Date:  Fri, 26 Sep 2014 09:54:40 +0100
From: "Mark R Bannister" <mark@...seconsulting.co.uk>
To: oss-security@...ts.openwall.com
Subject: Re: CVE-2014-6271: remote code execution through bash (3rd vulnerability)

Testing patch 25 and 26 from Chet, it looks to me like this is still an incomplete fix.  The third vulnerability I'd like to report is the feature itself in bash that allows functions to be passed in the environment, e.g.
$ env ls='() { echo vulnerable; }' bash -c ls

This allows an attacker to replace a command used by a bash script with arbitrary code.  It is then down to an attacker to find a suitable command that the bash script (or any child shells) might call without a path component.

I can't see this being a problem for Apache custom headers (the variable name is turned to uppercase and prefixed by HTTP_), nor sudo commands if env_reset is on (the default), but this continues to be a major vulnerability for setuid/setgid scripts (S_ISUID or S_ISGID) where the environment is preserved.

One might say that importing functions from the environment is a feature, not a bug, and that the security of setuid/setgid has long been questioned.  However, folk rely on it nonetheless, and bash makes it exceptionally easy to exploit.  I've demonstrated a root exploit this morning using this vulnerability with the latest bash source code and patches.

Prior to Chet's patches I could also do:

$ env /bin/ls='() { echo vulnerable; }' bash -c /bin/ls

... but with patch 25 this permutation is disallowed.

I'm not sure what the answer should be here.  Remove the feature from bash and live with the few programs that break?  Patch every OS to clear the environment on setuid/setgid and live with a few other programs that might break?  Tell everyone to stop using setuid/setgid now and forever?

Any other suggestions ... ?

Best regards,
Mark R. Bannister.
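As an added illustration (not part of the post above), the script below checks whether the local bash still turns an environment variable shaped like `() { ...; }` into a function, and shows two launcher-side mitigations of the kind the post raises: discarding the caller's environment entirely, or stripping only the variables that carry a function-definition marker. The variable name `probe_fn`, the `imported` marker and the `PROBE_CMD` string are constructed for this example.

```shell
#!/bin/sh
# Added example, not from the original post. Constructed names: probe_fn,
# the "imported" marker, and the PROBE_CMD string.
BASH_BIN=$(command -v bash || command -v sh)
# Child command: report whether a function named probe_fn exists in the child shell.
PROBE_CMD='type probe_fn >/dev/null 2>&1 && echo imported || echo not-imported'

# Check: does this bash turn an env var shaped like "() { ...; }" into a function?
bash_imports_env_functions() {
    out=$(env probe_fn='() { echo imported; }' "$BASH_BIN" -c "$PROBE_CMD")
    [ "$out" = "imported" ]
}

# Mitigation 1 from the discussion: a setuid/setgid launcher discards the
# caller's environment and rebuilds a minimal one before running the script.
run_with_clean_env() {
    env -i PATH=/usr/bin:/bin "$BASH_BIN" -c "$1"
}

# Mitigation 2: keep the environment but unset every variable whose value starts
# with the function-definition marker "() {" (plain variable names only).
run_without_env_functions() {
    for name in $(env | sed -n 's/^\([A-Za-z_][A-Za-z0-9_]*\)=() {.*$/\1/p'); do
        unset "$name"
    done
    "$BASH_BIN" -c "$1"
}

# Both wrappers must stop the injected definition from reaching the child,
# whatever the installed bash version does. The export happens inside $(...),
# i.e. in a subshell, so the probe never leaks into the calling environment.
clean_env_blocks_import() {
    out=$(export probe_fn='() { echo imported; }'; run_with_clean_env "$PROBE_CMD")
    [ "$out" = "not-imported" ]
}

filter_blocks_import() {
    out=$(export probe_fn='() { echo imported; }'; run_without_env_functions "$PROBE_CMD")
    [ "$out" = "not-imported" ]
}

# Human-readable summary of the host check; always exits 0.
report() {
    if bash_imports_env_functions; then r=yes; else r=no; fi
    echo "bash imports functions from environment: $r"
}

report
```

The first check depends on which bash is installed; the two wrapper checks must pass on any version, since the definition never reaches the child shell.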
