Slash Boxes

SoylentNews is people

posted by n1 on Thursday September 25 2014, @01:59AM   Printer-friendly
from the well,-that's-not-ideal dept.

Ars reports that a new bug has been found in GNU Bash allows remote attackers to execute arbitrary code by setting the process trailing strings after function definitions in the values of environment variables.

This bug is reported to be present in RHEL (ver 4 through 7), Fedora, CentOS (ver 5 through 7), Ubuntu (ver 10.04 LTS, 12.04 LTS, and 14.04 LTS), Debian, and even OS X Mavericks.

This bug is exploitable through Apache servers with mod_cgi and mod_cgid loaded, OpenSSH, malicious DHCP servers in a compromised wireless access point through dhclient, as well as the CUPS printing system.

The Ars also includes a simple single liner that will test your setup for the newly found discovery:

env x='() { :;}; echo vulnerable' bash -c "echo this is a test"

A vulnerable system will output the following:

 this is a test

While a patched or unaffected system outputs:

bash: warning: x: ignoring function definition attempt
bash: error importing function definition for `x'
this is a test

A patch is already out, so administrators are advised to update Bash.

Editor's Update: Security Engineer Tavis Ormandy has said "The bash patch seems incomplete to me, function parsing is still brittle".

$ env X='() { (a)=>\' sh -c "echo date"; cat echo

This discussion has been archived. No new comments can be posted.
Display Options Threshold/Breakthrough Mark All as Read Mark All as Unread
The Fine Print: The following comments are owned by whoever posted them. We are not responsible for them in any way.
  • (Score: 1) by DNied on Thursday September 25 2014, @10:10AM

    by DNied (3409) on Thursday September 25 2014, @10:10AM (#98150)

    Here we have bash, one of the oldest, most widely used pieces of GNU software out there. It's mature, it has seen lots of use, and its code has been picked through for decades now, yet still a serious bug like this can exist in it.

    Yes, but who uses bash for CGI scripts? The real-world scenarios for this kind of exploit are so limited in practice, that the bug could live in the code for years and not really cause havoc.

    Note how it hasn't been discovered after an attack.

  • (Score: 2) by choose another one on Thursday September 25 2014, @06:32PM

    by choose another one (515) Subscriber Badge on Thursday September 25 2014, @06:32PM (#98350)

    Note that it hasn't been discovered after an attack that we know about.

    Also, exploits are now in the wild and attacks being reported, Git servers currently a known target - guess that is a "limited" real world scenario ?

  • (Score: 2) by FatPhil on Thursday September 25 2014, @06:56PM

    by FatPhil (863) <{pc-soylent} {at} {}> on Thursday September 25 2014, @06:56PM (#98362) Homepage
    Who uses bash for CGI scripts? Anyone who uses perl for CGI scripts that use certain common functions, that's who.

    And just because your script doesn't use them, that doesn't mean that one of the modules you use doesn't contain such code.

    > Note how it hasn't been discovered after an attack.

    That we know of. Ignorance is not bliss.
    Great minds discuss ideas; average minds discuss events; small minds discuss people; the smallest discuss themselves