Re: Exploit 2 (CVE-2014-7169)

bug-bash

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: Exploit 2 (CVE-2014-7169)

From:	Eric Blake
Subject:	Re: Exploit 2 (CVE-2014-7169)
Date:	Fri, 26 Sep 2014 14:31:01 -0600
User-agent:	Mozilla/5.0 (X11; Linux x86_64; rv:31.0) Gecko/20100101 Thunderbird/31.1.0

On 09/26/2014 10:27 AM, Brady Cummings wrote:
> Bash Maintainers,
> 
> Bash Version      :  GNU bash, version 4.3.25(2)-release (i686-pc-linux-gnu)
> OS Version        :  Fedora release 8
> Processor         :  Intel Atom D425 1.8GHz Single-core 
> RAM               :  1GB
> Compilation Flags :  Defaults (compiles fine)
> 
> Bug:  Exploit 2 (CVE-2014-7169) still exists 4.3.25(2) version when complied 
> in Fedora Core 8. 

Yes.  We know.  Chet will shortly be publishing 4.3.26:

http://www.openwall.com/lists/oss-security/2014/09/26/1

Meanwhile, I _highly_ recommend this additional patch:

http://www.openwall.com/lists/oss-security/2014/09/25/13

as it will also make you immune to CVE-2014-7186 and CVE-2014-7187, at
least from the perspective that arbitrary variable assignments can no
longer trigger those crashes (even if your bash in isolation is still
buggy, the point of the patch is to put exported variables in a
different namespace than normal shell variables, and also has the
benefit of making bash no longer violate POSIX with regards to exporting
normal variables with arbitrary contents).  I have not yet seen
one-liner formulas to probe whether your build of bash is vulnerable to
those two CVEs through environment variables, but as those parser bugs
are public, here goes my attempt:

$ env 'f=() { true <<EOF <<EOF <<EOF <<EOF <<EOF <<EOF <<EOF <<EOF <<EOF
<<EOF <<EOF <<EOF <<EOF <<EOF' ~/bash/bash -c 'echo hi'
Segmentation fault (core dumped)

Although my formula only triggers a core dump, I suspect it's only a
matter of time before someone figures out how to convert that core dump
into a heap corruption that can be exploited into full arbitrary code
execution.

Contrast that to what happens for an immune build, such as the bash on
my recently-updated Fedora 20 box:

$ echo $BASH_VERSION
4.2.47(1)-release
bash: f: line 2: syntax error: unexpected end of file
bash: line 2: warning: here-document at line 2 delimited by end-of-file
(wanted `EOF')
...
bash: line 2: warning: here-document at line 2 delimited by end-of-file
(wanted `EOF')
bash: line 2: make_here_document: bad instruction type 33
bash: error importing function definition for `f'
hi

For more details on these two:
http://www.openwall.com/lists/oss-security/2014/09/25/32

> This message is for the named person's use only. You must not, directly or 
> indirectly, use,

Sorry, but this is a publicly archived list.  Your employer's legalese
blurb is unenforceable here.

-- 
Eric Blake   eblake redhat com    +1-919-301-3266
Libvirt virtualization library http://libvirt.org

signature.asc
Description: OpenPGP digital signature

[Prev in Thread]

Current Thread

[Next in Thread]

Exploit 2 (CVE-2014-7169), Brady Cummings, 2014/09/26
- Re: Exploit 2 (CVE-2014-7169), Eric Blake <=

Prev by Date: Re: Detecting invocation as /bin/sh ?
Next by Date: Re: CVE-2014-7169 vs CVE-2014-6271
Previous by thread: Exploit 2 (CVE-2014-7169)
Next by thread: Environment variable of a name which is often used
Index(es):
- Date
- Thread