The fundamental problem is this: In starting, bash treats ANY environment variable whose value starts with "() {" (i.e. open paren, close paren, space, open curly) as a function to be parsed and imported. For example:

    $ export ls='() { echo bwahahaha ; }'
    $ bash    # any invocation of bash, including from system(), or as /bin/sh
    $ ls
    bwahahaha

This is the mechanism by which bash's "export -f" (export function) works. (By default, functions are not exported to the environment, which is why you never noticed this before.)

Basically, that functionality has a ridiculous number of potential gotchas, even if the parsing is properly fixed. The unpatched code just blithely throws the string at the command interpreter, and the patches are just band-aids on top of that.

-- don

On 25/09/14 14:14, Nicholas Lee wrote:
Fix may not be complete either:
https://bugzilla.redhat.com/show_bug.cgi?id=1141597#c23
On Thu, Sep 25, 2014 at 11:06 AM, Sebastian Castro <sebastian(a)nzrs.net.nz> wrote:

On 25/09/14 10:57 am, Dean Pemberton wrote:
> Hi all,
>
> This isn't normally a security vuln release list but this one looks pretty bad
>
> A newly discovered vulnerability (CVE-2014-6271) in the Bash
> command-line interpreter poses a critical security risk to Unix and
> Linux systems. It allows remote code execution.
>
> NZITF is responding to this remote execution exploit, with a News page
> that we will be keeping up to date - http://www.nzitf.org.nz/news.html .
There are active scans going on already:
http://blog.erratasec.com/2014/09/bash-shellshock-scan-of-internet.html
>
> We are also reaching out to technical and security community points of
> contact to raise awareness to the issue and ensure necessary action is
> taken (hence this email to you). Please note, no patch is yet
> available for Mac OSX. However, many other patches are available.
>
> So Patch, Patch, Patch.
>
>
> Regards,
> Dean
> _______________________________________________
> NZNOG mailing list
> NZNOG(a)list.waikato.ac.nz
> http://list.waikato.ac.nz/mailman/listinfo/nznog
>
--
Sebastian Castro
Technical Research Manager
.nz Registry Services (New Zealand Domain Name Registry Limited)
desk: +64 4 495 2337
mobile: +64 21 400535
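Added example, not part of the original thread and not any poster's code: a defensive sketch that lists exported variables whose value begins with "() {" (the import trigger described in the top message) and runs a command with those variables removed. The function names funclike_env_names and run_scrubbed are hypothetical, and it assumes an env that supports -u.

```shell
#!/bin/sh
# Added example, not code from the thread. Assumes awk, sort and an env that
# supports -u (GNU, BSD and BusyBox do; -u is not in POSIX).

# Print the names of exported variables whose value begins with "() {",
# one per line. awk's ENVIRON is used so multi-line values are handled.
funclike_env_names() {
    awk 'BEGIN {
        for (name in ENVIRON)
            if (index(ENVIRON[name], "() {") == 1)
                print name
    }' | sort
}

# Run a command with every such variable removed from its environment.
# This also drops functions exported on purpose with "export -f".
run_scrubbed() {
    (
        while IFS= read -r name; do
            [ -n "$name" ] || continue
            set -- -u "$name" "$@"      # prepend "-u NAME" for env
        done <<EOF
$(funclike_env_names)
EOF
        exec env "$@"
    )
}

# Constructed demo, reusing the variable from the message above.
(
    export ls='() { echo bwahahaha ; }'
    echo "function-like variables:"; funclike_env_names
    run_scrubbed sh -c 'echo "child sees ls=${ls-<removed>}"'
)
```

A wrapper like this narrows what reaches a child shell but does not replace patching bash itself.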