
Re: GNU Bash profile code execution vulnerability enquiry


From: Eli Schwartz
Subject: Re: GNU Bash profile code execution vulnerability enquiry
Date: Wed, 28 Oct 2020 14:09:26 -0400

On 10/28/20 1:11 PM, Rachel Alderman wrote:
> Hi Bash Maintainers,
> 
> I've been made aware of a GNU Bash profile code execution vulnerability 
> https://exchange.xforce.ibmcloud.com/vulnerabilities/173116 reported last 
> December (2019-12-16)
> Description: GNU Bash could allow a remote attacker to execute arbitrary 
> code on the system, caused by improper access control by the Bash profile. 
> By persuading a victim to open the Bash terminal, an attacker could 
> exploit this vulnerability to execute arbitrary code on the system. 
> https://packetstormsecurity.com/files/155687
> CVSS Base Score: 8.8
> CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H)
> There is no CVE identifier associated with the vulnerability and I've been 
> unable to determine whether there is a remediation available. Is anyone 
> aware of this vulnerability and where it may be tracked in GNU Bash?

I looked at your links. It seems this is a metasploit module of type
"payload".

Metasploit modules come in different types:
- exploit: use a vulnerability to break into a system
- payload: once the exploit is successful, inject shellcode into the
  system to do something malicious

This specific payload uses a benevolent feature of GNU bash, subverted
to evil purposes: the ability to run initialization commands when
opening the terminal. In this case, the initialization command is a
malware payload.

There is no code execution vulnerability here, bash is a program that
exists solely to perform code execution and you are supposed to treat
your bash profile as security-sensitive.

There is no way for an attacker to exploit this over the network. Bash
does not read a profile from the network, and the profile is not
accessible over the network. An attacker would need to first log in to
your system with full privileges in order to install the malware. The
malware would then run locally.

Of course, any malware might itself contain a service to communicate
over the network and receive updated attack instructions or open a
backdoor. But this does not mean Bash itself is vulnerable to network
attacks...

...

In short: The IBM X-Force Exchange entry is completely incorrect and
misunderstood the packetstorm link. The entry should be withdrawn entirely.

-- 
Eli Schwartz
Arch Linux Bug Wrangler and Trusted User
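The point made above (bash executes whatever its startup files contain, so those files are as security-sensitive as any other executable, and only someone who can already write to them can plant commands there) suggests the practical check a defender would run: verify that nobody but the intended owner can modify them. The script below is an added example, not code from this thread or from the bash project; the function names and the list of startup files it inspects are assumptions.

```shell
#!/bin/sh
# Added example (not from the bug-bash thread): audit the files bash executes
# at startup for ownership/permission weaknesses that would let someone other
# than the owner plant commands there. Function and file names are assumptions.

# check_startup_file FILE OWNER
# Success (0) when FILE does not exist, or is a regular file owned by OWNER
# and writable by nobody else; failure (1) with a printed finding otherwise.
check_startup_file() {
    file=$1
    owner=$2
    [ -e "$file" ] || return 0   # absent startup file: bash has nothing to run
    if [ ! -f "$file" ]; then
        echo "FINDING: $file is not a regular file"
        return 1
    fi
    # find(1) with -user is POSIX and works the same on GNU and BSD systems
    if [ -z "$(find "$file" -user "$owner" -print 2>/dev/null)" ]; then
        echo "FINDING: $file is not owned by $owner"
        return 1
    fi
    # -perm -020 / -002: group-writable or other-writable bit set
    if [ -n "$(find "$file" \( -perm -020 -o -perm -002 \) -print 2>/dev/null)" ]; then
        echo "FINDING: $file is group- or world-writable"
        return 1
    fi
    return 0
}

# audit_bash_startup: system-wide files must belong to root, per-user files
# (the ones an interactive or login bash reads from $HOME) to the current user.
# Returns the number of findings (the shell caps a return status at 255).
audit_bash_startup() {
    findings=0
    for f in /etc/profile /etc/bash.bashrc; do
        check_startup_file "$f" root || findings=$((findings + 1))
    done
    me=$(id -un)
    for f in "$HOME/.bash_profile" "$HOME/.bash_login" "$HOME/.profile" \
             "$HOME/.bashrc" "$HOME/.bash_logout"; do
        check_startup_file "$f" "$me" || findings=$((findings + 1))
    done
    echo "bash startup file audit: $findings finding(s)"
    return $findings
}

audit_bash_startup
```

Run it as the user whose environment you are checking; findings go to stdout and the exit status is the finding count, so it fits a cron job or a CI step without further wrapping. It deliberately says nothing about what the files contain: the thread's point is that whatever they contain is meant to run, so the only meaningful control is who can write them.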
