oss-sec mailing list archives

Re: Re: CVE-2014-6271: remote code execution through bash (3rd vulnerability)

From: Florian Weimer <fweimer () redhat com>
Date: Fri, 26 Sep 2014 13:33:21 +0200

On 09/26/2014 10:54 AM, Mark R Bannister wrote:

Testing patch 25 and 26 from Chet, it looks to me like this is still an incomplete fix.  The third vulnerability I'd 
like to report is the feature itself in bash that allows functions to be passed in the environment, e.g.
$ env ls='() { echo vulnerable; }' bash -c ls

This allows an attacker to replace a command used by a bash script with arbitrary code.  It is then down to an attacker 
to find a suitable command that the bash script (or any child shells) might call without a path component.

I can't see this being a problem for Apache custom headers (the variable name is turned to uppercase and prefixed by 
HTTP_), nor sudo commands if env_reset is on (the default), but this continues to be a major vulnerability for setuid/setgid 
scripts (S_ISUID or S_ISGID) where the environment is preserved.

I agree this looks scary at first glance, but we discussed thispreviously, see for example:


  <http://www.openwall.com/lists/oss-security/2014/09/24/20>

Shell scripts derive part of their power and flexibility from theiropenness to the execution environment. You can tweak PATH, BASH_ENV (orENV for other Bourne-like shells), IFS, HOME, and many other variablesto change behavior. There are even more knobs to affect the behavior ofthe external commands almost all shell scripts call when they run.

This makes them not suitable at all for writing SUID programs or othercode that runs in untrusted environments. This is well-documented, andgiven the amount of shell scripts out there which rely on these aspectsof the UNIX shell design, it's not something we can change, particularlynot as part of a security update which system administrators are more orless forced to install.

In your specific example, you can achieve the same effect by settingPATH to a directory with a customer ls program, or by setting BASH_ENVto a file which contains a definition of a function called ls.

Overriding external programs with shell functions in such a way has tobe supported. Otherwise, scripts which define shell functions wouldbreak if the system administrator installs new software which happens toinclude a program of the same name of the shell function.


--
Florian Weimer / Red Hat Product Security

Current thread:

Re: CVE-2014-6271: remote code execution through bash (3rd vulnerability) Mark R Bannister (Sep 26)
- <Possible follow-ups>
- Re: Re: CVE-2014-6271: remote code execution through bash (3rd vulnerability) Hanno Böck (Sep 26)
- Re: Re: CVE-2014-6271: remote code execution through bash (3rd vulnerability) Florian Weimer (Sep 26)
  - Re: Re: CVE-2014-6271: remote code execution through bash (3rd vulnerability) John Haxby (Sep 26)
    - Re: Re: CVE-2014-6271: remote code execution through bash (3rd vulnerability) Bernhard Hermann (Sep 26)
    - Re: Re: CVE-2014-6271: remote code execution through bash (3rd vulnerability) Christos Zoulas (Sep 26)
    - Re: Re: Re: CVE-2014-6271: remote code execution through bash (3rd vulnerability) Bryan Drewery (Sep 26)
    - Re: Re: Re: CVE-2014-6271: remote code execution through bash (3rd vulnerability) Bryan Drewery (Sep 28)
    - Re: Re: Re: CVE-2014-6271: remote code execution through bash (3rd vulnerability) Loganaden Velvindron (Sep 29)
    - Re: Re: CVE-2014-6271: remote code execution through bash (3rd vulnerability) Giles Coochey (Sep 29)
    - Re: Re: CVE-2014-6271: remote code execution through bash (3rd vulnerability) Michal Zalewski (Sep 29)
    - Re: Re: CVE-2014-6271: remote code execution through bash (3rd vulnerability) Michal Zalewski (Sep 29)
    - Re: Re: CVE-2014-6271: remote code execution through bash (3rd vulnerability) Osmond Sun (Sep 29)

(Thread continues...)