Stories
Slash Boxes
Comments

SoylentNews is people

posted by n1 on Thursday September 25 2014, @01:59AM   Printer-friendly
from the well,-that's-not-ideal dept.

Ars reports that a new bug has been found in GNU Bash allows remote attackers to execute arbitrary code by setting the process trailing strings after function definitions in the values of environment variables.

This bug is reported to be present in RHEL (ver 4 through 7), Fedora, CentOS (ver 5 through 7), Ubuntu (ver 10.04 LTS, 12.04 LTS, and 14.04 LTS), Debian, and even OS X Mavericks.

This bug is exploitable through Apache servers with mod_cgi and mod_cgid loaded, OpenSSH, malicious DHCP servers in a compromised wireless access point through dhclient, as well as the CUPS printing system.

The Ars also includes a simple single liner that will test your setup for the newly found discovery:

env x='() { :;}; echo vulnerable' bash -c "echo this is a test"

A vulnerable system will output the following:

vulnerable
 this is a test

While a patched or unaffected system outputs:

bash: warning: x: ignoring function definition attempt
bash: error importing function definition for `x'
this is a test

A patch is already out, so administrators are advised to update Bash.

Editor's Update: Security Engineer Tavis Ormandy has said "The bash patch seems incomplete to me, function parsing is still brittle".

$ env X='() { (a)=>\' sh -c "echo date"; cat echo

 
This discussion has been archived. No new comments can be posted.
Display Options Threshold/Breakthrough Mark All as Read Mark All as Unread
The Fine Print: The following comments are owned by whoever posted them. We are not responsible for them in any way.
  • (Score: 0) by Anonymous Coward on Thursday September 25 2014, @05:03AM

    by Anonymous Coward on Thursday September 25 2014, @05:03AM (#98094)

    The major distros need to say "STOP!" to the efforts to integrate systemd. Especially Debian. Nobody should be integrating software like systemd into a distro until it has gone a very thorough review.

    If Fedora and Red Hat really feel the need to integrate systemd, then let them. Let their users suffer first. But Debian and Ubuntu users should not be subjected to systemd until it is a proven technology, if it even ever manages to get to that point.

    Bash has long been thought to be a stable, robust, reliable piece of software.

    I don't think anybody was ever under the impression that Bash was a bastion of security. War tested as much as anything common- sure, but there were no illusions about it's level of complexity adding to threat surfaces.

    As for Debuntu- from my understanding, only users who opt for a default desktop configuration in the next major release will see this. I think you ought to take a step back from your rhetoric that makes it sound like everyone is being forced to use systemd. There are a million linux distros out there, not to mention plenty of Debuntu users interested in holding off on systemd for various amounts of time. This isn't like the government mandating a kill switch in phones that users can't opt out of. There is plenty of choice for everyone of our opinion that systemd could use more settling before the levels of adoption that it currently seems to enjoy. Of course, bash bugs like this don't really help systemd's case in that argument IMO. I.e. an init system relying on bash now looks a notch less attractive due to this bug. Which only increases the relative stature of systemd through no aspect of its self.

  • (Score: 2) by MrNemesis on Thursday September 25 2014, @11:56AM

    by MrNemesis (1582) on Thursday September 25 2014, @11:56AM (#98168)

    I did a bare-minimum install from the latest jessie netinstall image the other day and systemd is now in there as default init regardless of whether you choose to install an X server or any DE (and you can't apt-pin it away on a new install like I have on my existing systems).

    IIRC, init scripts on debian have been using /bin/dash as default /bin/sh for quite some time because it's faster and lighter weight than bash.

    --
    "To paraphrase Nietzsche, I have looked into the abyss and been sick in it."