Date: Sat, 4 Oct 2014 00:21:36 +0100 From: Riot <rain.backnet@...il.com> To: oss-security@...ts.openwall.com Subject: Re: Shellshock timeline (was: CVE-2014-6271: remote code execution through bash) Correction: *Here's the original post by Linus at the tender age of 21 advertising his first build of linux on the minix newsgroup in 1991: http://i.imgur.com/1AEKJ7s.png On 4 October 2014 00:19, Riot <rain.backnet@...il.com> wrote: > I and a couple of people on IRC (special thanks to rymate1234) carried out > some code archeology of this earlier as events first unfolded. Although > commonly cited in the press as going back to bash 1.13, we confirmed the > bug exists all the way back to bash 1.05. > > We had to do some fairly obscure digging for this, because the old bash > versions are very difficult to compile on modern setups. Rather than just > statically analyse the source, we wanted to actually test various builds. > We started by building 1996 version of slackware, and got 1.12 and 1.13 > building, confirming the bug existed in 1.12 and earlier. We also found a > few binary images containing built versions of 1.12 and confirmed the bug > existed in those: http://images.rymate.co.uk/images/ihewGLM.png > > We then worked further back in time, unearthing bash 1.08.2 on an ancient > 1991 Atari ST image: http://images.rymate.co.uk/images/iwaSGPo.png This > was also vulnerable. This version is relevant because the first version of > bash ported to linux was bash 1.08 - here's the original post by Linus at > the tender age of advertising his first build of linux on the minix > newsgroup in 1991, explicitly mentioning bash 1.08. This datum told us > that shellshock is older than all of linux, which makes for a nice > soundbite for the press. > > Going back further proved very difficult because few archives including > these early versions exist anywhere, and by all accounts the early releases > were buggy and not particularly portable. We eventually managed to locate > an image for an obscure Japanese Human68k containing bash 1.05. Here it > identifies itself as bash 1.05 X6_19: > http://images.rymate.co.uk/images/kH8VnTo.png The file is dated > 12/08/1991... and of course it's vulnerable: > http://images.rymate.co.uk/images/zTYm05I.png > > That was the earliest release, either source or binary, we were able to > get hold of. We were also unable to find any documentation or even casual > mention of any version between 0.99 and 1.05, and one of few mentions of > bash 0.99 is the 1989 release announcement by Brian Fox, the original > developer, at the gnu.announce newsgroup: > https://groups.google.com/forum/#!topic/gnu.announce/hvhlR1Vn1P0 This > was announced as a beta, and we've been unable to find any mention of any > earlier version. The path to look for is /u2/emacs/bash-0.99.tar.Z but > we've been unable to locate this in any archives, and at this point > consider it lost - please do keep an eye out for this file! > > If anyone has a way of contacting Brian Fox, he might just have an old > archive of ancient versions of bash banging around which could put the > question to rest once and for all - at which point exactly was shellshock > introduced. But so far, all indications lead to the implication that the > bug has been in bash since its very inception in the late 80s, and before > it was ever released to the public. > > Regards, > Riot > > P.S. If any of you publish any of this information, please let me know :) > > On 3 October 2014 23:17, Kobrin, Eric <ekobrin@...mai.com> wrote: > >> On Oct 3, 2014, at 5:30 PM, Stephane Chazelas < >> stephane.chazelas@...il.com> wrote: >> >> > Sorry, I said in the other email that it was not in 1.12. That's >> > my memory failing. I remember checking that it was not in 1.05 >> > and it was, which is even more than my memory failing. Chet did >> > tell me that it was added in 1.13 though. I've now found 1.12 >> > ( >> ftp://ftp.it.xemacs.org/%7BD/unix/packages/NCSA/DEC_Alpha/bash-1.12.tar.Z >> ) >> >> No worries. >> >> The version I used was at: >> http://www.oldlinux.org/Linux.old/bin/old/bash-1.05/variables.c >> Full tar: http://www.oldlinux.org/Linux.old/bin/old/bash-1.05.tar >> >> Brian Fox even wrote a UseNet post advertising the feature on September >> 8th, 1989 -- just over 25 years before you showed the rest of us that it >> was a vulnerability in disguise: >> >> https://groups.google.com/d/msg/gnu.bash.bug/72jXoIWYsfE/jJqC-fjSh0wJ >> >> If anyone has a copy of bash-1.02 or bash-1.03, I'd love to see it. It >> should be floating around some of the old NeXT archives. >> >> -- Eric Kobrin >> >> >> >
Powered by blists - more mailing lists
Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.
Powered by Openwall GNU/*/Linux - Powered by OpenVZ