
#1 2014-09-25 02:11:20

hydn
Member
From: Antigua
Registered: 2012-09-23
Posts: 104
Website

Bash CVE-2014-6271 Vulnerability

Excuse me if this was already posted. I searched titles only for bash and 6271 and didn't see any results.

Cut and paste from CVE-2014-6271 Bash vulnerability allows remote execution arbitrary code:
This morning a flaw was found in Bash with the way it evaluated certain environment variables. Basically an attacker could use this flaw to override or bypass environment restrictions to execute shell commands. As a result various services and applications allow remote unauthenticated attackers to provide environment variables, allowing them to exploit this issue.

Details on CVE-2014-6271 from the MITRE CVE dictionary and NIST NVD (page pending creation).

I’m currently patching servers for this. The issue affects ALL products which use Bash shell and parse values of environment variables. This issue is especially dangerous as there are many possible ways Bash can be called by applications. Quite often if an application executes another binary, Bash is invoked to accomplish this. Because of the pervasive use of the Bash shell, this issue is quite serious and should be treated as such!

To test if your version of Bash is vulnerable run the following command:

env x='() { :;}; echo vulnerable' bash -c "echo this is a test"

If that command returns the following:

vulnerable
this is a test

…then you are using a vulnerable version of Bash and should patch immediately. The patch used to fix this issue ensures that no code is allowed after the end of a Bash function. Thus, if you run the above example with the patched version of Bash, you should get an output similar to:

bash: warning: x: ignoring function definition attempt
bash: error importing function definition for `x'
this is a test

Arch Linux CVE-2014-6271 patch:

pacman -Syu

Last edited by hydn (2014-09-28 20:57:41)

Offline

#2 2014-09-25 02:15:08

Scimmia
Bug Wrangler
Registered: 2012-09-01
Posts: 7,265

Re: Bash CVE-2014-6271 Vulnerability

Unfortunately, some are claiming that the patch doesn't fix it completely: https://bugzilla.redhat.com/show_bug.cgi?id=1141597#c23

Last edited by Scimmia (2014-09-25 02:20:21)

Offline

#3 2014-09-25 02:32:20

hydn
Member
From: Antigua
Registered: 2012-09-23
Posts: 104
Website

Re: Bash CVE-2014-6271 Vulnerability

Not good. hmm

Edit: Another patch on the way: http://www.openwall.com/lists/oss-secur … 4/09/25/10

Last edited by hydn (2014-09-25 03:14:09)

Offline

#4 2014-09-25 11:34:23

karol
Archivist
Registered: 2009-05-06
Posts: 25,440

Re: Bash CVE-2014-6271 Vulnerability

We have a security ML, why post here?

Offline

#5 2014-09-25 11:40:44

Awebb
Member
Registered: 2010-05-06
Posts: 5,294

Re: Bash CVE-2014-6271 Vulnerability

Not everybody reads the MLs, there is always so much white noise. The security ML however has been quite silent lately.

Offline

#6 2014-09-25 12:09:35

lolilolicon
Member
Registered: 2009-03-05
Posts: 1,722

Re: Bash CVE-2014-6271 Vulnerability

A very good article on this issue: http://lcamtuf.blogspot.com/2014/09/qui … mpact.html

When I found out about this "feature" of bash, i.e. the magic token "() {", I was like "WTF?!" Yet another dark corner in bash? This one is just intuitively wrong.
My opinion of the reasonableness of bash has dropped, again. I think I hate it now.


This silver ladybug at line 28...

Offline

#7 2014-09-25 13:43:09

Swarfega
Member
Registered: 2011-08-19
Posts: 97

Re: Bash CVE-2014-6271 Vulnerability

Any ideas when this will be fixed in Arch, if it hasn't already? Can't seem to find much info on it.

http://www.bbc.com/news/technology-29361794

*Edit*

I think I found a related thread @ https://bbs.archlinux.org/viewtopic.php?id=187484

Last edited by Swarfega (2014-09-25 13:47:24)

Offline

#8 2014-09-25 13:49:54

Tom B
Member
Registered: 2014-01-15
Posts: 159
Website

Re: Bash CVE-2014-6271 Vulnerability

It seems to be fixed already, running the code provided in The Register article: http://www.theregister.co.uk/2014/09/24 … hell_vuln/ doesn't execute successfully.

More annoyingly, I'd rather my CentOS webservers weren't vulnerable and have my Arch desktop fixed last.

Offline

#9 2014-09-25 13:52:43

Tom B
Member
Registered: 2014-01-15
Posts: 159
Website

Re: Bash CVE-2014-6271 Vulnerability

So, for clarification is this fixed or not? Has the "incomplete" patch been rectified?

Offline

#10 2014-09-25 13:56:20

myd
Member
Registered: 2014-09-25
Posts: 1

Re: Bash CVE-2014-6271 Vulnerability

It is fixed only half-way, following code still works:

env X='() { (a)=>\' sh -c "echo date"; cat echo

Offline

#11 2014-09-25 13:59:29

Swarfega
Member
Registered: 2011-08-19
Posts: 97

Re: Bash CVE-2014-6271 Vulnerability

Looks like it...

[root@me ~]# env X='() { (a)=>\' sh -c "echo date"; cat echo
sh: X: line 1: syntax error near unexpected token `='
sh: X: line 1: `'
sh: error importing function definition for `X'
Thu 25 Sep 14:58:24 BST 2014

Offline

#12 2014-09-25 14:26:14

Scimmia
Bug Wrangler
Registered: 2012-09-01
Posts: 7,265

Re: Bash CVE-2014-6271 Vulnerability

Tom B wrote:

So, for clarification is this fixed or not? Has the "incomplete" patch been rectified?

No, it has not.

Offline

#13 2014-09-25 14:26:50

karol
Archivist
Registered: 2009-05-06
Posts: 25,440

Re: Bash CVE-2014-6271 Vulnerability

Awebb wrote:

Not everybody reads the MLs, there is always so much white noise.

This indeed is quite different from the precise posts and reasonable discussions on the forum.

Offline

#14 2014-09-25 14:36:08

fsckd
Forum Fellow
Registered: 2009-06-15
Posts: 4,173

Re: Bash CVE-2014-6271 Vulnerability

Merged Swarfega's thread. Title was "Shellshock".


aur S & M :: forum rules :: Community Ethos
Resources for Women, POC, LGBT*, and allies

Offline

#15 2014-09-25 15:08:42

hydn
Member
From: Antigua
Registered: 2012-09-23
Posts: 104
Website

Re: Bash CVE-2014-6271 Vulnerability

Tom B wrote:

So, for clarification is this fixed or not? Has the "incomplete" patch been rectified?

Red Hat advises to upgrade to the version of bash which contains the fix for CVE-2014-6271 and not wait for the patch which fixes CVE-2014-7169 because CVE-2014-7169 is less severe of an issue which they are yet to have a patch ready for.

Last edited by hydn (2014-09-25 15:23:17)

Offline

#16 2014-09-25 15:12:39

lolilolicon
Member
Registered: 2009-03-05
Posts: 1,722

Re: Bash CVE-2014-6271 Vulnerability

@hydn Arch has applied the patch for CVE-2014-6271 in bash 4.3.024-2


This silver ladybug at line 28...

Offline

#17 2014-09-25 15:13:13

Awebb
Member
Registered: 2010-05-06
Posts: 5,294

Re: Bash CVE-2014-6271 Vulnerability

hydn wrote:

Red Hat advises to upgrade to the version of bash which contains the fix for CVE-2014-6271 and not wait for the patch which fixes CVE-2014-7169 because CVE-2014-7169 is less severe of an issue which they are yet to have a patch ready for.

Indeed. Not updating would be like waiting for the fish expert to arrive at the boat to catch the shark in the engine room before closing that big gaping hole in the port bow.

Offline

#18 2014-09-25 15:22:12

nomorewindows
Member
Registered: 2010-04-03
Posts: 3,240

Re: Bash CVE-2014-6271 Vulnerability

Bash updated this morning and restarted bash to reflect changes and seems to be working.


I may have to CONSOLE you about your usage of ridiculously easy graphical interfaces...
Look ma, no mouse.

Offline

#19 2014-09-25 15:37:18

lolilolicon
Member
Registered: 2009-03-05
Posts: 1,722

Re: Bash CVE-2014-6271 Vulnerability

At least, with this bug out, some serious thought is going on regarding the mechanism of function export, such as this effort:
http://www.openwall.com/lists/oss-secur … 4/09/25/13
I'd much prefer killing it and adopt zsh-like function autoload...


Backward compatibility sucks, popularity sucks, feature creep sucks, adhocity sucks, ...

Unix has retarded OS research by 10 years and linux has retarded it by 20.

        — Dennis Ritchie as quoted by Boyd Roberts in 9fans.

Oh, the wisdom!

Last edited by lolilolicon (2014-09-25 15:38:37)


This silver ladybug at line 28...

Offline

#20 2014-09-25 15:48:05

karol
Archivist
Registered: 2009-05-06
Posts: 25,440

Re: Bash CVE-2014-6271 Vulnerability

Long live KolibriOS!

plan9, suckless etc. have nice ideas, but the code isn't there.

Offline

#21 2014-09-25 15:56:51

lolilolicon
Member
Registered: 2009-03-05
Posts: 1,722

Re: Bash CVE-2014-6271 Vulnerability

The old projects have become too popular / widespread, much effort is put into them which could otherwise have gone into implementing better ideas.
The thing with super popular projects is, people become so reliant on them, they become super resistant to newer projects.
The thing with big popular projects is their past often becomes their own obstacle to improve.
Kill yourselves, old projects! Death, rebirth, nirvana!


This silver ladybug at line 28...

Offline

#22 2014-09-25 16:26:43

Awebb
Member
Registered: 2010-05-06
Posts: 5,294

Re: Bash CVE-2014-6271 Vulnerability

lolilolicon wrote:

Kill yourselves, old projects! Death, rebirth, nirvana!

Every time I consider a project somewhat "feature complete" it is being discontinued, rewritten from square one and it takes years until most of the features I care for are back and even half of the plugins and extra scripts work, which is usually a day before they announce a rewrite.

Offline

#23 2014-09-25 16:32:55

lolilolicon
Member
Registered: 2009-03-05
Posts: 1,722

Re: Bash CVE-2014-6271 Vulnerability

Haha, if only that happens more often! tongue

Last edited by lolilolicon (2014-09-25 16:33:24)


This silver ladybug at line 28...

Offline

#24 2014-09-25 17:15:47

hydn
Member
From: Antigua
Registered: 2012-09-23
Posts: 104
Website

Re: Bash CVE-2014-6271 Vulnerability

Akamai has developed their own emergency patch which makes function forwarding conditional on the compile-time switch “FUNCTION_EXPORT”: https://bit.ly/ShellShockPatch

Offline

#25 2014-09-25 18:25:34

ewaller
Administrator
From: Pasadena, CA
Registered: 2009-07-13
Posts: 16,712

Re: Bash CVE-2014-6271 Vulnerability

On a related note.  I post this here as it might be of interest to some members....

I just checked my DD-WRT based router for this vulnerability.   It comes stock with Busybox and does not seem to be vulnerable, but...   I keep bash on a separate partition which gets mounted on /opt.  That bash is vulnerable.  Until the DD-WRT project catches up, I suggest anyone using that router firmware consider disabling Bash for the time being and stick with BB.

Also, as another aside, ArchArm has this fix in place now and is safely running on my Raspberry Pi.   

I did kill the ssh service on the Windows Box that let me into bash via Cygwin.  Cygwin Bash is vulnerable as of when I began this post.

Last edited by ewaller (2014-09-25 18:26:18)


Nothing is too wonderful to be true, if it be consistent with the laws of nature -- Michael Faraday
Sometimes it is the people no one can imagine anything of who do the things no one can imagine. -- Alan Turing
---
How to Ask Questions the Smart Way

Offline
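
Added example, not part of any post in this thread: a small script that runs the two test commands quoted above (post #1 for CVE-2014-6271, post #10 for CVE-2014-7169) against every bash copy on a machine, since post #25 shows a second bash under /opt can stay vulnerable after the system one is patched. The function names and the default path list are assumptions made for this example.

```shell
#!/bin/sh
# Added example: checks built from the two test commands quoted in this thread.

# Classify captured output of the CVE-2014-6271 test from post #1. The injected
# command ran only if "vulnerable" appears as a line of its own.
classify_6271() {
    if printf '%s\n' "$1" | grep -qx 'vulnerable'; then
        echo vulnerable
    else
        echo not-vulnerable
    fi
}

# Run the post #1 test against one specific bash binary ($1).
check_6271() {
    out=$(env x='() { :;}; echo vulnerable' "$1" -c 'echo this is a test' 2>&1) || true
    classify_6271 "$out"
}

# Run the post #10 test (CVE-2014-7169) against $1 in a scratch directory:
# an affected bash leaves a file named "echo" behind.
check_7169() {
    dir=$(mktemp -d) || return 1
    ( cd "$dir" && env X='() { (a)=>\' "$1" -c 'echo date' >/dev/null 2>&1 ) || true
    if [ -e "$dir/echo" ]; then result=vulnerable; else result=not-vulnerable; fi
    rm -rf "$dir"
    echo "$result"
}

# Check every bash copy passed as an argument. The default path list is an
# assumption; add wherever extra copies live (e.g. a separately mounted /opt).
scan_bash_copies() {
    [ $# -gt 0 ] || set -- /bin/bash /usr/bin/bash /usr/local/bin/bash /opt/bin/bash
    for b in "$@"; do
        [ -x "$b" ] || continue
        echo "$b CVE-2014-6271=$(check_6271 "$b") CVE-2014-7169=$(check_7169 "$b")"
    done
    return 0
}

scan_bash_copies "$@"
```

Pass explicit paths as arguments to check copies outside the default list; processes started before the upgrade keep running the old binary until they are restarted.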
