Patch for bash?

slapsave
Posts: 7
Joined: 25 Sep 2011, 16:36

Patch for bash?

Post by slapsave » 24 Sep 2014, 22:06

There is a security vulnerability in the bash shell, and I have verified that my B3 is vulnerable.

Will there be a new package available for the B3?

mmmark
Posts: 3
Joined: 24 Jun 2014, 08:50

Re: Patch for bash?

Post by mmmark » 25 Sep 2014, 07:43

+1 to this. Does this rely on Debian releasing a patch? I'm guessing it possibly does. I haven't seen any confirmation that Debian has a patch as yet...

Ubi
Posts: 1547
Joined: 17 Jul 2007, 09:01

Re: Patch for bash?

Post by Ubi » 25 Sep 2014, 08:28

There won't be in the near future.
The thing is, unless you run a service on which people you don't know log into, this exploit does not concern you. The application is in the combination of a user being able to set an environment variable that is read without sanitation by another user. So basically CGI scripts could be vulnerable (if you don't run suexec...). The reason why this exploit has so much traction is that there isn't a good workaround, and some public servers cannot run the risk.

I have yet to see a real world example of this exploit that results in local or remote privilege escalations. Please provide one, I'm really curious.

RandomUsername
Posts: 904
Joined: 09 Oct 2009, 18:49

Re: Patch for bash?

Post by RandomUsername » 25 Sep 2014, 11:16

B2/B3 runs CGI by default does it not? And is therefore potentially vulnerable by that method.

The one I'm most concerned about is the attack vector through DHCP. We've just been discussing at work about how that would work - DHCP client goes to DHCP server and says e.g. "what's my domain name", the server replies "your domain name is X and by the way, run this code: rm -rf /". DHCP client (which is running as root) executes the code and pow!, system compromised.

Hopefully, I can rely on my ISP not to have a compromised DHCP server, but...

[EDIT]Although, a quick scan of all the dhclient exit and enter hook scripts on the B3 appear to call /bin/sh on the shebang line which is dash and therefore not vulnerable.
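
An added example (not part of the original post and not B3 code): one way to repeat that shebang check over a whole directory of hook scripts, resolving what each named interpreter really points to. The directory is passed as an argument; no B3 path is assumed, and all function names are illustrative.

```python
import os
import shutil
import sys

def shebang_interpreter(path):
    """Return the interpreter named on a script's shebang line, or None."""
    with open(path, "rb") as fh:
        first = fh.readline(256)
    if not first.startswith(b"#!"):
        return None
    parts = first[2:].decode("utf-8", "replace").split()
    if not parts:
        return None
    # "#!/usr/bin/env bash": the interpreter is env's first argument.
    if os.path.basename(parts[0]) == "env" and len(parts) > 1:
        return parts[1]
    return parts[0]

def resolve(interpreter):
    """Follow PATH lookup and symlinks, e.g. /bin/sh -> dash."""
    located = interpreter if os.path.isabs(interpreter) else shutil.which(interpreter)
    return os.path.realpath(located or interpreter)

def audit_scripts(directory):
    """Return {file name: (shebang interpreter, resolved binary, runs_bash)}."""
    report = {}
    for name in sorted(os.listdir(directory)):
        path = os.path.join(directory, name)
        if not os.path.isfile(path):
            continue
        interp = shebang_interpreter(path)
        if interp is None:
            # No shebang: the file runs under whichever shell sources or
            # invokes it, so the answer is undetermined from the file alone.
            report[name] = (None, None, None)
            continue
        binary = resolve(interp)
        report[name] = (interp, binary, os.path.basename(binary) == "bash")
    return report

if __name__ == "__main__":
    # Directory to audit comes from the command line (defaults to ".").
    target = sys.argv[1] if len(sys.argv) > 1 else "."
    for name, (interp, binary, runs_bash) in audit_scripts(target).items():
        flag = {True: "BASH", False: "ok", None: "?"}[runs_bash]
        print(f"{flag:5}{name}: {interp} -> {binary}")
```

Files reported with "?" have no shebang, so the shell of the parent script that sources them has to be audited as well.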

slapsave
Posts: 7
Joined: 25 Sep 2011, 16:36

Re: Patch for bash?

Post by slapsave » 25 Sep 2014, 12:18

I like running the RoundCube webmail service on my B3. It uses bash and apache to serve pages.

I would gladly post a URL or two showing more detail on the exploit, but this forum editor won't allow me to submit them.

RandomUsername
Posts: 904
Joined: 09 Oct 2009, 18:49

Re: Patch for bash?

Post by RandomUsername » 25 Sep 2014, 13:01

You need to have a higher post count - it's spam protection.

I hadn't considered roundcube might be vulnerable, I use that myself. Maybe one of the forum admins can lift the block on you posting URLs.

Ubi
Posts: 1547
Joined: 17 Jul 2007, 09:01

Re: Patch for bash?

Post by Ubi » 25 Sep 2014, 14:53

I do not need more details on the exploit, it's perfectly clear. I need an example of privilege escalation due to this exploit.

slapsave
Posts: 7
Joined: 25 Sep 2011, 16:36

Re: Patch for bash?

Post by slapsave » 25 Sep 2014, 15:32

A great explanation of where the risk really starts (from a Slashdot post):

Suppose you have pwd.cgi, which prints the name of the current directory:

#!/bin/sh
echo -e "Content-type: text/plain\n\n"
pwd

Notice the script uses no input at all. It is potentially vulnerable. Here's why. Suppose you did want to validate your input. You'd look at the contents of $QUERY_STRING, right? You can find what the user entered in the QUERY_STRING environment variable because bash puts it there. That's the step where the problem lies - bash can EXECUTE the contents of the query string while setting the environment variable. This occurs before the user's script even begins to run.

Ubi
Posts: 1547
Joined: 17 Jul 2007, 09:01

Re: Patch for bash?

Post by Ubi » 25 Sep 2014, 15:51

Yes, but it executes it at the privileges of the user that crafted the exploit

slapsave
Posts: 7
Joined: 25 Sep 2011, 16:36

Re: Patch for bash?

Post by slapsave » 25 Sep 2014, 16:07


slapsave
Posts: 7
Joined: 25 Sep 2011, 16:36

Re: Patch for bash?

Post by slapsave » 25 Sep 2014, 16:37

It would probably be good to scan your http logs for probes such as:

89.207.135.125 - - [24/Sep/2014:23:08:56 -0700] "GET /cgi-sys/defaultwebpage.cgi HTTP/1.0" 301 338 "-" "() { :;}; /bin/ping -c 1 198.101.206.138"
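
An added example, not part of the original post: a scanner for the marker in the log line above, applied to every quoted field of an Apache combined-format line rather than only the User-Agent. The first sample line is the one quoted in the post; the other three are constructed, and the function and variable names are illustrative.

```python
import re

# Apache "combined" format:
# ip ident user [time] "request" status size "referer" "user-agent"
QUOTED = r'"((?:[^"\\]|\\.)*)"'
LINE_RE = re.compile(
    r'^(\S+) \S+ \S+ \[([^\]]+)\] ' + QUOTED + r' (\d{3}) \S+'
    r'(?: ' + QUOTED + r' ' + QUOTED + r')?'
)
# The probe in the post puts a function definition "() {" at the very start
# of a header value, so match it there or right after a URL/quote delimiter.
# Anchoring this way keeps JavaScript such as "function(){}" from matching.
MARKER_RE = re.compile(r'(?:^|[?&=\s"])\(\)\s*\{')

# First line is quoted in the post; the remaining three are constructed.
SAMPLE_LOG = [
    '89.207.135.125 - - [24/Sep/2014:23:08:56 -0700] "GET /cgi-sys/defaultwebpage.cgi HTTP/1.0" 301 338 "-" "() { :;}; /bin/ping -c 1 198.101.206.138"',
    '192.0.2.10 - - [25/Sep/2014:08:00:01 -0700] "GET /index.html HTTP/1.1" 200 512 "-" "Mozilla/5.0 (X11; Linux x86_64)"',
    '203.0.113.7 - - [25/Sep/2014:09:12:44 -0700] "GET /cgi-bin/status HTTP/1.1" 404 209 "() { :;}; echo constructed-marker" "curl/7.38.0"',
    '198.51.100.3 - - [25/Sep/2014:09:30:00 -0700] "GET /js/app.js?cb=function(){} HTTP/1.1" 200 90 "-" "Mozilla/5.0"',
]

def find_probes(lines):
    """Return one record per field that carries the function-definition marker."""
    hits = []
    for lineno, line in enumerate(lines, 1):
        m = LINE_RE.match(line)
        if m:
            ip, when, request, status, referer, agent = m.groups()
            fields = (("request", request), ("referer", referer), ("user-agent", agent))
        else:
            # Unparsed line: search the whole text instead of dropping it.
            ip = when = status = None
            fields = (("raw", line),)
        for field, value in fields:
            if value and MARKER_RE.search(value):
                hits.append({"line": lineno, "ip": ip, "time": when,
                             "status": status, "field": field, "value": value})
    return hits

if __name__ == "__main__":
    for hit in find_probes(SAMPLE_LOG):
        print("{line}: {ip} [{time}] status={status} {field}: {value}".format(**hit))
```

The status code is kept in each record because it separates probes that were redirected or rejected, like the 301 above, from requests that actually reached a script.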

Ubi
Posts: 1547
Joined: 17 Jul 2007, 09:01

Re: Patch for bash?

Post by Ubi » 25 Sep 2014, 16:58

The exploit is typical for cgi scripts written in bash that interpret environment variables loosely. Although bash on the B3 is vulnerable, the web interface does not seem to be, as it does not use bash but mostly perl. Now there is a small possibility that there is a call to bash in those scripts. The code is in github.

Gordon
Posts: 1322
Joined: 10 Aug 2011, 03:18

Re: Patch for bash?

Post by Gordon » 25 Sep 2014, 17:41

I agree with Ubi.

The exploit relies on you running some service that allows passing arbitrary information and uses bash to pass execution over to some other program. The obvious suspects in this case are web based frontends to other services, e.g. webmail. And essentially if the exploit works, the web frontend is at fault because apparently it doesn't check the validity of the supplied arguments.

Also, and I stated this before, all my apache logs show that hackers never use domain names trying their exploits - only raw IP addresses. Therefore, all you need to do is change the default page to something meaningless (like apache's "It Works!" page) and let your actual content be served by a named vhost, be it your easyfind name or a domain you own yourself (or both), and the hacker will never know that your B3 is actually vulnerable.

Ubi
Posts: 1547
Joined: 17 Jul 2007, 09:01

Re: Patch for bash?

Post by Ubi » 26 Sep 2014, 04:41

So are you running a B3 server where people you do not know log into? I did not say the B3 is invulnerable, that exponentiation is yours only. I suggest you read more carefully first and then accuse me.

Reality is that the implementation that the machine is made for and most likely used for is very unlikely to be at risk. If you modify the B3 software, you should take responsibility for that change.

But instead of accusing me of wrongdoing, you could have spent that time to look at the sources and verify if there was a vulnerability. That would have been a more constructive addition to the thread.

RandomUsername
Posts: 904
Joined: 09 Oct 2009, 18:49

Re: Patch for bash?

Post by RandomUsername » 26 Sep 2014, 04:48

Would you stake your children's life that nothing on the B3 is remotely vulnerable because of this bug? If so, then good for you. I disabled CGI on mine when we had the last apache vulnerability, but are you sure the B3's implementation of CGI is not vulnerable? The B3 runs FTP by default, have you tested that? I don't have all the answers but I am also not saying I do either.
