Linux - SecurityThis forum is for all security related questions.
Questions, tips, system compromises, firewalls, etc. are all included here.
Notices
Welcome to LinuxQuestions.org, a friendly and active Linux Community.
You are currently viewing LQ as a guest. By joining our community you will have the ability to post topics, receive our newsletter, use the advanced search, subscribe to threads and access many other special features. Registration is quick, simple and absolutely free. Join our community today!
Note that registered members see fewer ads, and ContentLink is completely disabled once you log in.
If you have any problems with the registration process or your account login, please contact us. If you need to reset your password, click here.
Having a problem logging in? Please visit this page to clear all LQ-related cookies.
Get a virtual cloud desktop with the Linux distro that you want in less than five minutes with Shells! With over 10 pre-installed distros to choose from, the worry-free installation life is here! Whether you are a digital nomad or just looking for flexibility, Shells can put your Linux machine on the device that you want to use.
Exclusive for LQ members, get up to 45% off per month. Click here for more info.
Alright then I'm pretty sure mine are fine, the shell scripts are run using exec in mod_php, no cgi is involved, so as far as I understand it an attacker has no way of passing an environment variable through to the shell.
I've posted a note to the Linux - News forum (and a couple other places). A sticky in Linux - Security may be in order, but I'm not sure a site wide notice is needed at this time.
--jeremy
Last edited by unSpawn; 09-27-2014 at 10:52 AM.
Reason: //Pre-merge subject linking
What I don't get is why the the bash developers EVER thought it would be a remotely good/safe idea to pull in function declarations from environment variables in the first place.
Even after this bug is fixed (which apparently it isn't yet), this is still a vulnerability in bash IMO.
Take the following code, running on a patched system, setting an environment variable to replace a standard Linux command with custom code:
Code:
$ env ls='() { echo this is a fake ls; }' bash -c "ls"
this is a fake ls
If an attacker puts that "ls" function declaration in an environment variable through cgi, they've effectively just replaced the "ls" command with their own code. They could replace ls, cd, read, even echo with custom code.
Code:
$ ls
$ env echo='() { touch file; }' bash -c "echo 5"
$ ls
file
Shellshock is a problem, bash should not execute commands after the function declaration, but why is this even a feature in the first place??? Even after shellshock is fixed, this "feature" just seems like a major security problem to me.
edit: apparently cgi prefixes any environment variables before setting them for the shell, so it's not as bad as I had feared. I still don't like the notion of cgi setting http headers as environment variables, and then bash turning environment variables into functions though.
Last edited by suicidaleggroll; 09-25-2014 at 03:00 PM.
What I don't get is why the the bash developers EVER thought it would be a remotely good/safe idea to pull in function declarations from environment variables in the first place.
Even after this bug is fixed (which apparently it isn't yet), this is still a vulnerability in bash IMO.
Take the following code, running on a patched system, setting an environment variable to replace a standard Linux command with custom code:
Code:
$ env ls='() { echo this is a fake ls; }' bash -c "ls"
this is a fake ls
what bash package exactly was installed as the "fix"?
It's not complete, but it takes care of the primary vulnerability. Even once bash is fixed completely, attackers will still be able to define custom functions in any resulting bash shell by manipulating the environment though, which makes me uneasy.
It's not complete, but it takes care of the primary vulnerability. Even once bash is fixed completely, attackers will still be able to define custom functions in any resulting bash shell by manipulating the environment though, which makes me uneasy.
what bash package exactly? the CentOS repo shows an available bash package, but one that is listed as vulnerable by RedHat.
the link shows c files from 12Sep and 14Sep, looks like it wasnt fixed yet at that time, or am i missing something? thus we are still waiting on a fix to handle the complete issue?
Last edited by Linux_Kidd; 09-25-2014 at 04:15 PM.
CentOS back-ports security updates. So even though the bash version is "vulnerable" according to the reports, the shellshock fix has been back-ported to take care of the problem.
If you run
Code:
env x='() { :;}; echo vulnerable' bash -c "echo this is a test"
before and after running the yum update, you'll see that it takes care of the problem.
This vulnerability still hasn't been fixed though:
Code:
env X='() { (a)=>\' bash -c "echo date"; cat echo
Last edited by suicidaleggroll; 09-26-2014 at 12:06 PM.
oddly, bash-4.1.2-15.el6_5.1.i686 is listed in my CentOS repo but not as a security fix !! yum check-update --security , no packages available.
but bash-4.1.2-15.el6_5.1.i686 is listed on RH site as vulnerable, so i guess the fix was bad and we are still waiting ??
4.1.2-15.el6_5.1 does have the fix for vulnerability #1, that's the version installed on my CentOS 6.5 systems:
Code:
$ env x='() { :;}; echo vulnerable' bash -c "echo this is a test"
bash: warning: x: ignoring function definition attempt
bash: error importing function definition for `x'
this is a test
4.1.2-15.el6_5.1 does have the fix for vulnerability #1, that's the version installed on my CentOS 6.5 systems:
Code:
$ env x='() { :;}; echo vulnerable' bash -c "echo this is a test"
bash: warning: x: ignoring function definition attempt
bash: error importing function definition for `x'
this is a test
even after this ver of bash, still same issue, arbitrary code execution, no?
CentOS back-ports security updates. So even though the bash version is "vulnerable" according to the reports, the shellshock fix has been back-ported to take care of the problem.
If you run
Code:
env x='() { :;}; echo vulnerable' bash -c "echo this is a test"
before and after running the yum update, you'll see that it takes care of the problem.
This vulnerability still hasn't been fixed though:
Code:
env X='() { (a)=>\' sh -c "echo date"; cat echo
i run the 1st one after yum update bash, my bash is now bash-4.1.2-15.el6_5.1.i686, still same issue, i get "this is a test" returned to me.
the 2nd command, i get X syntax error, error importing function, etc
perhaps you have the two backwards ??
verified with rpm -qf /bin/bash
Last edited by Linux_Kidd; 09-25-2014 at 05:26 PM.
LinuxQuestions.org is looking for people interested in writing
Editorials, Articles, Reviews, and more. If you'd like to contribute
content, let us know.
