Products Openwall GNU/*/Linux   server OS Linux Kernel Runtime Guard John the Ripper   password cracker Free & Open Source for any platform in the cloud Pro for Linux Pro for macOS Wordlists   for password cracking passwdqc   policy enforcement Free & Open Source for Unix Pro for Windows (Active Directory) yescrypt   KDF & password hashing yespower   Proof-of-Work (PoW) crypt_blowfish   password hashing phpass   ditto in PHP tcb   better password shadowing Pluggable Authentication Modules scanlogd   port scan detector popa3d   tiny POP3 daemon blists   web interface to mailing lists msulogin   single user mode login php_mt_seed   mt_rand() cracker Services Publications Articles Presentations Resources Mailing lists Community wiki Source code repositories (GitHub) Source code repositories (CVSweb) File archive & mirrors How to verify digital signatures OVE IDs What's new

Date: Thu, 25 Sep 2014 20:05:33 +0400
From: Solar Designer <solar@...nwall.com>
To: oss-security@...ts.openwall.com
Cc: chet.ramey@...e.edu
Subject: Re: CVE-2014-6271: remote code execution through bash

On Thu, Sep 25, 2014 at 04:17:31PM +0100, John Haxby wrote:
> There seems to be a wider issue even when we have well-formed functions
> coming in, for example,
> 
>     env rm='() { echo will not; }' bash -c 'rm core'

John first brought this aspect up on the private distros list, but I
asked for it to be moved to oss-security, which John did (thanks!)

My reply on distros was:

| It appears that right now we're only dealing with the case when the
| attacker can't specify arbitrary env var names.  Attacks are limited in
| that way if performed e.g. via/on sshd forced command or httpd CGI
| interface.
| 
| With an arbitrary env var, you could arguably do lots of damage anyway -
| e.g., via LD_PRELOAD.  However, I think there are notable exceptions to
| this - e.g., when a sudo-like program or/and libc resets the known
| variables like LD_*, but does not use a whitelist, so things like a
| variable named "rm" (or BASH_FUNC_rm() after Florian's patch) would
| make it through a SUID exec, switching of privs to another user, and  
| exec'ing a script.  So, yes, there may be an issue here for some setups
| that are risky but are not necessarily exploitable otherwise.
| 
| I don't know if there's any plan to deal with this issue.  We really
| ought to discuss it on oss-security.

> My feeling is that if you're going to import functions from the
> environment then you should do that explicitly either through a switch
> (--import?) or a builtin that can import all or selected functions.  Or
> both.

While your specific examples are not necessarily relevant, I agree that
in the long run the functionality should be restricted in a way like you
suggest.

> I worry that simply fixing CVE-2014-6271 and CVE-2014-7129 is just
> setting the scene for the next parser problem.

That's my feeling too.

At the very least, we also need Florian's patch adding a prefix and a
suffix to the variable names, although this won't be sufficient against
local attacks via existing blacklist-using sudo-like wrappers.

Our excuse is that blacklists are not a good practice anyway.

Alexander

Powered by blists - more mailing lists

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.