Date: Sat, 4 Oct 2014 00:19:06 +0100
From: Riot <rain.backnet@...il.com>
To: oss-security@...ts.openwall.com
Subject: Re: Shellshock timeline (was: CVE-2014-6271: remote
 code execution through bash)

A couple of people on IRC (special thanks to rymate1234) and I carried out
some code archeology of this earlier as events first unfolded.  Although
commonly cited in the press as going back to bash 1.13, we confirmed the
bug exists all the way back to bash 1.05.

We had to do some fairly obscure digging for this, because the old bash
versions are very difficult to compile on modern setups.  Rather than just
statically analyse the source, we wanted to actually test various builds.
We started by building a 1996 version of Slackware, and got 1.12 and 1.13
building, confirming the bug existed in 1.12 and earlier.  We also found a
few binary images containing built versions of 1.12 and confirmed the bug
existed in those: http://images.rymate.co.uk/images/ihewGLM.png

We then worked further back in time, unearthing bash 1.08.2 on an ancient
1991 Atari ST image: http://images.rymate.co.uk/images/iwaSGPo.png  This
was also vulnerable.  This version is relevant because the first version of
bash ported to linux was bash 1.08 - here's the original post by Linus at
the tender age of  advertising his first build of linux on the minix
newsgroup in 1991, explicitly mentioning bash 1.08.  This datum told us
that shellshock is older than all of linux, which makes for a nice
soundbite for the press.

Going back further proved very difficult because few archives including
these early versions exist anywhere, and by all accounts the early releases
were buggy and not particularly portable.  We eventually managed to locate
an image for an obscure Japanese Human68k containing bash 1.05.  Here it
identifies itself as bash 1.05 X6_19:
http://images.rymate.co.uk/images/kH8VnTo.png  The file is dated
12/08/1991... and of course it's vulnerable:
http://images.rymate.co.uk/images/zTYm05I.png

That was the earliest release, either source or binary, we were able to get
hold of.  We were also unable to find any documentation or even casual
mention of any version between 0.99 and 1.05, and one of the few mentions of
bash 0.99 is the 1989 release announcement by Brian Fox, the original
developer, at the gnu.announce newsgroup:
https://groups.google.com/forum/#!topic/gnu.announce/hvhlR1Vn1P0  This was
announced as a beta, and we've been unable to find any mention of any
earlier version.  The path to look for is /u2/emacs/bash-0.99.tar.Z but
we've been unable to locate this in any archives, and at this point
consider it lost - please do keep an eye out for this file!

If anyone has a way of contacting Brian Fox, he might just have an old
archive of ancient versions of bash banging around which could put the
question to rest once and for all - at which point exactly was shellshock
introduced.  But so far, all indications lead to the implication that the
bug has been in bash since its very inception in the late 80s, and before
it was ever released to the public.

Regards,
Riot

P.S. If any of you publish any of this information, please let me know :)

On 3 October 2014 23:17, Kobrin, Eric <ekobrin@...mai.com> wrote:

> On Oct 3, 2014, at 5:30 PM, Stephane Chazelas <stephane.chazelas@...il.com>
> wrote:
>
> > Sorry, I said in the other email that it was not in 1.12. That's
> > my memory failing. I remember checking that it was not in 1.05
> > and it was, which is even more than my memory failing. Chet did
> > tell me that it was added in 1.13 though. I've now found 1.12
> > (
> ftp://ftp.it.xemacs.org/%7BD/unix/packages/NCSA/DEC_Alpha/bash-1.12.tar.Z)
>
> No worries.
>
> The version I used was at:
> http://www.oldlinux.org/Linux.old/bin/old/bash-1.05/variables.c
> Full tar: http://www.oldlinux.org/Linux.old/bin/old/bash-1.05.tar
>
> Brian Fox even wrote a UseNet post advertising the feature on September
> 8th, 1989 -- just over 25 years before you showed the rest of us that it
> was a vulnerability in disguise:
>
> https://groups.google.com/d/msg/gnu.bash.bug/72jXoIWYsfE/jJqC-fjSh0wJ
>
> If anyone has a copy of bash-1.02 or bash-1.03, I'd love to see it. It
> should be floating around some of the old NeXT archives.
>
> -- Eric Kobrin
>
>
>
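
The probe the thread ran against the old builds only appears in the linked screenshots, not in the text. As an added example (not code from this post, from Riot's IRC group, or from the bash project), here is a portable script that checks a given bash binary for the CVE-2014-6271 behaviour named in the subject line: a vulnerable bash imports a function from any environment variable whose value starts with "() {" and, before the fix, also executes whatever follows the function body. The function name shellshock_probe, the environment variable name probe and the marker string are choices made for this example; only the "() {" prefix of the value is significant to bash.

```shell
#!/bin/sh
# Added example: probe a bash binary for the CVE-2014-6271 function-import bug.
#
# A vulnerable bash parses a function definition out of any environment
# variable whose value begins with "() {" and then keeps parsing past the
# closing brace, executing the trailing command. The probe exports such a
# variable, runs the candidate shell on a harmless command, and checks whether
# the trailing "echo" ran. Nothing here depends on the variable name; "probe"
# is an arbitrary choice for this example.
#
# Usage:  shellshock_probe /path/to/bash
# Return: 0 = vulnerable (trailing command executed)
#         1 = not vulnerable (or not a bash at all: other shells ignore it)
#         2 = binary missing, not executable, or failed to run
shellshock_probe() {
    shell="$1"
    [ -n "$shell" ] && [ -x "$shell" ] || return 2
    marker="trailing-command-ran-$$"
    # env sets the variable only for the child, so the caller's environment
    # is left untouched. The child's own command just prints a sentinel.
    out=$(env "probe=() { :; }; echo $marker" "$shell" -c 'echo probe-ran' 2>/dev/null) \
        || return 2
    case "$out" in
        *"$marker"*) return 0 ;;
        *)           return 1 ;;
    esac
}

# Report on each candidate binary given on the command line, e.g.
#   sh shellshock_probe.sh /bin/bash /opt/old/bash-1.12/bash
for candidate in "$@"; do
    rc=0
    shellshock_probe "$candidate" || rc=$?
    case $rc in
        0) echo "$candidate: VULNERABLE (trailing command executed)" ;;
        1) echo "$candidate: not vulnerable" ;;
        *) echo "$candidate: could not run binary" ;;
    esac
done
```

The probe only exercises the original CVE-2014-6271 parser bug; the later follow-up issues in the same function-import code need their own test strings. A result of 1 for a non-bash shell is expected, since only bash ever imported functions from the environment this way.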
