LinuxQuestions.org
Old 09-25-2014, 12:06 PM   #16
szboardstretcher
Senior Member
 
Registered: Aug 2006
Location: Detroit, MI
Distribution: GNU/Linux systemd
Posts: 4,237


That looks like the patched version (3.2-33.el5.1)

https://rhn.redhat.com/errata/RHSA-2014-1293.html

Once installed you can read about the patch with:

Code:
rpm -q --changelog bash | head

Last edited by szboardstretcher; 09-25-2014 at 06:45 PM.
 
Old 09-25-2014, 12:12 PM   #17
suicidaleggroll
LQ Guru
 
Registered: Nov 2010
Location: Colorado
Distribution: OpenSUSE, CentOS
Posts: 5,573

Alright then, I'm pretty sure mine are fine: the shell scripts are run using exec in mod_php, no CGI is involved, so as far as I understand it an attacker has no way of passing an environment variable through to the shell.
 
Old 09-25-2014, 12:15 PM   #18
szboardstretcher
Senior Member
 
Registered: Aug 2006
Location: Detroit, MI
Distribution: GNU/Linux systemd
Posts: 4,237

Correct:

Quote:
PHP scripts executed with mod_php are not affected even if they spawn subshells.
https://securityblog.redhat.com/2014...ection-attack/
 
Old 09-25-2014, 12:46 PM   #19
jeremy
root
 
Registered: Jun 2000
Distribution: Debian, Red Hat, Slackware, Fedora, Ubuntu
Posts: 13,020

Re: Bash "shellshock" CVE-2014-6271 CVE-2014-7169 - Shell shock patching?

I've posted a note to the Linux - News forum (and a couple other places). A sticky in Linux - Security may be in order, but I'm not sure a site wide notice is needed at this time.

--jeremy

Last edited by unSpawn; 09-27-2014 at 10:52 AM. Reason: //Pre-merge subject linking
 
Old 09-25-2014, 01:24 PM   #20
suicidaleggroll
LQ Guru
 
Registered: Nov 2010
Location: Colorado
Distribution: OpenSUSE, CentOS
Posts: 5,573

What I don't get is why the bash developers EVER thought it would be a remotely good/safe idea to pull in function declarations from environment variables in the first place.

Even after this bug is fixed (which apparently it isn't yet), this is still a vulnerability in bash IMO.

Take the following code, running on a patched system, setting an environment variable to replace a standard Linux command with custom code:
Code:
$ env ls='() { echo this is a fake ls; }' bash -c "ls"
this is a fake ls
If an attacker puts that "ls" function declaration in an environment variable through cgi, they've effectively just replaced the "ls" command with their own code. They could replace ls, cd, read, even echo with custom code.
Code:
$ ls
$ env echo='() { touch file; }' bash -c "echo 5"
$ ls
file
Shellshock is a problem: bash should not execute commands after the function declaration. But why is this even a feature in the first place? Even after Shellshock is fixed, this "feature" just seems like a major security problem to me.


Edit: apparently CGI prefixes any environment variables before setting them for the shell, so it's not as bad as I had feared. I still don't like the notion of CGI setting HTTP headers as environment variables and then bash turning environment variables into functions, though.

Last edited by suicidaleggroll; 09-25-2014 at 03:00 PM.
 
Old 09-25-2014, 03:35 PM   #21
Linux_Kidd
Member
 
Registered: Jan 2006
Location: USA
Posts: 593

ShellShock

My CentOS 6 repos don't even show the fix as available, what gives?

Can we wrap bash to mitigate the issue?
 
Old 09-25-2014, 03:39 PM   #22
Linux_Kidd
Member
 
Registered: Jan 2006
Location: USA
Posts: 593

Quote:
Originally Posted by tux100 View Post
rpm -qa |grep bash says RHEL 5.8 bash-3.2-32.el5

yum update bash will upgrade bash to 3.2-33. << Pretty sure this is not a patched bash.

==================================================================================
Package   Arch      Version         Repository              Size
==================================================================================
Updating:
bash      x86_64    3.2-33.el5.1    rhel-x86_64-server-5    1.8 M
see https://access.redhat.com/articles/1200223

I am wondering why the repos don't have the fixed package yet.

Last edited by Linux_Kidd; 09-25-2014 at 03:41 PM.
 
Old 09-25-2014, 04:02 PM   #23
Linux_Kidd
Member
 
Registered: Jan 2006
Location: USA
Posts: 593

Quote:
Originally Posted by suicidaleggroll View Post
What I don't get is why the bash developers EVER thought it would be a remotely good/safe idea to pull in function declarations from environment variables in the first place.

Even after this bug is fixed (which apparently it isn't yet), this is still a vulnerability in bash IMO.

Take the following code, running on a patched system, setting an environment variable to replace a standard Linux command with custom code:
Code:
$ env ls='() { echo this is a fake ls; }' bash -c "ls"
this is a fake ls
What bash package exactly was installed as the "fix"?
 
Old 09-25-2014, 04:08 PM   #24
suicidaleggroll
LQ Guru
 
Registered: Nov 2010
Location: Colorado
Distribution: OpenSUSE, CentOS
Posts: 5,573

Quote:
Originally Posted by Linux_Kidd View Post
What bash package exactly was installed as the "fix"?
I'm not sure what you're asking. Bash doesn't have packages, bash is the package. The initial fix for shellshock is right here:
http://ftp.gnu.org/gnu/bash/bash-4.3-patches/bash43-025

It's not complete, but it takes care of the primary vulnerability. Even once bash is fixed completely, attackers will still be able to define custom functions in any resulting bash shell by manipulating the environment though, which makes me uneasy.
 
Old 09-25-2014, 04:11 PM   #25
Linux_Kidd
Member
 
Registered: Jan 2006
Location: USA
Posts: 593

Quote:
Originally Posted by suicidaleggroll View Post
I'm not sure what you're asking. Bash doesn't have packages, bash is the package. The initial fix for shellshock is right here:
http://ftp.gnu.org/gnu/bash/bash-4.3-patches/bash43-025

It's not complete, but it takes care of the primary vulnerability. Even once bash is fixed completely, attackers will still be able to define custom functions in any resulting bash shell by manipulating the environment though, which makes me uneasy.
What bash package exactly? The CentOS repo shows an available bash package, but one that is listed as vulnerable by Red Hat.

The link shows C files from 12 Sep and 14 Sep; it looks like it wasn't fixed yet at that time, or am I missing something? Thus we are still waiting on a fix to handle the complete issue?

Last edited by Linux_Kidd; 09-25-2014 at 04:15 PM.
 
Old 09-25-2014, 04:17 PM   #26
suicidaleggroll
LQ Guru
 
Registered: Nov 2010
Location: Colorado
Distribution: OpenSUSE, CentOS
Posts: 5,573

CentOS back-ports security updates. So even though the bash version is "vulnerable" according to the reports, the shellshock fix has been back-ported to take care of the problem.

If you run
Code:
env x='() { :;}; echo vulnerable' bash -c "echo this is a test"
before and after running the yum update, you'll see that it takes care of the problem.

This vulnerability still hasn't been fixed though:
Code:
env X='() { (a)=>\' bash -c "echo date"; cat echo

Last edited by suicidaleggroll; 09-26-2014 at 12:06 PM.
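As an added example (not code from any poster in this thread), the following POSIX shell script wraps the two probe commands posted above into one check: it reports whether a given bash binary still has CVE-2014-6271 or CVE-2014-7169, and whether it still imports a function from a plainly named environment variable at all, which is the wider concern raised in post #20. The function names and the probe_fn variable are my own constructions.

```shell
#!/bin/sh
# Added example, not code from the thread: wraps the two probe commands posted
# above into one check reporting whether a bash binary still has CVE-2014-6271
# or CVE-2014-7169, and whether it still imports a function from a plainly
# named environment variable at all (the wider worry raised in post #20).

# Usage: shellshock_check /path/to/bash
# Prints exactly one of: vulnerable-6271, vulnerable-7169, patched
shellshock_check() {
    sh_bin=$1
    scratch=$(mktemp -d) || return 2
    result=patched
    # CVE-2014-6271: text after the imported function body must not execute.
    out=$(cd "$scratch" && env x='() { :;}; echo vulnerable' \
              "$sh_bin" -c 'echo this is a test' 2>/dev/null) || true
    case $out in
        *vulnerable*) result=vulnerable-6271 ;;
    esac

    # CVE-2014-7169: the incomplete first fix left a parser bug that turns the
    # command into a redirection and drops a file named "echo" in the cwd, so
    # the probe runs inside the scratch directory and that file is looked for.
    if [ "$result" = patched ]; then
        (cd "$scratch" && env X='() { (a)=>\' "$sh_bin" -c 'echo date') \
            >/dev/null 2>&1 || true
        if [ -e "$scratch/echo" ]; then result=vulnerable-7169; fi
    fi

    rm -rf "$scratch"
    printf '%s\n' "$result"
}

# Usage: env_function_import /path/to/bash
# Prints "imported" if a variable merely named probe_fn (a constructed name)
# whose value starts with "() {" becomes a callable function, else
# "not-imported". Post-Shellshock bash only imports specially encoded names
# such as BASH_FUNC_probe_fn%%, so a patched shell prints not-imported.
env_function_import() {
    sh_bin=$1
    out=$(env probe_fn='() { echo imported; }' "$sh_bin" -c 'probe_fn' 2>/dev/null) || true
    case $out in
        imported) printf 'imported\n' ;;
        *)        printf 'not-imported\n' ;;
    esac
}

# Stand-alone run: report on whatever bash is first on PATH.
if bash_bin=$(command -v bash); then
    echo "$bash_bin: $(shellshock_check "$bash_bin"); plain-name import: $(env_function_import "$bash_bin")"
fi
```

Point it at a specific binary (for example the one reported by rpm -qf /bin/bash) rather than relying on PATH when comparing before and after a yum update.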
 
Old 09-25-2014, 04:20 PM   #27
Linux_Kidd
Member
 
Registered: Jan 2006
Location: USA
Posts: 593

Oddly, bash-4.1.2-15.el6_5.1.i686 is listed in my CentOS repo but not as a security fix!! yum check-update --security: no packages available.
But bash-4.1.2-15.el6_5.1.i686 is listed on the RH site as vulnerable, so I guess the fix was bad and we are still waiting??
 
Old 09-25-2014, 04:24 PM   #28
suicidaleggroll
LQ Guru
 
Registered: Nov 2010
Location: Colorado
Distribution: OpenSUSE, CentOS
Posts: 5,573

4.1.2-15.el6_5.1 does have the fix for vulnerability #1, that's the version installed on my CentOS 6.5 systems:
Code:
$ env x='() { :;}; echo vulnerable' bash -c "echo this is a test"
bash: warning: x: ignoring function definition attempt
bash: error importing function definition for `x'
this is a test
 
Old 09-25-2014, 04:29 PM   #29
Linux_Kidd
Member
 
Registered: Jan 2006
Location: USA
Posts: 593

Quote:
Originally Posted by suicidaleggroll View Post
4.1.2-15.el6_5.1 does have the fix for vulnerability #1, that's the version installed on my CentOS 6.5 systems:
Code:
$ env x='() { :;}; echo vulnerable' bash -c "echo this is a test"
bash: warning: x: ignoring function definition attempt
bash: error importing function definition for `x'
this is a test
Even after this version of bash, still the same issue, arbitrary code execution, no?
 
Old 09-25-2014, 04:39 PM   #30
Linux_Kidd
Member
 
Registered: Jan 2006
Location: USA
Posts: 593

Quote:
Originally Posted by suicidaleggroll View Post
CentOS back-ports security updates. So even though the bash version is "vulnerable" according to the reports, the shellshock fix has been back-ported to take care of the problem.

If you run
Code:
env x='() { :;}; echo vulnerable' bash -c "echo this is a test"
before and after running the yum update, you'll see that it takes care of the problem.

This vulnerability still hasn't been fixed though:
Code:
env X='() { (a)=>\' sh -c "echo date"; cat echo
I run the 1st one after yum update bash; my bash is now bash-4.1.2-15.el6_5.1.i686, still the same issue, I get "this is a test" returned to me.

The 2nd command, I get X syntax error, error importing function, etc.

Perhaps you have the two backwards??
Verified with rpm -qf /bin/bash

Last edited by Linux_Kidd; 09-25-2014 at 05:26 PM.
 