oss-sec mailing list archives
binary-patching bash
From: Solar Designer <solar () openwall com>
Date: Mon, 29 Sep 2014 04:44:05 +0400
Hi, I've just tweeted some crazy stuff, and it is even crazier to talk about this on a mailing list focused on Open Source, but ... <solardiz> cp -ip bash{,~} && env - perl -pe 's/\((\) {\0)/\0\1/g' bash > bash~ && test `cmp -l bash{,~} | wc -l` = 1 && ln bash{,-} && mv -v bash{~,} <solardiz> Previous tweet disables function imports in bash due to strncmp(..., 4). Tested on some Linux & FreeBSD, from bash & csh. At your own risk. <solardiz> perl -pe 's/\(\) {\0/(){\0\0/g' followed by an "exactly one match" check may be safer e.g. for an Internet-wide scan^Wpatch. ;-) #shellshock <solardiz> bash 1.14.7 and bash 4.3 (and all inbetween?) use STREQN ("() {", string, 4) and define STREQN via strncmp(). Allows portable binary patch. The idea is that the length 4 STREQN() aka !strncmp() when invoked on a shorter constant string will require that the entire env var value be that string - that is, either empty (in my first tweet above) or a 3-char string (in my third tweet above). Neither case leaves any room for an attacker to provide arbitrary input to the parser via the former function imports feature. This dirty hack may be handy for patching otherwise unmaintained systems. The primary risk I see here is that some build of bash might include custom patches where this check had been changed to use something other than (an equivalent of) strncmp(). I am not aware of any such cases. Here's how to test that the feature is indeed disabled (or at least broken, although that is an insufficient test for security). Before the binary patch: $ testfunc() { echo test; } $ export -f testfunc $ bash -c testfunc test After the binary patch (first tweet): $ testfunc() { echo test; } $ export -f testfunc $ bash -c testfunc bash: testfunc: command not found Alexander
Current thread:
- binary-patching bash Solar Designer (Sep 28)
- Re: binary-patching bash Solar Designer (Sep 28)
- Re: binary-patching bash Solar Designer (Sep 29)