Category:   Application (Generic)  >   GNU bash
Vendors:   GNU [multiple authors]
GNU bash Environment Variable Processing Flaws Let Users Execute Arbitrary Code
SecurityTracker Alert ID:  1030890
SecurityTracker URL:  http://securitytracker.com/id/1030890
CVE Reference:   CVE-2014-6271, CVE-2014-6277, CVE-2014-6278, CVE-2014-7169, CVE-2014-7186, CVE-2014-7187
Updated:  Oct 7 2014
Original Entry Date:  Sep 24 2014
Impact:   Execution of arbitrary code via local system, Execution of arbitrary code via network, User access via local system, User access via network
Fix Available:  Yes  Vendor Confirmed:  Yes  Exploit Included:  Yes  
Version(s): 4.3
Description:   Several vulnerabilities were reported in GNU bash. A user can execute arbitrary code on the target system.

The software does not properly process environment variables.

A user can supply a specially crafted value that includes a bash function followed by additional code that, when processed by bash, will execute the additional code [CVE-2014-6271]. This vulnerability is known as "Shellshock".

Stephane Chazelas reported this vulnerability.

An initial fix for CVE-2014-6271 did not properly fix this flaw [CVE-2014-7169].

A user can supply a specially crafted value to trigger an out-of-bounds memory access in redir_stack() and potentially execute arbitrary code [CVE-2014-7186].

Florian Weimer of Red Hat Product Security reported this vulnerability.

A user can supply specially crafted, deeply nested flow control constructs to trigger an off-by-one error and potentially execute arbitrary code [CVE-2014-7187].

Florian Weimer of Red Hat Product Security reported this vulnerability.

A user can supply specially crafted data to access uninitialized memory and overwrite a pointer to potentially execute arbitrary code [CVE-2014-6277].

A user can supply specially crafted data to execute arbitrary code [CVE-2014-6278].

Michal Zalewski reported these vulnerabilities.

On a system with an application that passes data from a remote or remote authenticated user to bash, a remote or remote authenticated user may be able to exploit these vulnerabilities to execute arbitrary code.

Some common system application configurations are affected.

Demonstration exploit code is available.

This vulnerability is being actively exploited.

Impact:   A user can execute arbitrary code on the target system. In some application configurations, a remote user may be able to exploit this.
Solution:   The vendor issued a patch for CVE-2014-6271, available at:

http://ftp.gnu.org/gnu/bash/bash-2.05b-patches/bash205b-008
http://ftp.gnu.org/gnu/bash/bash-3.0-patches/bash30-017
http://ftp.gnu.org/gnu/bash/bash-3.1-patches/bash31-018
http://ftp.gnu.org/gnu/bash/bash-3.2-patches/bash32-052
http://ftp.gnu.org/gnu/bash/bash-4.0-patches/bash40-039
http://ftp.gnu.org/gnu/bash/bash-4.1-patches/bash41-012
http://ftp.gnu.org/gnu/bash/bash-4.2-patches/bash42-048
http://ftp.gnu.org/gnu/bash/bash-4.3-patches/bash43-025

The vendor issued a patch for CVE-2014-7169, available at:

http://ftp.gnu.org/gnu/bash/bash-2.05b-patches/bash205b-009
http://ftp.gnu.org/gnu/bash/bash-3.0-patches/bash30-018
http://ftp.gnu.org/gnu/bash/bash-3.1-patches/bash31-019
http://ftp.gnu.org/gnu/bash/bash-3.2-patches/bash32-053
http://ftp.gnu.org/gnu/bash/bash-4.0-patches/bash40-040
http://ftp.gnu.org/gnu/bash/bash-4.1-patches/bash41-013
http://ftp.gnu.org/gnu/bash/bash-4.2-patches/bash42-049
http://ftp.gnu.org/gnu/bash/bash-4.3-patches/bash43-026

On September 28, 2014 [UTC], the vendor issued an additional fix that adds encoding to exported functions to prevent them from being interpreted as a shell function and parsed. This fix prevents CVE-2014-6277, CVE-2014-6278, CVE-2014-7186, and CVE-2014-7187 from being exploited and is available at:

http://ftp.gnu.org/gnu/bash/bash-2.05b-patches/bash205b-010
http://ftp.gnu.org/gnu/bash/bash-3.0-patches/bash30-019
http://ftp.gnu.org/gnu/bash/bash-3.1-patches/bash31-020
http://ftp.gnu.org/gnu/bash/bash-3.2-patches/bash32-054
http://ftp.gnu.org/gnu/bash/bash-4.0-patches/bash40-041
http://ftp.gnu.org/gnu/bash/bash-4.1-patches/bash41-014
http://ftp.gnu.org/gnu/bash/bash-4.2-patches/bash42-050
http://ftp.gnu.org/gnu/bash/bash-4.3-patches/bash43-027

[Editor's note: Additional patches are available for CVE-2014-7186 and CVE-2014-7187 (bash43-028 et al), CVE-2014-6277 (bash43-029), and CVE-2014-6278 (bash43-030). However, for systems that have already applied bash43-027, these additional patches (bash43-028 and later) are not security relevant, as bash43-027 prevents exploitation of these flaws.]
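
The fix described above changes which environment entries bash is willing to treat as functions. As an added example (not part of the advisory or of bash itself), this sh script audits NAME=VALUE records for function-style values stored under ordinary variable names; the `BASH_FUNC_name%%` naming is upstream bash's encoding, which the advisory does not spell out, and the function names and sample records are constructed for illustration.

```shell
#!/bin/sh
# Added example: audit environment records for function-style values.
# Function names and sample data are constructed, not taken from bash.

# Unpatched bash treated any variable whose value begins with "() {" as an
# exported function definition and parsed it at startup.
looks_like_function_def() {
    case $1 in
        '() {'*) return 0 ;;
        *)       return 1 ;;
    esac
}

# With the September 28, 2014 fix, bash imports functions only from
# variables named BASH_FUNC_<name>%% (upstream's encoding).
is_encoded_function_name() {
    case $1 in
        BASH_FUNC_?*%%) return 0 ;;
        *)              return 1 ;;
    esac
}

# Read NAME=VALUE records, one per line, on stdin (for example from
# tr '\0' '\n' < /proc/PID/environ on Linux) and print every name that
# carries a function-style value under a non-encoded name.
# Line-based approximation: only the first line of a multi-line value
# is examined, which is where the "() {" prefix has to appear.
audit_env() {
    while IFS= read -r record || [ -n "$record" ]; do
        case $record in
            *=*) ;;
            *)   continue ;;
        esac
        name=${record%%=*}      # text before the first "="
        value=${record#*=}      # text after the first "="
        if looks_like_function_def "$value" &&
           ! is_encoded_function_name "$name"; then
            printf '%s\n' "$name"
        fi
    done
}

# Constructed sample environment. The SSH_ORIGINAL_COMMAND value is the
# one shown in the source message on this page.
sample_env() {
    cat <<'EOF'
PATH=/usr/bin:/bin
TERM=xterm
SSH_ORIGINAL_COMMAND=() { ignored; }; /usr/bin/id
BASH_FUNC_greet%%=() {  echo hello
HOME=/home/sandbox
NOTE=uses () { in the middle
EOF
}

sample_env | audit_env
```

A name reported by `audit_env` is an entry that bash without the September 28 fix would parse as a function definition at startup, so it is worth reviewing on any host where untrusted input can reach the environment of a bash process.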

Vendor URL:  www.gnu.org/software/bash/
Cause:   Input validation error
Underlying OS:  Linux (Any), UNIX (Any)

Message History:   This archive entry has one or more follow-up message(s) listed below.
Sep 24 2014 (Red Hat Issues Fix) GNU bash Environment Variable Processing Flaw Lets Users Execute Arbitrary Code
Red Hat has issued a fix for CVE-2014-6271 for Red Hat Enterprise Linux 4, 5, 5.6, 5.9, 6, 6.2, 6.4, and 7.
Sep 24 2014 (Ubuntu Issues Fix) GNU bash Environment Variable Processing Flaw Lets Users Execute Arbitrary Code
Ubuntu has issued a fix for CVE-2014-6271 for 10.04 LTS, 12.04 LTS, and 14.04 LTS.
Sep 26 2014 (F5 Issues Fix for F5 BIG-IP) GNU bash Environment Variable Processing Flaw Lets Users Execute Arbitrary Code
F5 has issued a fix for F5 BIG-IP.
Sep 26 2014 (Ubuntu Issues Fix) GNU bash Environment Variable Processing Flaw Lets Users Execute Arbitrary Code
Ubuntu has issued a fix for CVE-2014-7169 for Ubuntu 10.04 LTS, 12.04 LTS, and 14.04 LTS.
Sep 26 2014 (Red Hat Issues Fix) GNU bash Environment Variable Processing Flaw Lets Users Execute Arbitrary Code
Red Hat has issued a fix for CVE-2014-7169 for Red Hat Enterprise Linux 5, 6, and 7.
Sep 26 2014 (Cisco Issues Advisory for Cisco ASA CX) GNU bash Environment Variable Processing Flaw Lets Users Execute Arbitrary Code
Cisco has issued an advisory for Cisco ASA CX.
Sep 26 2014 (Cisco Issues Advisory for Cisco Application Control Engine) GNU bash Environment Variable Processing Flaw Lets Users Execute Arbitrary Code
Cisco has issued an advisory for Cisco Application Control Engine.
Sep 26 2014 (Cisco Issues Advisory for Cisco Wide Area Application Services) GNU bash Environment Variable Processing Flaw Lets Users Execute Arbitrary Code
Cisco has issued an advisory for Cisco Wide Area Application Services.
Sep 26 2014 (Cisco Issues Advisory for Cisco Identity Services Engine) GNU bash Environment Variable Processing Flaw Lets Users Execute Arbitrary Code
Cisco has issued an advisory for Cisco Identity Services Engine.
Sep 26 2014 (Cisco Issues Advisory for Cisco Intrusion Prevention System Solutions) GNU bash Environment Variable Processing Flaw Lets Users Execute Arbitrary Code
Cisco has issued an advisory for Cisco Intrusion Prevention System Solutions.
Sep 26 2014 (Cisco Issues Advisory for Cisco Secure Access Control Server) GNU bash Environment Variable Processing Flaw Lets Users Execute Arbitrary Code
Cisco has issued an advisory for Cisco Secure Access Control Server (ACS).
Sep 26 2014 (Cisco Issues Advisory for Cisco ASR 1000 and 5000 Series) GNU bash Environment Variable Processing Flaw Lets Users Execute Arbitrary Code
Cisco has issued an advisory for Cisco ASR 1000 and 5000 Series Routers.
Sep 26 2014 (Cisco Issues Advisory for Cisco MDS) GNU bash Environment Variable Processing Flaw Lets Users Execute Arbitrary Code
Cisco has issued an advisory for Cisco MDS.
Sep 26 2014 (Cisco Issues Advisory for Cisco Nexus) GNU bash Environment Variable Processing Flaw Lets Users Execute Arbitrary Code
Cisco has issued an advisory for Cisco Nexus 3000/5000, 4000, 5000/6000, 7000, and 9000.
Sep 26 2014 (Cisco Issues Advisory for Cisco Unified Computing System) GNU bash Environment Variable Processing Flaw Lets Users Execute Arbitrary Code
Cisco has issued an advisory for Cisco Unified Computing System (UCS).
Sep 26 2014 (Cisco Issues Advisory for Cisco Unified Communications Manager) GNU bash Environment Variable Processing Flaw Lets Users Execute Arbitrary Code
Cisco has issued an advisory for Cisco Unified Communications Manager and Unified Communications Manager Session Management Edition (SME).
Sep 26 2014 (Cisco Issues Advisory for Cisco TelePresence Products) GNU bash Environment Variable Processing Flaw Lets Users Execute Arbitrary Code
Cisco has issued an advisory for several Cisco TelePresence products.
Sep 26 2014 (Cisco Issues Advisory for Cisco Wireless LAN Controller) GNU bash Environment Variable Processing Flaw Lets Users Execute Arbitrary Code
Cisco has issued an advisory for Cisco Wireless LAN Controller.
Sep 26 2014 (Juniper Issues Fix for Junos Space) GNU bash Environment Variable Processing Flaw Lets Users Execute Arbitrary Code
Juniper has issued a fix for Juniper Junos Space.
Sep 26 2014 (Debian Issues Fix) GNU bash Environment Variable Processing Flaws Let Users Execute Arbitrary Code
Debian has issued a fix for CVE-2014-6271.
Sep 26 2014 (Red Hat Issues Fix) GNU bash Environment Variable Processing Flaws Let Users Execute Arbitrary Code
Red Hat has issued a fix for CVE-2014-7169, CVE-2014-7186, and CVE-2014-7187 for Red Hat Enterprise Linux 4, 5.6, 5.9, 6.2, and 6.4.
Sep 26 2014 (Debian Issues Fix) GNU bash Environment Variable Processing Flaws Let Users Execute Arbitrary Code
Debian has issued a fix for CVE-2014-7169, CVE-2014-7186, and CVE-2014-7187.
Sep 26 2014 (Red Hat Issues Fix) GNU bash Environment Variable Processing Flaws Let Users Execute Arbitrary Code
Red Hat has issued a fix for CVE-2014-7169, CVE-2014-7186, and CVE-2014-7187 for Shift_JIS for Red Hat Enterprise Linux 5 and 6.
Sep 27 2014 (Oracle Issues Fix for Solaris) GNU bash Environment Variable Processing Flaws Let Users Execute Arbitrary Code
Oracle has issued a fix for Solaris 8, 9, 10, and 11.
Sep 27 2014 (IBM Issues Fix for IBM AIX) GNU bash Environment Variable Processing Flaws Let Users Execute Arbitrary Code
IBM has issued a fix for IBM AIX 5.3, 6.1, and 7.1.
Sep 27 2014 (Ubuntu Issues Fix) GNU bash Environment Variable Processing Flaw Lets Users Execute Arbitrary Code
Ubuntu has issued a fix for CVE-2014-7186 and CVE-2014-7187 for Ubuntu 10.04 LTS, 12.04 LTS, and 14.04 LTS.
Sep 28 2014 (Check Point Issues Fix for Check Point IPSO) GNU bash Environment Variable Processing Flaws Let Users Execute Arbitrary Code
Check Point has issued a fix for Check Point IPSO 6.2.
Sep 28 2014 (Blue Coat Issues Advisory for Blue Coat Reporter) GNU bash Environment Variable Processing Flaws Let Users Execute Arbitrary Code
Blue Coat has issued an advisory for Blue Coat Reporter.
Sep 28 2014 (Blue Coat Issues Fix for Blue Coat Director) GNU bash Environment Variable Processing Flaws Let Users Execute Arbitrary Code
Blue Coat has issued a fix for Blue Coat Director.
Sep 28 2014 (HP Issues Fix for HP NonStop Server) GNU bash Environment Variable Processing Flaws Let Users Execute Arbitrary Code
HP has issued a fix for HP NonStop Server.
Sep 29 2014 (Apple Issues Fix for OS X) GNU bash Environment Variable Processing Flaws Let Users Execute Arbitrary Code
Apple has issued a fix for CVE-2014-6271 and CVE-2014-7169 for OS X.
Sep 30 2014 (HP Issues Fix for HP NonStop CLIM) GNU bash Environment Variable Processing Flaws Let Users Execute Arbitrary Code
HP has issued a fix for HP NonStop CLIM.
Sep 30 2014 (HP Issues Fix for HP NonStop Virtual TapeServer) GNU bash Environment Variable Processing Flaws Let Users Execute Arbitrary Code
HP has issued a fix for CVE-2014-6271, CVE-2014-6278, CVE-2014-7169, and CVE-2014-7186 for HP NonStop Virtual TapeServer (VTS).
Oct 1 2014 (Cisco Issues Advisory for Cisco WebEx Meetings Server) GNU bash Environment Variable Processing Flaws Let Users Execute Arbitrary Code
Cisco has issued an advisory for CVE-2014-6271 and CVE-2014-7169 for Cisco WebEx Meetings Server.
Oct 1 2014 (VMware Issues Fix for VMware ESX) GNU bash Environment Variable Processing Flaws Let Users Execute Arbitrary Code
VMware has issued a fix for VMware ESX 4.0 and 4.1.
Oct 1 2014 (VMware Issues Fix for VMware vCenter) GNU bash Environment Variable Processing Flaws Let Users Execute Arbitrary Code
VMware has issued a fix for some VMware vCenter products.
Oct 1 2014 (VMware Issues Fix for vCloud) GNU bash Environment Variable Processing Flaws Let Users Execute Arbitrary Code
VMware has issued a fix for VMware vCloud products.
Oct 1 2014 (VMware Issues Fix for VMware Horizon Workspace) GNU bash Environment Variable Processing Flaws Let Users Execute Arbitrary Code
VMware has issued a fix for CVE-2014-6271, CVE-2014-7169, CVE-2014-7186, and CVE-2014-7187 for VMware Horizon Workspace 1.x and 2.x.
Oct 1 2014 (VMware Issues Fix for VMware vSphere) GNU bash Environment Variable Processing Flaws Let Users Execute Arbitrary Code
VMware has issued a fix for VMware vSphere products.
Oct 1 2014 (Cisco Issues Advisory for Cisco Digital Media Products) GNU bash Environment Variable Processing Flaws Let Users Execute Arbitrary Code
Cisco has issued an advisory for CVE-2014-6271 and CVE-2014-7169 for Cisco Digital Media products.
Oct 1 2014 (Cisco Issues Advisory for Cisco NAC Guest Server) GNU bash Environment Variable Processing Flaws Let Users Execute Arbitrary Code
Cisco has issued an advisory for CVE-2014-6271 and CVE-2014-7169 for Cisco NAC Guest Server.
Oct 1 2014 (Cisco Issues Advisory for Cisco Media Experience Engine) GNU bash Environment Variable Processing Flaws Let Users Execute Arbitrary Code
Cisco has issued an advisory for CVE-2014-6271 and CVE-2014-7169 for Cisco Media Experience Engines (MXE).
Oct 1 2014 (Cisco Issues Advisory for Cisco Prime Data Center Network Manager) GNU bash Environment Variable Processing Flaws Let Users Execute Arbitrary Code
Cisco has issued an advisory for CVE-2014-6271 and CVE-2014-7169 for Cisco Prime Data Center Network Manager.
Oct 1 2014 (Cisco Issues Advisory for Cisco Prime Security Manager) GNU bash Environment Variable Processing Flaws Let Users Execute Arbitrary Code
Cisco has issued an advisory for CVE-2014-6271 and CVE-2014-7169 for Cisco Prime Security Manager.
Oct 1 2014 (Cisco Issues Advisory for Cisco Show and Share) GNU bash Environment Variable Processing Flaws Let Users Execute Arbitrary Code
Cisco has issued an advisory for CVE-2014-6271 and CVE-2014-7169 for Cisco Show and Share (SnS).
Oct 1 2014 (Cisco Issues Advisory for Cisco Prime Data Center Network Manager) GNU bash Environment Variable Processing Flaws Let Users Execute Arbitrary Code
Cisco has issued an advisory for CVE-2014-6271 and CVE-2014-7169 for Cisco Prime Data Center Network Manager.
Oct 1 2014 (Cisco Issues Advisory for Cisco Emergency Responder) GNU bash Environment Variable Processing Flaws Let Users Execute Arbitrary Code
Cisco has issued an advisory for CVE-2014-6271 and CVE-2014-7169 for Cisco Emergency Responder.
Oct 2 2014 (Cisco Issues Advisory for Cisco IronPort) GNU bash Environment Variable Processing Flaws Let Users Execute Arbitrary Code
Cisco has issued an advisory for CVE-2014-6271 and CVE-2014-7169 for Cisco IronPort.
Oct 2 2014 (Red Hat Issues Fix for RHEV) GNU bash Environment Variable Processing Flaws Let Users Execute Arbitrary Code
Red Hat has issued a fix for CVE-2014-6271, CVE-2014-7169, CVE-2014-7186, and CVE-2014-7187 for Red Hat Enterprise Virtualization.
Oct 3 2014 (Cisco Issues Advisory for Cisco IOS-XE) GNU bash Environment Variable Processing Flaws Let Users Execute Arbitrary Code
Cisco has issued an advisory for CVE-2014-6271 and CVE-2014-7169 for Cisco IOS-XE.
Oct 3 2014 (Oracle Issues Fix for Oracle VM) GNU bash Environment Variable Processing Flaws Let Users Execute Arbitrary Code
Oracle has issued a fix for CVE-2014-6271, CVE-2014-7169, CVE-2014-7186, CVE-2014-7187, and CVE-2014-6277 for Oracle VM.
Oct 3 2014 (Novell Issues Fix for Novell ZENworks Configuration Management) GNU bash Environment Variable Processing Flaws Let Users Execute Arbitrary Code
Novell has issued a fix for ZENworks Configuration Management.
Oct 3 2014 (Novell Issues Fix for Novell GroupWise) GNU bash Environment Variable Processing Flaws Let Users Execute Arbitrary Code
Novell has issued a fix for Novell GroupWise.
Oct 6 2014 (IBM Issues Fix for IBM Hardware Management Console) GNU bash Environment Variable Processing Flaws Let Users Execute Arbitrary Code
IBM has issued a fix for IBM Hardware Management Console.
Oct 9 2014 (McAfee Issues Fix for McAfee Email and Web Security) GNU bash Environment Variable Processing Flaws Let Users Execute Arbitrary Code
McAfee has issued a fix for McAfee Email and Web Security.
Oct 9 2014 (McAfee Issues Fix for McAfee Email Gateway) GNU bash Environment Variable Processing Flaws Let Users Execute Arbitrary Code
McAfee has issued a fix for McAfee Email Gateway.
Oct 9 2014 (McAfee Issues Fix for McAfee Firewall Enterprise Control Center) GNU bash Environment Variable Processing Flaws Let Users Execute Arbitrary Code
McAfee has issued a fix for McAfee Firewall Enterprise Control Center.
Oct 9 2014 (McAfee Issues Fix for McAfee Web Gateway) GNU bash Environment Variable Processing Flaws Let Users Execute Arbitrary Code
McAfee has issued a fix for McAfee Web Gateway.
Oct 9 2014 (McAfee Issues Fix for McAfee Network Data Loss Prevention) GNU bash Environment Variable Processing Flaws Let Users Execute Arbitrary Code
McAfee has issued a fix for McAfee Network Data Loss Prevention.
Oct 9 2014 (McAfee Issues Advisory for McAfee Asset Manager) GNU bash Environment Variable Processing Flaws Let Users Execute Arbitrary Code
McAfee has issued an advisory for McAfee Asset Manager.
Oct 9 2014 (McAfee Issues Advisory for McAfee SaaS) GNU bash Environment Variable Processing Flaws Let Users Execute Arbitrary Code
McAfee has issued an advisory for McAfee SaaS.
Oct 10 2014 (Splunk Issues Fix for Splunk Products) GNU bash Environment Variable Processing Flaws Let Users Execute Arbitrary Code
Splunk has issued a fix for CVE-2014-6271 and CVE-2014-7169 for several Splunk products.
Oct 10 2014 (HP Issues Advisory for HP NonStop Development Environment for Eclipse) GNU bash Environment Variable Processing Flaws Let Users Execute Arbitrary Code
HP has issued an advisory for HP NonStop Development Environment for Eclipse (NSDEE).
Oct 20 2014 (HP Issues Fix for HP Integrity Server) GNU bash Environment Variable Processing Flaws Let Users Execute Arbitrary Code
HP has issued a fix for HP Integrity Server.
Oct 20 2014 (HP Issues Fix for HP StoreOnce Backup Systems) GNU bash Environment Variable Processing Flaws Let Users Execute Arbitrary Code
HP has issued a fix for HP StoreOnce Backup Systems.
Oct 22 2014 (Blue Coat Issues Fix for PacketShaper S-Series) GNU bash Environment Variable Processing Flaws Let Users Execute Arbitrary Code
Blue Coat has issued a fix for PacketShaper S-Series.
Oct 29 2014 (Citrix Issues Fix for Citrix XenServer) GNU bash Environment Variable Processing Flaws Let Users Execute Arbitrary Code
Citrix has issued a fix for Citrix XenServer.
Oct 29 2014 (Citrix Issues Fix for Citrix License Server VPX) GNU bash Environment Variable Processing Flaws Let Users Execute Arbitrary Code
Citrix has issued a fix for Citrix License Server VPX.
Oct 29 2014 (Citrix Issues Advisory for Citrix XenClient Enterprise) GNU bash Environment Variable Processing Flaws Let Users Execute Arbitrary Code
Citrix has issued an advisory for Citrix XenClient Enterprise.
Jan 22 2015 (HP Issues Fix for HP Systems Insight Manager for Windows) GNU bash Environment Variable Processing Flaws Let Users Execute Arbitrary Code
HP has issued a fix for HP Systems Insight Manager for Windows.
Jun 2 2015 (Juniper Issues Fix for Juniper SA/SSL VPN) GNU bash Environment Variable Processing Flaws Let Users Execute Arbitrary Code
Juniper has issued a fix for Juniper SA/SSL VPN.
Jun 2 2015 (Juniper Issues Fix for Juniper NSM) GNU bash Environment Variable Processing Flaws Let Users Execute Arbitrary Code
Juniper has issued a fix for Juniper NSM.
Jun 2 2015 (Juniper Issues Fix for Juniper IDP) GNU bash Environment Variable Processing Flaws Let Users Execute Arbitrary Code
Juniper has issued a fix for Juniper IDP.
Jun 2 2015 (Juniper Issues Fix for Juniper SRC) GNU bash Environment Variable Processing Flaws Let Users Execute Arbitrary Code
Juniper has issued a fix for Juniper SRC.
Oct 1 2015 (Apple Issues Fix for Apple OS X) GNU bash Environment Variable Processing Flaws Let Users Execute Arbitrary Code
Apple has issued a fix for Apple OS X.
Apr 8 2017 (IBM Issues Fix for IBM Flex System Manager) GNU bash Environment Variable Processing Flaws Let Users Execute Arbitrary Code
IBM has issued a fix for IBM Flex System Manager.



 Source Message Contents

Subject:  Re: [oss-security] CVE-2014-6271: remote code execution through bash

On Wed, Sep 24, 2014 at 04:05:51PM +0200, Florian Weimer wrote:
> Stephane Chazelas discovered a vulnerability in bash, related to how
> environment variables are processed: trailing code in function
> definitions was executed, independent of the variable name.
> 
> In many common configurations, this vulnerability is exploitable over
> the network.
> 
> Chet Ramey, the GNU bash upstream maintainer, will soon release
> official upstream patches.

More detail is already out:

https://securityblog.redhat.com/2014/09/24/bash-specially-crafted-environment-variables-code-injection-attack/
http://www.csoonline.com/article/2687265/application-security/remote-exploit-in-bash-cve-2014-6271.html

Florian posted a Debian security advisory on this ([DSA 3032-1] bash
security update) to the debian-security-announce list, but somehow it is
not yet seen at:

https://www.debian.org/security/
https://lists.debian.org/debian-security-announce/2014/

(I guess it will be very soon.)

I've just confirmed that the issue can be exploited via OpenSSH setting
SSH_ORIGINAL_COMMAND:

$ ssh -o 'rsaauthentication yes' 0 '() { ignored; }; /usr/bin/id' 
uid=500(sandbox) gid=500(sandbox) groups=500(sandbox)
Received disconnect from 127.0.0.1: Command terminated on signal 11.

This is with command="set" in .ssh/authorized_keys for the key being
used.  (Without the "; /usr/bin/id" portion, the command prints the
environment variables, including SSH_ORIGINAL_COMMAND being the function
with just "ignored" in its body.)  As we can see, the command runs, and
moreover in this case bash happened to segfault after having run "id".

I see no good workaround.  Starting the forced command with "unset
SSH_ORIGINAL_COMMAND &&" does not help - we'd need to unset the variable
before starting bash, not from bash.

TERM is another attack vector, but IIRC sshd does not set TERM when
no-pty is used.  So, speaking of SSH forced commands, it appears to be
only SSH_ORIGINAL_COMMAND that we have no good workaround for.

Indeed, there are many other setups where the problem is exploitable,
not just SSH forced commands.

Alexander
 
 

