Ars reports that a new bug has been found in GNU Bash that allows remote attackers to execute arbitrary code: Bash processes trailing strings after function definitions in the values of environment variables.
This bug is reported to be present in RHEL (ver 4 through 7), Fedora, CentOS (ver 5 through 7), Ubuntu (ver 10.04 LTS, 12.04 LTS, and 14.04 LTS), Debian, and even OS X Mavericks.
This bug is exploitable through Apache servers with mod_cgi and mod_cgid loaded, OpenSSH, malicious DHCP servers in a compromised wireless access point through dhclient, as well as the CUPS printing system.
The Ars article also includes a simple one-liner that will test your setup for the newly discovered bug:
env x='() { :;}; echo vulnerable' bash -c "echo this is a test"
A vulnerable system will output the following:
vulnerable
this is a test
While a patched or unaffected system outputs:
bash: warning: x: ignoring function definition attempt
bash: error importing function definition for `x'
this is a test
A patch is already out, so administrators are advised to update Bash.
Editor's Update: Security Engineer Tavis Ormandy has said "The bash patch seems incomplete to me, function parsing is still brittle".
$ env X='() { (a)=>\' sh -c "echo date"; cat echo
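The one-liner test from the story, wrapped so it can be run against each shell binary, together with a scan of NAME=VALUE listings for values that begin with a function definition. This is an added example, not code from Ars or the original story; the function names classify_probe, probe_shell and scan_env are hypothetical, and the sample input is constructed.

```shell
#!/bin/sh
# Added example. Function names are hypothetical, not from the story.

# Classify stdout of the story's one-liner: the line "vulnerable" appears only
# when the shell ran the text trailing the function definition.
classify_probe() {
    if printf '%s\n' "$1" | grep -qx 'vulnerable'; then
        echo vulnerable
    else
        echo not-vulnerable
    fi
}

# Run the story's test against one shell binary (path in $1).
probe_shell() {
    probe_out=$(env x='() { :;}; echo vulnerable' "$1" -c 'echo this is a test' 2>/dev/null) || :
    classify_probe "$probe_out"
}

# Read NAME=VALUE lines (one variable per line) on stdin and report values
# that begin with "() {". Heuristic: whatever follows the last "}" counts as
# trailing text; multi-line values are not handled.
scan_env() {
    awk '{
        eq = index($0, "=")
        if (eq == 0) next
        name = substr($0, 1, eq - 1)
        val = substr($0, eq + 1)
        if (val !~ /^\(\) *[{]/) next
        if (index(val, "}") == 0) { print name "\tunterminated"; next }
        tail = val
        sub(/^.*[}]/, "", tail)
        gsub(/[ \t]/, "", tail)
        print name "\t" (tail == "" ? "function-only" : "trailing-text")
    }'
}

# Probe whichever of these shells is installed.
for shell_name in bash sh; do
    shell_path=$(command -v "$shell_name") || continue
    printf '%s: %s\n' "$shell_path" "$(probe_shell "$shell_path")"
done

# Constructed sample listing, not captured from a real system.
printf '%s\n' 'HOME=/root' 'x=() { :;}; echo vulnerable' 'f=() { echo hi; }' | scan_env
```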
(Score: 1) by novak on Thursday September 25 2014, @05:57AM
This is one reason I'm always a fan of getting rid of non-essential features in software. Bash is the standard pretty much anywhere, and it's a pretty good one. I much prefer it over shells like tcsh, and have it at least installed on all my Linux machines. But bash is also a fairly large piece of software, so of course there are occasional bugs, like this one.
Now, on one hand, the flaw is patched at least partially the same day so this isn't an attack on bash or some crap like that. But on the other, this is exactly why I prefer to use more minimal, (sometimes) worse software. Even in 2014, decades after everyone started laughing at microkernels, there's still something to be said for brevity.
I have a huge amount of respect for projects like OpenBSD where they run a tight, small ship. I also appreciate distros like Alpine where they use musl libc to shrink the size of binaries. Partially because I love playing with embedded hardware, but also because minimalism can be a good thing for its own sake.
novak
(Score: 0) by Anonymous Coward on Thursday September 25 2014, @11:54AM
Everyone laughs at microkernels because they're academic ivory tower wankery that just doesn't work in the real world.
(Score: 0) by Anonymous Coward on Thursday September 25 2014, @02:13PM
minix 3.3 begs to differ.
(Score: 2) by tangomargarine on Thursday September 25 2014, @02:52PM
And does anyone actually use Minix other than Tanenbaum and a few professors?
"Is that really true?" "I just spent the last hour telling you to think for yourself! Didn't you hear anything I said?"
(Score: 2) by choose another one on Thursday September 25 2014, @03:18PM
I think there was some student or other in Finland back in the 90s.
(Score: 0) by Anonymous Coward on Thursday September 25 2014, @04:30PM
We're still laughing at it. It's a toy OS, even if it tries desperately to be one of the big boys.