Date: Sat, 4 Oct 2014 00:19:06 +0100 From: Riot <rain.backnet@...il.com> To: oss-security@...ts.openwall.com Subject: Re: Shellshock timeline (was: CVE-2014-6271: remote code execution through bash) I and a couple of people on IRC (special thanks to rymate1234) carried out some code archeology of this earlier as events first unfolded. Although commonly cited in the press as going back to bash 1.13, we confirmed the bug exists all the way back to bash 1.05. We had to do some fairly obscure digging for this, because the old bash versions are very difficult to compile on modern setups. Rather than just statically analyse the source, we wanted to actually test various builds. We started by building 1996 version of slackware, and got 1.12 and 1.13 building, confirming the bug existed in 1.12 and earlier. We also found a few binary images containing built versions of 1.12 and confirmed the bug existed in those: http://images.rymate.co.uk/images/ihewGLM.png We then worked further back in time, unearthing bash 1.08.2 on an ancient 1991 Atari ST image: http://images.rymate.co.uk/images/iwaSGPo.png This was also vulnerable. This version is relevant because the first version of bash ported to linux was bash 1.08 - here's the original post by Linus at the tender age of advertising his first build of linux on the minix newsgroup in 1991, explicitly mentioning bash 1.08. This datum told us that shellshock is older than all of linux, which makes for a nice soundbite for the press. Going back further proved very difficult because few archives including these early versions exist anywhere, and by all accounts the early releases were buggy and not particularly portable. We eventually managed to locate an image for an obscure Japanese Human68k containing bash 1.05. Here it identifies itself as bash 1.05 X6_19: http://images.rymate.co.uk/images/kH8VnTo.png The file is dated 12/08/1991... and of course it's vulnerable: http://images.rymate.co.uk/images/zTYm05I.png That was the earliest release, either source or binary, we were able to get hold of. We were also unable to find any documentation or even casual mention of any version between 0.99 and 1.05, and one of few mentions of bash 0.99 is the 1989 release announcement by Brian Fox, the original developer, at the gnu.announce newsgroup: https://groups.google.com/forum/#!topic/gnu.announce/hvhlR1Vn1P0 This was announced as a beta, and we've been unable to find any mention of any earlier version. The path to look for is /u2/emacs/bash-0.99.tar.Z but we've been unable to locate this in any archives, and at this point consider it lost - please do keep an eye out for this file! If anyone has a way of contacting Brian Fox, he might just have an old archive of ancient versions of bash banging around which could put the question to rest once and for all - at which point exactly was shellshock introduced. But so far, all indications lead to the implication that the bug has been in bash since its very inception in the late 80s, and before it was ever released to the public. Regards, Riot P.S. If any of you publish any of this information, please let me know :) On 3 October 2014 23:17, Kobrin, Eric <ekobrin@...mai.com> wrote: > On Oct 3, 2014, at 5:30 PM, Stephane Chazelas <stephane.chazelas@...il.com> > wrote: > > > Sorry, I said in the other email that it was not in 1.12. That's > > my memory failing. I remember checking that it was not in 1.05 > > and it was, which is even more than my memory failing. Chet did > > tell me that it was added in 1.13 though. I've now found 1.12 > > ( > ftp://ftp.it.xemacs.org/%7BD/unix/packages/NCSA/DEC_Alpha/bash-1.12.tar.Z) > > No worries. > > The version I used was at: > http://www.oldlinux.org/Linux.old/bin/old/bash-1.05/variables.c > Full tar: http://www.oldlinux.org/Linux.old/bin/old/bash-1.05.tar > > Brian Fox even wrote a UseNet post advertising the feature on September > 8th, 1989 -- just over 25 years before you showed the rest of us that it > was a vulnerability in disguise: > > https://groups.google.com/d/msg/gnu.bash.bug/72jXoIWYsfE/jJqC-fjSh0wJ > > If anyone has a copy of bash-1.02 or bash-1.03, I'd love to see it. It > should be floating around some of the old NeXT archives. > > -- Eric Kobrin > > >
Powered by blists - more mailing lists
Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.
Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.