Ars reports that a new bug has been found in GNU Bash that allows remote attackers to execute arbitrary code: Bash processes trailing strings after function definitions in the values of environment variables.
This bug is reported to be present in RHEL (ver 4 through 7), Fedora, CentOS (ver 5 through 7), Ubuntu (ver 10.04 LTS, 12.04 LTS, and 14.04 LTS), Debian, and even OS X Mavericks.
This bug is exploitable through Apache servers with mod_cgi and mod_cgid loaded, OpenSSH, malicious DHCP servers in a compromised wireless access point through dhclient, as well as the CUPS printing system.
The Ars article also includes a simple one-liner that tests your setup for the newly found bug:
env x='() { :;}; echo vulnerable' bash -c "echo this is a test"
A vulnerable system will output the following:
vulnerable
this is a test
While a patched or unaffected system outputs:
bash: warning: x: ignoring function definition attempt
bash: error importing function definition for `x'
this is a test
A patch is already out, so administrators are advised to update Bash.
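The same check, wrapped so it can be run against every Bash binary on a host and give a verdict per binary. This is an added example, not code from Ars or the Bash project; the function names, verdict strings and the list of install paths are assumptions.

```shell
#!/bin/sh
# Added example: classify the output of the page's one-line test and run the
# test against each bash binary found. Names and paths here are assumptions.

MARKER='vulnerable'   # the harmless string echoed by the page's test value

# classify_output TEXT -> prints VULNERABLE, PATCHED or UNAFFECTED
classify_output() {
    if printf '%s\n' "$1" | grep -qx "$MARKER"; then
        echo VULNERABLE    # the text after the function body was executed
    elif printf '%s\n' "$1" | grep -q 'ignoring function definition attempt'; then
        echo PATCHED       # bash parsed the definition and refused to import it
    else
        echo UNAFFECTED    # neither marker nor warning appeared in the output
    fi
}

# check_bash PATH -> runs the page's test against that binary, prints a verdict
check_bash() {
    [ -x "$1" ] || { echo MISSING; return 0; }
    out=$(env x="() { :;}; echo $MARKER" "$1" -c 'echo this is a test' 2>&1) || true
    classify_output "$out"
}

# audit_bash -> one line per installed binary; a host can carry more than one
# copy of bash, and updating one package does not update the others
audit_bash() {
    for b in /bin/bash /usr/bin/bash /usr/local/bin/bash; do   # assumed paths
        if [ -e "$b" ]; then
            printf '%s: %s\n' "$b" "$(check_bash "$b")"
        fi
    done
    return 0
}

# Run the audit only when asked, so the file can also be sourced
if [ "${1:-}" = "--audit" ]; then
    audit_bash
fi
```

Run it with `--audit` after updating to confirm that no remaining copy still reports VULNERABLE.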
Editor's Update: Security Engineer Tavis Ormandy has said "The bash patch seems incomplete to me, function parsing is still brittle".
$ env X='() { (a)=>\' sh -c "echo date"; cat echo
(Score: 2) by Hairyfeet on Friday September 26 2014, @12:22AM
It doesn't even SOUND logical if you take more than 5 seconds to think about it, yet it's trotted out as a fucking FEATURE of Linux and FOSS! Right now the plans for the MIG15 are online, why don't you build me one and have it ready by Thursday....what is that? you don't have the skills nor the manpower? DING DING DING we have a winner johnny!
Handing somebody like ohh say me or you, whom I assume don't have a masters in CompSci and 15+ years in low level C coding under your belt? Worthless, completely fucking worthless, yet because Joe "I don't know jack shit more than I learnt in that VB class I took 15 years ago" Blow can download the source for bash this somehow magically means that somebody with the skills of a Bruce Schneier has done and continues to do in depth code audits of the same code.....WTF? this is as batshit as saying "Because vampires COULD exist and there are people that disappear forever each year that means vampires DO exist and are turning people"....doesn't matter that we have exactly ZERO evidence this is going on, no proof whatsoever that this is happening, the simple fact that it COULD happen means that it IS happening.
So I'm sorry but they can waste modpoints all they want I'm throwing a flag, delusional bullshit on the field! We have seen exactly ZERO evidence of "many eyes" happening and a mountain of evidence that many eyes is bullshit, because if it were real why are there major exploitable bugs being found in this software that if many eyes were real should have been vetted a hundred times over...hmm? Remember folks source code isn't magical despite what the more batshit FOSSies would have you believe, it doesn't magically perform code audits on itself, it doesn't magically give you the skills to debug itself AND the things it calls AND anything calling it, in fact we can only show with any certainty ONE and only ONE benefit to having source and that is the fact that IF a piece of software is abandoned AND you can build up a team to support it you CAN keep it afloat. We have evidence of this with KDE 3 so this is something we can say with certainty is possible? many eyes? We have the same amount of evidence for many eyes being real as we do for alien abduction, namely anecdotes and bullshit.
ACs are never seen so don't bother. Always ready to show SJWs for the racists they are.