is usually pretty quick about fixing such scary vulnerabilities as this.

    --
    It's really quite a simple choice: Life, Death, or Los Angeles.
    Starting Score:    1  point
    Moderation   +1  
       Informative=1, Total=1
    Extra 'Informative' Modifier   0  
    Karma-Bonus Modifier   +1  

    Total Score:   3  
  • (Score: 0) by Anonymous Coward on Thursday September 25 2014, @02:08AM

    by Anonymous Coward on Thursday September 25 2014, @02:08AM (#98026)

    Oh, fuck... I've turned my Mac off and I'm not even going to use it until this is fixed. This is serious business, guys. I'm not going to frig around with this particular bug.

    • (Score: 0) by Anonymous Coward on Thursday September 25 2014, @07:14PM

      by Anonymous Coward on Thursday September 25 2014, @07:14PM (#98372)

      Oh, fuck... I've turned my Mac off and I'm not even going to use it until this is fixed. This is serious business, guys. I'm not going to frig around with this particular bug.

      I suggest you also shut off the power to your house at the mains...just to be sure. After that you should go hide under your bed until this is all over. You just can't be too careful these days.

      • (Score: 0) by Anonymous Coward on Thursday September 25 2014, @10:33PM

        by Anonymous Coward on Thursday September 25 2014, @10:33PM (#98429)

        He doesn't have to do that. He can just use his Windows computer, which isn't affected by this.

  • (Score: 2, Informative) by gcrumb on Thursday September 25 2014, @03:19AM

    by gcrumb (3946) on Thursday September 25 2014, @03:19AM (#98061) Homepage

    You should be okay if you edit your /etc/sshd_config and comment out the Accept_Env line.

    --
    Crumb's Corollary: Never bring a knife to a bunfight
    • (Score: 0) by Anonymous Coward on Thursday September 25 2014, @07:41AM

      by Anonymous Coward on Thursday September 25 2014, @07:41AM (#98127)

      According to sshd_config(5), this is not enabled by default, and it even warns that enabling it will make it possible to bypass restricted user environments.

      So, if somebody is stupid enough to enable this in a restricted user environment, even after being warned against doing so, how is this a vulnerability in bash?

      • (Score: 0) by Anonymous Coward on Thursday September 25 2014, @09:33AM

        by Anonymous Coward on Thursday September 25 2014, @09:33AM (#98146)

        On my debian 7 and ubuntu 12.04 servers, in sshd_config:

        # Allow client to pass locale environment variables
        AcceptEnv LANG LC_*

        That's the default install.

      • (Score: 2) by choose another one on Thursday September 25 2014, @09:46AM

        by choose another one (515) Subscriber Badge on Thursday September 25 2014, @09:46AM (#98147)

        Request a tty and I think $TERM may bypass AcceptEnv

  • (Score: 2) by LaminatorX on Thursday September 25 2014, @01:58PM

    by LaminatorX (14) <{laminatorx} {at} {gmail.com}> on Thursday September 25 2014, @01:58PM (#98222)

    My Apple and SuSE machines at home are both vulnerable, but the only public service we've got running is dhcpd on our wifi. Frankly, if someone is sitting in my driveway attacking my wlan, I've got bigger problems than a bash exploit through dhcpd.