Those with bash installed, beware the bash env security bug

If you are using bash in any way on your NSLU2 or really any device running linux, you are vulnerable to attacks using a recently discovered security bug.

 $ export x='() { :;}; echo vulnerable'
 $ bash -c "echo this is a test"
 vulnerable
 this is a test
 $
 

 In a nutshell, if the user can set ANY string that is assigned to an environmental variable, the system is vulnerable. It is not uncommon for processes to set values passed in by the user as environmental variables before spawning a shell instance such as a shell script using bash. On my own router I found I was vulnerable through several cron scripts I had written that pass values from DNS lookups that could potentially be hacked to add such a magic string by anyone with access to the DNS server. Here are some articles that describe the issue further:
 

 http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-6271
 https://access.redhat.com/articles/1200223
 https://securityblog.redhat.com/2014/09/24/bash-specially-crafted-environment-variables-code-injection-attack/

 

 Keep in mind, many systems link bash as sh. In which case what you will see when testing sh is:

 $ export x='() { :;}; echo vulnerable'
 $ sh -c "echo this is a test"
 vulnerable
 this is a test
 $
 

 This is an even more severe variation of the bug, as many programs will fork an instance of shell without you even knowing it.
 

 Alternative shells such as ash, included in busybox systems, are not vulnerable.
 

 Bill
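
Added example (not part of the original post): for cron scripts like the ones described above, which put DNS-derived values into the environment before a shell is spawned, the value can be checked against an allowlist first. The function names and the variable name RESOLVED_ADDR used in the note below are hypothetical.

```sh
#!/bin/sh
# Added example, not from the thread. Function names are hypothetical.
# Idea: a value obtained from DNS is only exported if it contains nothing
# but hostname / IP-literal characters, so a string such as
# '() { :;}; echo vulnerable' never reaches a child shell's environment.

# is_safe_dns_value VALUE
# Returns 0 when VALUE is non-empty, at most 253 characters, does not start
# with '-' or '.', and consists only of letters, digits, '.', ':' and '-'.
is_safe_dns_value() {
    case "$1" in
        '')                 return 1 ;;   # empty answer
        -* | .*)            return 1 ;;   # looks like an option / bad label
        *[!A-Za-z0-9.:-]*)  return 1 ;;   # anything outside the allowlist
    esac
    [ "${#1}" -le 253 ]
}

# export_dns_value NAME VALUE
# Exports NAME=VALUE only if VALUE passes the allowlist; otherwise leaves
# the environment untouched, reports on stderr and returns 1.
export_dns_value() {
    if is_safe_dns_value "$2"; then
        export "$1=$2"
    else
        echo "refusing to export $1: value failed allowlist" >&2
        return 1
    fi
}
```

In a cron script this would be called as `export_dns_value RESOLVED_ADDR "$answer" || exit 1` before any other program is started. It narrows what can reach the environment but does not replace a patched bash.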

 

Re: Those with bash installed, beware the bash env security bug

On 25/09/2014 15:22, [hidden email] [nslu2-general] wrote:
> If you are using bash in any way on your NSLU2 or really any device
> running linux, you are vulnerable to attacks using a recently discovered
> security bug.

Current optware is vulnerable. All the more reason to try and make
optware more current … I'm ready to help, but am I the only one?

Cheers
--
Romain

Re: Those with bash installed, beware the bash env security bug

So a patched version of bash is needed. Has anyone tried to cross-compile it?

Francesco

Re: Those with bash installed, beware the bash env security bug

On 26/09/2014 11:25, [hidden email] [nslu2-general] wrote:
> so a patched version of bash is needed. someone have tried to
> crosscompile it?

FWIW, Bash 3.2.52 compiled fine here. It was just a matter of changing
the BASH_PATCH_LEVEL in the makefile.

Re: Those with bash installed, beware the bash env security bug

I updated bash to 3.2.52-1, but it couldn't do it. The date of the file is updated, the install process is ready, but bash --help shows 3.2.49(1) only. And it is vulnerable... :( I don't understand it.

 

 ipkg install bash_3.2.52-1_arm.ipk
 Installing bash (3.2.52-1) to root...
 Configuring bash
 Successfully terminated.
 


 Bash is updated:

 Or not:

[Non-text portions of this message have been removed]


Re: Those with bash installed, beware the bash env security bug

Oh, I see that the images aren't loaded up. :(

 Current bash version:
 bash -version

 GNU bash, version 3.2.49(1)-release (arm-none-linux-gnueabi)

 Copyright (C) 2007 Free Software Foundation, Inc.

 I downloaded the latest fresh bash manually, because the ipkg update && ipkg upgrade doesn't update it.

 wget http://ipkg.nslu2-linux.org/feeds/optware/cs08q1armel/cross/stable/bash_3.2.52-1_arm.ipk

 I updated with it as root:


 ipkg install bash_3.2.52-1_arm.ipk


 Installing bash (3.2.52-1) to root...
 Configuring bash
 Successfully terminated.


But no changes in version:
 bash -version

 GNU bash, version 3.2.49(1)-release (arm-none-linux-gnueabi)

 Copyright (C) 2007 Free Software Foundation, Inc.

 

 The bash file is updated:

 http://dl.dropbox.com/u/3577295/Kijel%C3%B6l%C3%A9s_051.png

 What do you think is the problem with the 3.2.52-1 version?



Re: Those with bash installed, beware the bash env security bug

On 28/09/2014 10:21, [hidden email] [nslu2-general] wrote:
> Oh, I see that the images aren't loaded up. :(

The problem is that the person who committed the "upgrade" forgot to
copy patches to the sources/bash/bash-3.2-patches. I was wrong to assume
that changing the patchlevel was enough, and so was this person :)

If you change the patchlevel (we're at 054 now) *AND* copy the patches
in the right place, you get the expected results:

bash-3.2# env 'VAR=() { :;}; echo Bash is vulnerable!' 'FUNCTION()=() { :;}; echo Bash is vulnerable!' bash -c "echo Bash Test"
Bash Test
bash-3.2# bash --version
GNU bash, version 3.2.54(2)-release (x86_64-pc-linux-gnu)
Copyright (C) 2007 Free Software Foundation, Inc.
bash-3.2#

If I had commit permissions I would fix it, but I don't :)

Cheers
--
Romain
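
Added example (not part of the original posts): the exchange above shows a package that reported 3.2.52-1 while the installed binary stayed vulnerable, so the check after an upgrade should test behaviour, not the version string. The sketch below runs the test from the first post against each shell path given and shows what the path resolves to; the function names, the marker string and the example paths are hypothetical.

```sh
#!/bin/sh
# Added example, not from the thread. Function names and MARKER are
# hypothetical. Tests behaviour instead of trusting the package version.

MARKER="env-probe-6271"

# shell_runs_env_code SHELL
# 0: SHELL executed the command that trails the function definition in x
# 1: SHELL ignored it   2: SHELL could not be run or gave unexpected output
shell_runs_env_code() {
    out=$(env "x=() { :;}; echo $MARKER" "$1" -c 'echo probe-done' 2>/dev/null) || return 2
    case "$out" in
        *"$MARKER"*)  return 0 ;;
        *probe-done*) return 1 ;;
        *)            return 2 ;;
    esac
}

# audit_shells SHELL...
# Prints one line per path with the file it resolves to (sh is often a link
# to bash). Returns 1 if any shell is vulnerable, else 0.
audit_shells() {
    rc=0
    for p in "$@"; do
        if [ ! -x "$p" ]; then echo "$p: not installed"; continue; fi
        real=$(readlink -f "$p" 2>/dev/null) || real=$p
        status=0
        shell_runs_env_code "$p" || status=$?
        case $status in
            0) echo "$p -> $real: VULNERABLE"; rc=1 ;;
            1) echo "$p -> $real: not vulnerable to this test" ;;
            *) echo "$p -> $real: could not be tested" ;;
        esac
    done
    return $rc
}

# Typical call after an upgrade (paths are examples):
# audit_shells /bin/sh /bin/bash /opt/bin/bash
```

This covers only the `x='() { ...'` test from the first post; a clean result here says nothing about the second variable form used in the command above.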

Re: Those with bash installed, beware the bash env security bug

When I have time I will take a look. I committed the update based on your
feedback.

Regards
Ovidiu Sas
 On Sep 29, 2014 12:06 PM, "Romain Rivière [hidden email]
[nslu2-general]" <[hidden email]> wrote:

>
>
> On 28/09/2014 10:21, [hidden email] [nslu2-general] wrote:
> > Oh, I see that the images aren't loaded up. :(
>
> The problem is that the person who committed the "upgrade" forgot to
> copy patches to the sources/bash/bash-3.2-patches. I was wrong to assume
> that changing the patchlevel was enough, and so was this person :)
>
> If you change the patchlevel (we're at 054 now) *AND* copy the patches
> in the right place, you get the expected results:
>
> bash-3.2# env 'VAR=() { :;}; echo Bash is vulnerable!' 'FUNCTION()=() {
> :;}; echo Bash is vulnerable!' bash -c "echo Bash Test"
> Bash Test
> bash-3.2# bash --version
> GNU bash, version 3.2.54(2)-release (x86_64-pc-linux-gnu)
> Copyright (C) 2007 Free Software Foundation, Inc.
> bash-3.2#
>
> If I had commit permissions I would fix it, but I don't :)
>
> Cheers
> --
> Romain
>  
>

Re: Those with bash installed, beware the bash env security bug

On 29/09/2014 18:29, Ovidiu Sas [hidden email] [nslu2-general] wrote:
> When I have time I will take a look. I committed the update based on
> your feedback.

Sorry about that, I had been too quick.
Basically it's just a matter of upping the patchlevel to 54, and copying
all remaining patches (050 to 054) from
http://ftp.gnu.org/gnu/bash/bash-3.2-patches/ to
sources/bash/bash-3.2-patches.

Cheers
--
Romain Rivière

Re: Those with bash installed, beware the bash env security bug

Thank you! :) I can update also. [SOLVED]