SoylentNews is people

posted by n1 on Thursday September 25 2014, @01:59AM
from the well,-that's-not-ideal dept.

Ars reports that a new bug has been found in GNU Bash that allows remote attackers to execute arbitrary code, because Bash processes trailing strings after function definitions in the values of environment variables.

This bug is reported to be present in RHEL (ver 4 through 7), Fedora, CentOS (ver 5 through 7), Ubuntu (ver 10.04 LTS, 12.04 LTS, and 14.04 LTS), Debian, and even OS X Mavericks.

This bug is exploitable through Apache servers with mod_cgi and mod_cgid loaded, OpenSSH, malicious DHCP servers in a compromised wireless access point through dhclient, as well as the CUPS printing system.

The Ars article also includes a simple one-liner that will test your setup for the newly discovered bug:

env x='() { :;}; echo vulnerable' bash -c "echo this is a test"

A vulnerable system will output the following:

vulnerable
this is a test

While a patched or unaffected system outputs:

bash: warning: x: ignoring function definition attempt
bash: error importing function definition for `x'
this is a test

A patch is already out, so administrators are advised to update Bash.
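
The one-liner above, wrapped as a reusable check that can be pointed at any bash binary on a host. This is an added example, not code from the Ars article or the original post; the function names and labels (`classify_probe_output`, `probe_bash`, `not-vulnerable`, `unknown`) are made up for it.

```shell
#!/bin/sh
# Added example: runs the article's test command against a given bash binary
# and classifies the result. Function names and labels are hypothetical.

# Classify the combined stdout+stderr of the article's test command.
# Prints one of: vulnerable | not-vulnerable | unknown
classify_probe_output() {
    out=$1
    if printf '%s\n' "$out" | grep -qx 'vulnerable'; then
        # The trailing "echo vulnerable" after the function body was executed.
        echo vulnerable
    elif printf '%s\n' "$out" | grep -qx 'this is a test'; then
        # Only the intended command ran (with or without the import warning).
        echo not-vulnerable
    else
        # The shell did not run the test command at all; draw no conclusion.
        echo unknown
    fi
}

# Run the article's test against one bash binary (default: bash on PATH).
probe_bash() {
    shell=${1:-bash}
    if ! command -v "$shell" >/dev/null 2>&1; then
        echo unknown
        return 0
    fi
    # Same environment variable and command as the one-liner in the article.
    out=$(env x='() { :;}; echo vulnerable' "$shell" -c "echo this is a test" 2>&1) || true
    classify_probe_output "$out"
}

# When run directly, report on the bash found on PATH.
echo "bash on PATH: $(probe_bash bash)"
```

A `not-vulnerable` result covers only this one test; as the editor's update that follows notes, the first patch was reported as incomplete.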

Editor's Update: Security Engineer Tavis Ormandy has said "The bash patch seems incomplete to me, function parsing is still brittle".

$ env X='() { (a)=>\' sh -c "echo date"; cat echo

  • (Score: 2) by Tork on Thursday September 25 2014, @04:10AM

    by Tork (3914) Subscriber Badge on Thursday September 25 2014, @04:10AM (#98086)
    "This exploit shows how great my choice of OS is!". Mmm hm.
    🏳️‍🌈 Proud Ally 🏳️‍🌈
  • (Score: 2) by Geotti on Thursday September 25 2014, @12:56PM

    by Geotti (1146) on Thursday September 25 2014, @12:56PM (#98191) Journal

    You think DOS doesn't have exploits?

    • (Score: 3, Insightful) by Tork on Thursday September 25 2014, @04:04PM

      by Tork (3914) Subscriber Badge on Thursday September 25 2014, @04:04PM (#98286)
      Are you going to skip patching your machine because DOS has exploits?
      🏳️‍🌈 Proud Ally 🏳️‍🌈
      • (Score: 2) by Geotti on Saturday September 27 2014, @12:33PM

        by Geotti (1146) on Saturday September 27 2014, @12:33PM (#98878) Journal

        I don't like explaining jokes, so I'll just leave it at "whoosh!"

        • (Score: 2) by Tork on Sunday September 28 2014, @02:03AM

          by Tork (3914) Subscriber Badge on Sunday September 28 2014, @02:03AM (#99036)
          Ah... "I meant to do that.". Got it.
          🏳️‍🌈 Proud Ally 🏳️‍🌈
  • (Score: 2, Interesting) by Hairyfeet on Thursday September 25 2014, @04:30PM

    by Hairyfeet (75) <> on Thursday September 25 2014, @04:30PM (#98300) Journal

    Gotta just love the logic disconnect, how they scream about every Windows bug but fucking cheer when they get yet more proof that "many eyes" is a load of many billions did heartbleed cost the planet? I rest my case. And folks wonder why I call 'em FOSSies, only ones more batshit are the Appleites, whom I've actually seen defend "you're holding it wrong" as a mark of superior design LOL!

    So can we officially call "many eyes" a myth that is busted now? Because there is not a single piece of software in Linux that has had more view the code than Bash and today we saw that was worth exactly jack and squat, because the simple fact is it requires eyes that can not ONLY do low level debug of the software itself but ALSO of anything it calls AND redoing the whole thing with each change and as we have seen that just ain't happening. IRL everybody is just assuming "well somebody HAD to have done it" but nobody can actually name these mythical somebodies. Source code isn't magical, and I bet my last dollar if one was to look at how many times the source is downloaded for all the little pieces that make up your average Linux distro probably half of it is NEVER looked at by anybody but the guys that actually support it.

    Show of hands, how many here have done a code audit of Gimp? Libre Office? Anybody here done a security audit of the Gecko engine that powers Firefox? And just think those are the most popular ones and for every one of those you have 30 "googly eyes" and font managers and other unsexy crap nobody ever thinks about. Many eyes probably 1993 when the entire OS along with the source fit on a single floppy, now that the kernel alone is something like 10 million LOC? Not a chance in hell, it's a myth.

    ACs are never seen so don't bother. Always ready to show SJWs for the racists they are.
    • (Score: 3) by No.Limit on Thursday September 25 2014, @05:54PM

      by No.Limit (1965) on Thursday September 25 2014, @05:54PM (#98340)

      I kinda agree with you that non-FOSS software gets bashed too hard over security holes (though with non-FOSS software you have no chance to fix it, while with FOSS software you can. Whether one is more secure than the other is quite hard to tell).

      However, doing a conclusion from just one horrific example just isn't scientific. So no, the 'many eyes' myth isn't busted now.
      It's much rather the case that the 'many eyes' argument isn't even proven in the first place. So we can simply see it as a theory that sounds logical, but isn't necessarily true. And here we have another indicator against it.

      Technically, all we can say is that neither FOSS nor non-FOSS software is secure. But that's not really useful for people that want to compare the security of the two ideologies.

      • (Score: 2) by Hairyfeet on Friday September 26 2014, @12:22AM

        by Hairyfeet (75) <> on Friday September 26 2014, @12:22AM (#98446) Journal

        It doesn't even SOUND logical if you take more than 5 seconds to think about it, yet it's trotted out as a fucking FEATURE of Linux and FOSS! Right now the plans for the MIG15 are online, why don't you build me one and have it ready by Thursday....what is that? you don't have the skills nor the manpower? DING DING DING we have a winner johnny!

        Handing somebody like ohh say me or you, whom I assume don't have a masters in CompSci and 15+ years in low level C coding under your belt? Worthless, completely fucking worthless, yet because Joe "I don't know jack shit more than I learnt in that VB class I took 15 years ago" Blow can download the source for bash this somehow magically means that somebody with the skills of a Bruce Schneier has done and continues to do in depth code audits of the same code.....WTF? this is as batshit as saying "Because vampires COULD exist and there are people that disappear forever each year that means vampires DO exist and are turning people"....doesn't matter that we have exactly ZERO evidence this is going on, no proof whatsoever that this is happening, the simple fact that it COULD happen means that it IS happening.

        So I'm sorry but they can waste modpoints all they want I'm throwing a flag, delusional bullshit on the field! We have seen exactly ZERO evidence of "many eyes" happening and a mountain of evidence that many eyes is bullshit, because if it were real why are there major exploitable bugs being found in this software that if many eyes were real should have been vetted a hundred times over...hmm? Remember folks source code isn't magical despite what the more batshit FOSSies would have you believe, it doesn't magically perform code audits on itself, it doesn't magically give you the skills to debug itself AND the things it calls AND anything calling it, in fact we can only show with any certainty ONE and only ONE benefit to having source and that is the fact that IF a piece of software is abandoned AND you can build up a team to support it you CAN keep it afloat. We have evidence of this with KDE 3 so this is something we can say with certainty is possible? many eyes? We have the same amount of evidence for many eyes being real as we do for alien abduction, namely anecdotes and bullshit.

        ACs are never seen so don't bother. Always ready to show SJWs for the racists they are.