Stories
Slash Boxes
Comments

SoylentNews is people

posted by n1 on Thursday September 25 2014, @01:59AM   Printer-friendly
from the well,-that's-not-ideal dept.

Ars reports that a new bug has been found in GNU Bash allows remote attackers to execute arbitrary code by setting the process trailing strings after function definitions in the values of environment variables.

This bug is reported to be present in RHEL (ver 4 through 7), Fedora, CentOS (ver 5 through 7), Ubuntu (ver 10.04 LTS, 12.04 LTS, and 14.04 LTS), Debian, and even OS X Mavericks.

This bug is exploitable through Apache servers with mod_cgi and mod_cgid loaded, OpenSSH, malicious DHCP servers in a compromised wireless access point through dhclient, as well as the CUPS printing system.

The Ars also includes a simple single liner that will test your setup for the newly found discovery:

env x='() { :;}; echo vulnerable' bash -c "echo this is a test"

A vulnerable system will output the following:

vulnerable
 this is a test

While a patched or unaffected system outputs:

bash: warning: x: ignoring function definition attempt
bash: error importing function definition for `x'
this is a test

A patch is already out, so administrators are advised to update Bash.

Editor's Update: Security Engineer Tavis Ormandy has said "The bash patch seems incomplete to me, function parsing is still brittle".

$ env X='() { (a)=>\' sh -c "echo date"; cat echo

 
This discussion has been archived. No new comments can be posted.
Display Options Threshold/Breakthrough Mark All as Read Mark All as Unread
The Fine Print: The following comments are owned by whoever posted them. We are not responsible for them in any way.
  • (Score: 1) by novak on Thursday September 25 2014, @05:57AM

    by novak (4683) on Thursday September 25 2014, @05:57AM (#98107) Homepage

    This is one reason I'm always a fan of getting rid of non-essential features in software. Bash is the standard pretty much anywhere, and it's a pretty good one. I much prefer it over shells like tcsh, and have it at least installed on all my linux machines. But bash is also a fairly large piece of software, so of course there are occasional bugs, like this one.

    Now, on one hand, the flaw is patched at least partially the same day so this isn't an attack on bash or some crap like that. But on the other, this is exactly why I prefer to use more minimal, (sometimes) worse software. Even in 2014, decades after everyone started laughing at microkernels, there's still something to be said for brevity.

    I have a huge amount of respect for projects like OpenBSD where they run a tight, small ship. I also appreciate distros like alpine where they use musl libc to shrink the size of binaries. Partially because I love playing with embedded hardware, but also because minimalism can be a good thing for its own sake.

    --
    novak
  • (Score: 0) by Anonymous Coward on Thursday September 25 2014, @11:54AM

    by Anonymous Coward on Thursday September 25 2014, @11:54AM (#98167)

    Everyone laughs at microkernels because they're academic ivory tower wankery that just doesn't work in the real world.

    • (Score: 0) by Anonymous Coward on Thursday September 25 2014, @02:13PM

      by Anonymous Coward on Thursday September 25 2014, @02:13PM (#98228)

      minix 3.3 begs to differ.

      • (Score: 2) by tangomargarine on Thursday September 25 2014, @02:52PM

        by tangomargarine (667) on Thursday September 25 2014, @02:52PM (#98258)

        And does anyone actually use Minix other than Tannenbaum and a few professors?

        --
        "Is that really true?" "I just spent the last hour telling you to think for yourself! Didn't you hear anything I said?"
      • (Score: 0) by Anonymous Coward on Thursday September 25 2014, @04:30PM

        by Anonymous Coward on Thursday September 25 2014, @04:30PM (#98299)

        We're still laughing at it. It's a toy OS, even if it tries desparately to be one of the big boys.