
Remote Code Exploitation through Bash


In a recent security advisory, CVE-2014-6271, a remotely exploitable flaw was disclosed that can be used to execute arbitrary code via environment variables passed to child processes. This could include CGI scripts, where a web server passes request data through as environment variables to a child process that is run by a Bash script, on vulnerable versions of Bash. InfoQ has produced a post explaining the bug in more detail.

Debian and Red Hat have provided updated binaries already, and other operating system vendors are expected to follow suit shortly. Apple uses a very old version of Bash which is vulnerable to the attack, and there is no word of an update from them at this stage. There is an answer at apple.stackexchange.com which gives instructions for rebuilding bash on Mac OS X systems.

The vulnerability comes from a value passed into an environment variable:

 env x='() { :;}; echo vulnerable'

The next time a /bin/bash process is launched, the code will be executed and its output displayed on the console. The problem stems from Bash failing to parse the environment variable correctly, so that the code following the semicolon is executed inadvertently. CGI scripts that are launched with Bash (or /bin/sh where /bin/sh is a symlink to /bin/bash) will then execute the code trivially.

A remote attacker can use this to pass in bad content (such as a USER variable) which may be exported to a CGI script as an argument. If this is a Bash script, then full control of the running process on the machine is to be expected.

More details are provided by the developer of Bash, which can be summarised:

The technical details of the vulnerability follow.
Bash supports exporting not just shell variables, but also shell.
functions to other bash instances, via the process environment to
(indirect) child processes. Current bash versions use an environment
variable named by the function name, and a function definition
starting with “() {” in the variable value to propagate function
definitions through the environment. The vulnerability occurs because
bash does not stop after processing the function definition; it
continues to parse and execute shell commands following the function
definition. For example, an environment variable setting of

 VAR=() { ignored; }; /bin/id

will execute /bin/id when the environment is imported into the bash
process. (The process is in a slightly undefined state at this point.
The PATH variable may not have been set up yet, and bash could crash
after executing /bin/id, but the damage has already happened at this
point.)

The fact that an environment variable with an arbitrary name can be
used as a carrier for a malicious function definition containing
trailing commands makes this vulnerability particularly severe; it
enables network-based exploitation.

Both HTTP and SSH may be vulnerable; for example, through variables such as REMOTE_HOST and TERM respectively.

Developers and operations staff who are responsible for internet-facing systems should upgrade bash immediately or take steps to mitigate any attacks, which are reportedly already in progress. Patches are available for the following versions of Bash:

http://ftp.gnu.org/pub/gnu/bash/bash-3.0-patches/bash30-017
http://ftp.gnu.org/pub/gnu/bash/bash-3.1-patches/bash31-018
http://ftp.gnu.org/pub/gnu/bash/bash-3.2-patches/bash32-052
http://ftp.gnu.org/pub/gnu/bash/bash-4.0-patches/bash40-039
http://ftp.gnu.org/pub/gnu/bash/bash-4.1-patches/bash41-012
http://ftp.gnu.org/pub/gnu/bash/bash-4.2-patches/bash42-048
http://ftp.gnu.org/pub/gnu/bash/bash-4.3-patches/bash43-025

UPDATE 25 September: There is still a vulnerability (CVE-2014-7169) even after the above patches have been applied. Thanks to focus in this area, many people are looking at the code and/or fuzzing it to try and find out what else is possible. This was reported on Twitter by Tavis Ormandy and the proof of concept allows remote overwriting of files owned by that process:

 $ env X='() { (a)=>\' sh -c "echo date"; cat echo
 sh: X: line 1: syntax error near unexpected token `='
 sh: X: line 1: `'
 sh: error importing function definition for `X'
 Thu 25 Sep 2014 08:33:10 BST

Chet Ramey, the maintainer of Bash, has acknowledged the issue and provided a work-in-progress patch, but it has not been officially released on the Bash website. System administrators should consider the currently fixed Bash version to still be vulnerable. When an official patch is provided this post will be updated.

UPDATE 26 September: There is a proposed set of patches available on the security mailing list, which fixes CVE-2014-7169. These have now been published officially:

http://ftp.gnu.org/pub/gnu/bash/bash-3.0-patches/bash30-018
http://ftp.gnu.org/pub/gnu/bash/bash-3.1-patches/bash31-019
http://ftp.gnu.org/pub/gnu/bash/bash-3.2-patches/bash32-053
http://ftp.gnu.org/pub/gnu/bash/bash-4.0-patches/bash40-040
http://ftp.gnu.org/pub/gnu/bash/bash-4.1-patches/bash41-013
http://ftp.gnu.org/pub/gnu/bash/bash-4.2-patches/bash42-049
http://ftp.gnu.org/pub/gnu/bash/bash-4.3-patches/bash43-026

Most vendors have already made patched versions available for their customers.

UPDATE 29 September: There is a second set of patches available, which fixes the overwrite-bash-functions flaw:

$ env ls="() { echo 'Game over'; }" bash -c ls
Game over

The patch changes the names of exported bash functions so that the environment variable names begin with a BASH_FUNC prefix, which is not likely to collide with system binaries used in scripts.
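The following self-check script is an added example, not code from the InfoQ article or from the Bash project. It turns the two behaviours described above (the trailing-command import from the original advisory and the `ls` collision from the 29 September update) into local pass/fail checks, and shows how the patched bash encodes an exported function in the environment; `probe_fn` is a constructed function name.

```shell
#!/bin/sh
# Added example (not from the article or the Bash project): local self-checks for
# the two function-import flaws described above. Each check returns
# 0 = patched behaviour observed, 1 = vulnerable behaviour observed, 2 = no bash found.

# CVE-2014-6271: a function definition carried in the environment must not
# have the commands after its closing brace executed on import.
shellshock_check() {
    command -v bash >/dev/null 2>&1 || return 2
    out=$(env x='() { :;}; echo VULNERABLE' bash -c 'echo ok' 2>/dev/null)
    case "$out" in
        *VULNERABLE*) return 1 ;;   # trailing command ran during import
        *)            return 0 ;;   # only the intended 'echo ok' ran
    esac
}

# 29 September flaw: an environment variable named like a system binary must
# not be imported as a function that shadows that binary.
function_collision_check() {
    command -v bash >/dev/null 2>&1 || return 2
    out=$(env ls="() { echo 'Game over'; }" bash -c 'ls /' 2>/dev/null)
    case "$out" in
        *"Game over"*) return 1 ;;  # the bogus function shadowed /bin/ls
        *)             return 0 ;;  # the real ls ran; $ls stayed a plain string
    esac
}

# Shows how this bash encodes an exported function in the environment. A patched
# bash names the variable with a BASH_FUNC_ prefix (e.g. BASH_FUNC_probe_fn%%)
# instead of using the bare function name; probe_fn is a constructed name.
exported_function_name() {
    command -v bash >/dev/null 2>&1 || return 2
    bash -c 'probe_fn() { :; }; export -f probe_fn; env' 2>/dev/null \
        | sed -n 's/^\([^=]*probe_fn[^=]*\)=.*/\1/p'
}

# Report when run directly.
for check in shellshock_check function_collision_check; do
    "$check"; rc=$?
    case $rc in
        0) echo "$check: patched" ;;
        1) echo "$check: VULNERABLE" ;;
        *) echo "$check: bash not found" ;;
    esac
done
echo "exported function variable name: $(exported_function_name)"
```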

The patches have now been published officially upstream:

http://ftp.gnu.org/pub/gnu/bash/bash-3.0-patches/bash30-019
http://ftp.gnu.org/pub/gnu/bash/bash-3.1-patches/bash31-020
http://ftp.gnu.org/pub/gnu/bash/bash-3.2-patches/bash32-054
http://ftp.gnu.org/pub/gnu/bash/bash-4.0-patches/bash40-041
http://ftp.gnu.org/pub/gnu/bash/bash-4.1-patches/bash41-014
http://ftp.gnu.org/pub/gnu/bash/bash-4.2-patches/bash42-050
http://ftp.gnu.org/pub/gnu/bash/bash-4.3-patches/bash43-027

Users who install bash and whose --version string matches the patch number above are safe.

And finally, Apple have released their patch to the bash problem, several days after it became widespread. It is a manual update (so it won't be installed by Software Update) and there are separate downloads for Mavericks (10.9.5), Mountain Lion (10.8.5) and Lion (10.7.5).
