Remote Exploit Vulnerability Found In Bash

James C
Posts: 6618
Joined: Thu 26 Mar 2009, 05:12
Location: Kentucky

#1 Post by James C »

Remote Exploit Vulnerability Found In Bash

http://linux.slashdot.org/story/14/09/2 ... nd-in-bash
A remotely exploitable vulnerability has been discovered by Stephane Chazelas in bash on Linux, and it is unpleasant. The vulnerability has the CVE identifier CVE-2014-6271. This affects Debian as well as other Linux distributions. The major attack vectors that have been identified in this case are HTTP requests and CGI scripts. Another attack surface is OpenSSH through the use of AcceptEnv variables. Also through TERM and SSH_ORIGINAL_COMMAND. An environmental variable with an arbitrary name can carry a nefarious function which can enable network exploitation.
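As an added illustration, not part of the post or the linked article: the mechanism the article alludes to is bash's function export, in which a function definition travels to child shells as an environment variable whose value starts with `() {`. The script below shows that legitimate round trip and then runs the widely published self-test for CVE-2014-6271, reporting whether the local bash still executes a command appended after an imported function body. It assumes `bash` is on PATH and reports `no-bash` otherwise; the function names are the example's own.

```shell
#!/bin/sh
# Added example, not from the forum thread. Assumes `bash` is on PATH.

# Legitimate feature the bug lives in: an exported function is handed to a
# child bash through the environment and is callable there.
# Prints "hello from parent" (or "no-bash" when bash is absent).
exported_function_roundtrip() {
    command -v bash >/dev/null 2>&1 || { echo no-bash; return 0; }
    bash -c 'greet() { echo "hello from parent"; }; export -f greet; bash -c greet'
}

# Shows the raw environment entry that carries an exported function.
# An unpatched bash names the entry after the function itself; a fixed bash
# wraps the name (for example BASH_FUNC_greet%%), so an ordinary variable
# is never parsed as a function definition.
show_function_env_entry() {
    command -v bash >/dev/null 2>&1 || { echo no-bash; return 0; }
    bash -c 'greet() { :; }; export -f greet; env | grep -F greet'
}

# Self-test for CVE-2014-6271: a plain variable whose value begins with
# "() {" and is followed by an extra command. A vulnerable bash imports it
# as a function and also runs the trailing command, so "vulnerable" shows
# up in the output; a fixed bash prints only "test".
# Returns one of: vulnerable, patched, no-bash.
check_shellshock() {
    command -v bash >/dev/null 2>&1 || { echo no-bash; return 0; }
    out=$(env 'x=() { :;}; echo vulnerable' bash -c 'echo test' 2>/dev/null)
    case "$out" in
        *vulnerable*) echo vulnerable ;;
        *)            echo patched ;;
    esac
}

printf 'function round trip : %s\n' "$(exported_function_roundtrip)"
printf 'environment entry   : %s\n' "$(show_function_env_entry)"
printf 'CVE-2014-6271 check : %s\n' "$(check_shellshock)"
```

The variable name `x` is arbitrary, which is exactly the point the article makes: any attacker-controlled environment variable (an HTTP header copied into the CGI environment, a value passed through OpenSSH `AcceptEnv`) reaches the same code path, so the fix had to be in bash's import logic rather than in any one variable name.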

James C
Posts: 6618
Joined: Thu 26 Mar 2009, 05:12
Location: Kentucky

#2 Post by James C »

https://marc.info/?l=oss-security&m=141157106132018&w=2
Someone has posted large parts of the prenotification as a news article, so in the interest of full disclosure, here is what we wrote to the non-vendors (vendors also received patches):

Debian and other GNU/Linux vendors plan to disclose a critical, remotely exploitable security vulnerability in bash this week, related to the processing of environment variables. Stephane Chazelas discovered it, and CVE-2014-6271 has been assigned to it.

The issue is currently under embargo (not public), and you receive this message as a courtesy notification because we assume that you have network-based filtering capabilities, so that you can work on ways to protect a significant number of customers. However, you should not yet distribute IPS/IDS signatures, publicly or to customers.

At present, public disclosure is scheduled for Wednesday, 2014-09-24 14:00 UTC. We do not expect the schedule to change, but we may be forced to revise it.
The technical details of the vulnerability are at the above link.
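The notification quoted above mentions IPS/IDS signatures. As an added example, not from the thread or the notification, the script below runs the kind of pattern such a signature relies on over a few constructed web-server access-log lines: the `() {` marker of a function-definition attempt showing up in a request header, which is how the HTTP/CGI vector the first post describes looks from the server side. The log lines and function names are made up for the example; a real deployment would read the server's own log and inspect every header the CGI handler copies into the environment, not just User-Agent.

```shell
#!/bin/sh
# Added example, not from the thread. Sample lines are constructed, not real traffic.

# Three Apache-style access-log lines (combined format: the last two quoted
# fields are Referer and User-Agent). Only the third carries a function
# definition attempt in its User-Agent header.
sample_log() {
    cat <<'EOF'
203.0.113.7 - - [24/Sep/2014:15:01:02 +0000] "GET /index.html HTTP/1.1" 200 512 "-" "Mozilla/5.0"
203.0.113.8 - - [24/Sep/2014:15:01:09 +0000] "GET /cgi-bin/status HTTP/1.1" 200 88 "-" "curl/7.35.0"
198.51.100.9 - - [24/Sep/2014:15:02:44 +0000] "GET /cgi-bin/status HTTP/1.1" 200 88 "-" "() { :;}; echo vulnerable"
EOF
}

# ERE for the marker: "(" optional blanks ")" optional blanks "{", so spacing
# variants such as "(){" or "( ) {" still match. Parentheses and the brace
# are escaped because they are ERE metacharacters.
SHELLSHOCK_ERE='\([[:space:]]*\)[[:space:]]*\{'

# Prints "client-ip request-path" for each matching line
# ($1 is the client address, $7 the request path in combined format).
find_shellshock_requests() {
    sample_log | grep -E "$SHELLSHOCK_ERE" | awk '{ print $1, $7 }'
}

# Number of matching lines.
count_shellshock_requests() {
    sample_log | grep -cE "$SHELLSHOCK_ERE"
}

# Checks a single header value, as an inline filter would. Returns 0 when the
# marker is present, 1 otherwise.
header_has_marker() {
    printf '%s' "$1" | grep -qE "$SHELLSHOCK_ERE"
}

echo "Suspicious requests (client-ip request-path):"
find_shellshock_requests
echo "Count: $(count_shellshock_requests)"
```

Matching on the marker rather than on any particular payload is deliberate: the marker is what the bash parser keys on, so it stays stable across payload variants, while a signature written for one specific command string would miss the next one.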

mavrothal
Posts: 3096
Joined: Mon 24 Aug 2009, 18:23

#3 Post by mavrothal »

Bash has already been patched for all major distros and the source code.
Some more info here

Sage
Posts: 5536
Joined: Tue 04 Oct 2005, 08:34
Location: GB

#4 Post by Sage »

mavrothal wrote: Ba(s)h has been already patched for all major distros and the source code.
Not so sure about 'already'. Mint bash 4.3.1 arrived about two hours after the news item appeared this morning, which is good, but the vulnerability appears to have existed for a rather long time.

prehistoric
Posts: 1744
Joined: Tue 23 Oct 2007, 17:34

#5 Post by prehistoric »

This convinces me that running browsers as special user "spot" is a good idea. I was already doing so. This user only has write access to directories /root/spot and /root/spot/download. Unless they have a way to escalate privileges, I doubt they could exploit this at my end.

The big problem lies at the server end, where there is considerable motivation to fix this quickly and avoid lawsuits for consequential damages.

Is Windows 7 more secure? After my latest battles with machines so badly infested they were unusable, I'd say nobody understands everything Windoze is doing much of the time. This includes Microsoft.

Dumb tricks malicious attackers had pulled: flip the hidden attribute on randomly chosen files to convince the user the disk was failing; remove the hot key for TrustedInstaller from the registry; corrupt the program in the hidden restore partition which checks certificates on downloaded or restored system components. For those not in the know, TrustedInstaller is the program which replaces corrupted system files when found by the system file checker. I didn't try to use a restore point because I simply assumed attackers had managed to insert malware in these, which has become common.

This was the first time I have seen a specific corruption of the hidden restore partition, which is not even visible or mounted in normal operation, to disable checking certificates. I caught on when I was warned that the supplier of CMD.EXE could not be recognized. That program was OK, it was the program which checks certificates that was bad. These were not random faults.

With millions of systems so thoroughly compromised how can you trust anything out on the Internet? If there is no hole in the software for your servers, are you sure about the machine your technical wizards used for remote access when you had a late-night emergency? They would be better off running Puppy from a closed DVD which cannot remember any results from previous attacks.
