LinuxQuestions.org
Welcome to the most active Linux Forum on the web.
Go Back   LinuxQuestions.org > Forums > Linux Forums > Linux - Security
User Name
Password
Linux - Security This forum is for all security related questions.
Questions, tips, system compromises, firewalls, etc. are all included here.

Notices


Reply
  Search this Thread
Old 09-26-2014, 01:36 PM   #61
smallpond
Senior Member
 
Registered: Feb 2011
Location: Massachusetts, USA
Distribution: CentOS 6 & 7
Posts: 3,209

Rep: Reputation: 871Reputation: 871Reputation: 871Reputation: 871Reputation: 871Reputation: 871Reputation: 871

A catastrophic exploit giving root access to a malicious DHCP server has been demonstrated:

https://www.trustedsec.com/september...proof-concept/

Has anyone heard of any Android mobile devices that use a vulnerable bash?
 
Old 09-26-2014, 02:12 PM   #62
szboardstretcher
Senior Member
 
Registered: Aug 2006
Location: Detroit, MI
Distribution: GNU/Linux systemd
Posts: 4,237

Rep: Reputation: 1651Reputation: 1651Reputation: 1651Reputation: 1651Reputation: 1651Reputation: 1651Reputation: 1651Reputation: 1651Reputation: 1651Reputation: 1651Reputation: 1651
selinux will not save you from shellshock

explanation and demonstration here:

http://www.reddit.com/r/netsec/comme..._through_bash/
 
Old 09-26-2014, 02:16 PM   #63
Linux_Kidd
Member
 
Registered: Jan 2006
Location: USA
Posts: 593

Rep: Reputation: 62
Quote:
Originally Posted by smallpond View Post
A catastrophic exploit giving root access to a malicious DHCP server has been demonstrated:

https://www.trustedsec.com/september...proof-concept/

Has anyone heard of any Android mobile devices that use a vulnerable bash?
as expected right. if anything uses the bad bash to do its thing, then it is susceptible to code injection. however, i do not think you can get priv escalation here as bash was called by a specific uid. feel free to correct me if i am wrong.

i dont think Android on mobile devices is an issue......
 
Old 09-26-2014, 02:22 PM   #64
smallpond
Senior Member
 
Registered: Feb 2011
Location: Massachusetts, USA
Distribution: CentOS 6 & 7
Posts: 3,209

Rep: Reputation: 871Reputation: 871Reputation: 871Reputation: 871Reputation: 871Reputation: 871Reputation: 871
Quote:
Originally Posted by Linux_Kidd View Post
as expected right. if anything uses the bad bash to do its thing, then it is susceptible to code injection. however, i do not think you can get priv escalation here as bash was called by a specific uid. feel free to correct me if i am wrong.

i dont think Android on mobile devices is an issue......
DHCP clients run the dhclient script as root.
 
Old 09-26-2014, 02:46 PM   #65
Linux_Kidd
Member
 
Registered: Jan 2006
Location: USA
Posts: 593

Rep: Reputation: 62
Quote:
Originally Posted by smallpond View Post
DHCP clients run the dhclient script as root.
UID=102 does a manual DHCP renew, this method will call the dhclient script as UID=0 ??

Last edited by Linux_Kidd; 09-26-2014 at 11:08 PM.
 
Old 09-26-2014, 05:46 PM   #66
Reuti
Senior Member
 
Registered: Dec 2004
Location: Marburg, Germany
Distribution: openSUSE 15.0
Posts: 1,336

Rep: Reputation: 255Reputation: 255Reputation: 255
Re: Bash "shellshock" CVE-2014-6271 CVE-2014-7169 - Shell shock patching?

Isn’t the issue even pointing to to avoid importing shell functions in general if the executed shell runs under a different uid than the one initiating the execution? I mean:
Code:
$ x='() { :;}; echo huch' bash -c "echo foo"
huch
foo
$ x='() { :;}; echo huch' bash -pc "echo foo"
foo
Originally I started to use -p to turn on privileged mode to avoid getting any redefined shell builtins from the user like:
Code:
$ cd="() { echo huch;}" bash -c "cd"
huch
$ cd="() { echo huch;}" bash -pc "cd"

Last edited by unSpawn; 09-27-2014 at 10:53 AM. Reason: //Pre-merge subject linking
 
Old 09-26-2014, 07:23 PM   #67
suicidaleggroll
LQ Guru
 
Registered: Nov 2010
Location: Colorado
Distribution: OpenSUSE, CentOS
Posts: 5,573

Rep: Reputation: 2134Reputation: 2134Reputation: 2134Reputation: 2134Reputation: 2134Reputation: 2134Reputation: 2134Reputation: 2134Reputation: 2134Reputation: 2134Reputation: 2134
For all you guys running unsupported distros, patch #026 has been posted on the main bash server, correcting the second bug:
http://ftp.gnu.org/gnu/bash/bash-4.3-patches/

You can download and build the whole set with:
Code:
mkdir patched_bash
cd patched_bash
wget http://ftp.gnu.org/gnu/bash/bash-4.3.tar.gz
tar xaf bash-4.3.tar.gz
cd bash-4.3
for i in {001..026}; do
  curl http://ftp.gnu.org/gnu/bash/bash-4.3-patches/bash43-$i | patch -p0
done
./configure && make
When it's done, you'll have the patched bash executable at patched_bash/bash-4.3/bash
You can then replace /bin/bash with it, or if you like you can keep the old one and symlink this one in it's place:

as root:
Code:
cp -a /bin/bash /bin/bash.old
cp -a patched_bash/bash-4.3/bash /bin/bash.patched
ln -sf /bin/bash.patched /bin/bash

Last edited by suicidaleggroll; 09-26-2014 at 07:28 PM.
 
Old 09-27-2014, 02:31 AM   #68
jross
Member
 
Registered: Apr 2014
Distribution: Xubuntu 14.04
Posts: 164

Rep: Reputation: Disabled
Risk to Paste Commands Into Terminal?

I was watching a video where someone was discussing the Shellshock bug and copied the "test" code from an article and then pasted it in the terminal to see the result. In the comments someone made the following statement:

"You shouldn't paste commands directly into the terminal because there's an HTML trick that lets you hide text so as soon as you paste it a malicious command will be executed"

Does anyone agree with this?
 
Old 09-27-2014, 03:38 AM   #69
unSpawn
Moderator
 
Registered: May 2001
Posts: 29,409
Blog Entries: 55

Rep: Reputation: 3582Reputation: 3582Reputation: 3582Reputation: 3582Reputation: 3582Reputation: 3582Reputation: 3582Reputation: 3582Reputation: 3582Reputation: 3582Reputation: 3582
Quote:
Originally Posted by szboardstretcher View Post
selinux will not save you from shellshock
Personally I don't care much for thread titles that only tell half of the story. Of all that's written in that particular thread the most important piece of SELinux-related information is here: https://danwalsh.livejournal.com/71122.html as it clearly explains SELinux still protects against quite a lot compared to machines not running it. That doesn't detract from the fact that no LSM is a catch all, that security (in the sense of hardening, auditing, adjusting) is a continuous process and that this bug again shows Linus's Law has flaws itself.
 
Old 09-27-2014, 03:44 AM   #70
unSpawn
Moderator
 
Registered: May 2001
Posts: 29,409
Blog Entries: 55

Rep: Reputation: 3582Reputation: 3582Reputation: 3582Reputation: 3582Reputation: 3582Reputation: 3582Reputation: 3582Reputation: 3582Reputation: 3582Reputation: 3582Reputation: 3582
Quote:
Originally Posted by jross View Post
I was watching a video where someone was discussing the Shellshock bug and copied the "test" code from an article and then pasted it in the terminal to see the result. In the comments someone made the following statement:

"You shouldn't paste commands directly into the terminal because there's an HTML trick that lets you hide text so as soon as you paste it a malicious command will be executed"

Does anyone agree with this?
The essence is nobody (and no information) can (or should) be trusted by default and without proper examination of what such commands do.
You are responsible for what you execute on the systems you're responsible for: you are your own "trigger finger".
 
Old 09-27-2014, 02:34 PM   #71
taikedz
LQ Newbie
 
Registered: Jan 2014
Location: Scotland
Distribution: Manjaro, CentOS, OS X
Posts: 7

Rep: Reputation: Disabled
Institutionalized injection

Quote:
Originally Posted by suicidaleggroll View Post
What I don't get is why the the bash developers EVER thought it would be a remotely good/safe idea to pull in function declarations from environment variables in the first place.

...

I still don't like the notion of cgi setting http headers as environment variables, and then bash turning environment variables into functions though.
I second this - but I still don't understand why parsing to allow function definitions in env variables is suported at all - it just screams of injection!

Ars seems to be on the right track, it'd probably just be safer to turn off the parsing (if such a bash variant already exists please tell me where!) http://arstechnica.com/security/2014...-whack-a-mole/

If anything relies on the "feature" we'll soon find out... and demand fixes.
 
Old 09-28-2014, 07:06 PM   #72
evo2
LQ Guru
 
Registered: Jan 2009
Location: Japan
Distribution: Mostly Debian and CentOS
Posts: 6,006

Rep: Reputation: 1390Reputation: 1390Reputation: 1390Reputation: 1390Reputation: 1390Reputation: 1390Reputation: 1390Reputation: 1390Reputation: 1390Reputation: 1390
Hi,
Quote:
Originally Posted by jross View Post
Does anyone agree with this?
The main point is that you may be cutting and pasting text that is not actually visible in the browser. For this reason you should first paste it somewhere safe like a buffer in a text editor to examine it before you run it in your terminal.

Evo2.
 
1 members found this post helpful.
Old 09-28-2014, 08:24 PM   #73
widget
Senior Member
 
Registered: Oct 2008
Location: S.E. Montana
Distribution: Debian Testing, Stable, Sid and Manjaro, Mageia 3, LMDE
Posts: 2,628

Rep: Reputation: 496Reputation: 496Reputation: 496Reputation: 496Reputation: 496
Quote:
Originally Posted by evo2 View Post
Hi,

The main point is that you may be cutting and pasting text that is not actually visible in the browser. For this reason you should first paste it somewhere safe like a buffer in a text editor to examine it before you run it in your terminal.

Evo2.
The real question here is; Doesn't every one do it this way?
 
Old 09-28-2014, 08:42 PM   #74
evo2
LQ Guru
 
Registered: Jan 2009
Location: Japan
Distribution: Mostly Debian and CentOS
Posts: 6,006

Rep: Reputation: 1390Reputation: 1390Reputation: 1390Reputation: 1390Reputation: 1390Reputation: 1390Reputation: 1390Reputation: 1390Reputation: 1390Reputation: 1390
Hi,
Quote:
Originally Posted by widget View Post
The real question here is; Doesn't every one do it this way?
in a perfect world...

Evo2.
 
Old 09-29-2014, 01:25 AM   #75
ilesterg
Member
 
Registered: Jul 2012
Location: Kuala Lumpur
Distribution: Debian, CentOS/RHEL
Posts: 582

Rep: Reputation: 61
For Oracle customers out there, as usual, Oracle is late in sending advisories on huge security issues. I have received this last Saturday.
 
  


Reply

Tags
bash, vulnerability


Thread Tools Search this Thread
Search this Thread:

Advanced Search

Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts

BB code is On
Smilies are On
[IMG] code is Off
HTML code is Off



Similar Threads
Thread Thread Starter Forum Replies Last Post
LXer: Shellshock update: bash packages that resolve CVE-2014-6271 and CVE-2014-7169 available LXer Syndicated Linux News 1 09-26-2014 01:43 PM
Bash "shellshock" CVE-2014-6271 CVE-2014-7169 - legacy system patch help Diggy Linux - Security 3 09-26-2014 01:06 PM
LXer: Flaw CVE-2014-6271 discovered in the Bash shell — update your Fedora systems LXer Syndicated Linux News 0 09-25-2014 04:41 AM
[SOLVED] CVE-2014-0224 vulnerability joraymasalvan Linux - Newbie 3 06-18-2014 08:26 PM

LinuxQuestions.org > Forums > Linux Forums > Linux - Security

All times are GMT -5. The time now is 07:31 AM.

Main Menu
Advertisement
My LQ
Write for LQ
LinuxQuestions.org is looking for people interested in writing Editorials, Articles, Reviews, and more. If you'd like to contribute content, let us know.
Main Menu
Syndicate
RSS1  Latest Threads
RSS1  LQ News
Twitter: @linuxquestions
Facebook: linuxquestions Google+: linuxquestions
Open Source Consulting | Domain Registration