From route@infonexus.com Thu Aug 22 09:08:39 1996 Return-Path: route Received: (from route@localhost) by onyx.infonexus.com (8.6.12/8.6.9) id JAA16324 for root; Thu, 22 Aug 1996 09:08:39 -0700 From: infinity Message-Id: <199608221608.JAA16324@onyx.infonexus.com> Subject: BoS: Mycroftish description of bash hole. (fwd) To: root@infonexus.com (thought) Date: Thu, 22 Aug 1996 09:08:37 -0700 (PDT) X-Mailer: ELM [version 2.4 PL24] MIME-Version: 1.0 Content-Type: text/plain; charset=US-ASCII Content-Transfer-Encoding: 7bit Content-Length: 13945 Status: O Matthew Aldous's thoughts were: >From best-of-security-request@suburbia.net Thu Aug 22 03:19:38 1996 Resent-Date: Thu, 22 Aug 1996 19:10:29 +1000 From: "Matthew Aldous" Message-Id: <9608221626.ZM5530@discovery.mhri.edu.au> Date: Thu, 22 Aug 1996 16:26:56 -0400 X-Files: The Truth Is Out There X-Disclaimer: Comments contained do not necessarily represent those of my employer X-Copyright: Portions of this message may be subject to copyright. (C) 1996 Matthew Aldous X-Warning: Comments contained may be devoid of fact or truth. X-Url: http://www.mhri.edu.au X-Mailer: Z-Mail (3.2.3 08feb96 MediaMail) To: meditation@gnu.ai.mit.edu Mime-Version: 1.0 Content-Type: text/plain; charset=us-ascii Sender: proff@suburbia.net Resent-Message-ID: <"LiUCO2.0.6m.3G27o"@suburbia> Resent-From: best-of-security@suburbia.net X-Mailing-List: archive/latest/246 X-Loop: best-of-security@suburbia.net Precedence: list Resent-Sender: best-of-security-request@suburbia.net Subject: BoS: Mycroftish description of bash hole. Whilst I know you might not care for security problems on meditation, I just wanted to splode over the description of *why* this problem exists. (If you read section B, it's very mycroftish.) ------------------------------------------------------------------------------ register char *string; vs. register unsigned char *string; ------------------------------------------------------------------------------ Matt -----BEGIN PGP SIGNED MESSAGE----- AUSCERT has received the following Alert from the IBM ERS team concerning a vulnerability in the GNU "bash" shell. It is passed on for your information. If you believe that your system has been compromised, contact AUSCERT or your representative in FIRST (Forum of Incident Response and Security Teams). AUSCERT maintains an anonymous FTP service which is found on: ftp://ftp.auscert.org.au/pub/. This archive contains past SERT and AUSCERT Advisories, and other computer security information. AUSCERT also maintains a World Wide Web service which is found on: http://www.auscert.org.au/. Internet Email: auscert@auscert.org.au Facsimile: (07) 3365 4477 Telephone: (07) 3365 4417 (International: +61 7 3365 4417) AUSCERT personnel answer during Queensland business hours which are GMT+10:00 (AEST). On call after hours for emergencies. - -- Begin Included Advisory -- - --ERS-ALERT--ERS-ALERT--ERS-ALERT--ERS-ALERT--ERS-ALERT--ERS-ALERT--ERS-ALERT-- - ---EXTERNAL RELEASE---EXTERNAL RELEASE---EXTERNAL RELEASE---EXTERNAL RELEASE--- ======= ============ ====== ====== ======= ============== ======= ======= === === ==== ====== ====== === =========== ======= ======= === =========== === ======= === === === ==== === ===== === ======= ============== ===== === ===== ======= ============ ===== = ===== EMERGENCY RESPONSE SERVICE SECURITY VULNERABILITY ALERT 21 August 1996 13:00 GMT Number: ERS-SVA-E01-1996:004.1 =============================================================================== VULNERABILITY SUMMARY VULNERABILITY: A variable declaration error in "bash" allows the character with value 255 decimal to be used as a command separator. PLATFORMS: Bash 1.14.6 and earlier versions. SOLUTION: Apply the patch provided below. THREAT: When used in environments where users provide strings to be used as commands or arguments to commands, "bash" can be tricked into executing arbitrary commands. =============================================================================== DETAILED INFORMATION I. Description A. Introduction The GNU Project's Bourne Again SHell ("bash") is a drop-in replacement for the UNIX Bourne shell (/bin/sh). It offers the same syntax as the standard shell, but also includes additional functionality such as job control, command line editing, and history. Although "bash" can be compiled and installed on almost any UNIX platform, its most prevalent use is on "free" versions of UNIX such as Linux, where it has been installed as "/bin/sh" (the default shell for most uses). The "bash" source code is freely available from many sites on the Internet. B. Vulnerability Details There is a variable declaration error in the "yy_string_get()" function in the "parser.y" module of the "bash" source code. This function is responsible for parsing the user-provided command line into separate tokens (commands, special characters, arguments, etc.). The error involves the variable "string," which has been declared to be of type "char *." The "string" variable is used to traverse the character string containing the command line to be parsed. As characters are retrieved from this pointer, they are stored in a variable of type "int." On systems/compilers where the "char" type defaults to "signed char", this vaule will be sign-extended when it is assigned to the "int" variable. For character code 255 decimal (-1 in two's complement form), this sign extension results in the value (-1) being assigned to the integer. However, (-1) is used in other parts of the parser to indicate the end of a command. Thus, the character code 255 decimal (377 octal) will serve as an unintended command separator for commands given to "bash" via the "-c" option. For example, bash -c 'ls\377who' (where "\377" represents the single character with value 255 decimal) will execute two commands, "ls" and "who." II. Impact This unexpected command separator can be dangerous, especially on systems such as Linux where "bash" has been installed as "/bin/sh," when a program executes a command with a string provided by a user as an argument using the "system()" or "popen()" functions (or by calling "/bin/sh -c string" directly). This is especially true for the CGI programming interface in World Wide Web servers, many of which do not strip out characters with value 255 decimal. If a user sending data to the server can specify the character code 255 in a string that is passed to a shell, and that shell is "bash," the user can execute any arbitrary command with the user-id and permissions of the user running the server (frequently "root"). The "bash" built-in commands "eval," "source," and "fc" are also potentially vulnerable to this problem. III. Solutions A. How to alleviate the problem This problem can be alleviated by changing the declaration of the "string" variable in the "yy_string_get()" function from "char *" to "unsigned char *." B. Official fix from the "bash" maintainers The "bash" maintainers have told us they plan to fix this problem in Version 2.0 of "bash," but this will not be released for at least a few more months. C. Unofficial fix until the official version is released Until the "bash" maintainers release Version 2.0, this problem can be fixed by applying the patch below to the "bash" source code, recompiling the program, and installing the new version. The patch below is for Version 1.14.6 of "bash." Source code for this version can be obtained from ftp://prep.ai.mit.edu/pub/gnu/bash-1.14.6.tar.gz as well as many other sites around the Internet. - ---------------------------------- cut here ---------------------------------- *** parse.y.old Thu Nov 2 15:00:51 1995 - --- parse.y Tue Aug 20 09:16:48 1996 *************** *** 904,910 **** static int yy_string_get () { ! register char *string; register int c; string = bash_input.location.string; - --- 904,910 ---- static int yy_string_get () { ! register unsigned char *string; register int c; string = bash_input.location.string; - ---------------------------------- cut here ---------------------------------- To apply this patch, save the text between the two "--- cut here ---" lines to a file, change directories to the "bash" source directory, and issue the command patch < filename If you do not have the "patch" program, you can obtain it from ftp://prep.ai.mit.edu/pub/gnu/patch-2.1.tar.gz or you can apply the patch by hand. After applying the patch, recompile and reinstall the "bash" program by following the directions in the "INSTALL" file, included as part of the "bash" distribution. This patch is provided "AS IS" without warranty of any kind, including, without limitation, any implied warranties of merchantibility or fitness for a particular purpose. This advisory does not create or imply any support obligations or any other liability on the part of IBM or its subsidiaries. IV. Acknowledgements IBM-ERS would like to thank the IBM Global Security Analysis Laboratory at the IBM T. J. Watson Research Center for their discovery of this vulnerability, bringing it to our attention, providing the patch to fix it, and assistance in developing this alert. UNIX is a technology trademark of X/Open Company, Ltd. =============================================================================== IBM's Internet Emergency Response Service (IBM-ERS) is a subscription-based Internet security response service that includes computer security incident response and management, regular electronic verification of your Internet gateway(s), and security vulnerability alerts similar to this one that are tailored to your specific computing environment. By acting as an extension of your own internal security staff, IBM-ERS's team of Internet security experts helps you quickly detect and respond to attacks and exposures across your Internet connection(s). As a part of IBM's Business Recovery Services organization, the IBM Internet Emergency Response Service is a component of IBM's SecureWay(tm) line of security products and services. From hardware to software to consulting, SecureWay solutions can give you the assurance and expertise you need to protect your valuable business resources. To find out more about the IBM Internet Emergency Response Service, send an electronic mail message to ers-sales@vnet.ibm.com, or call 1-800-742-2493 (Prompt 4). IBM-ERS maintains a site on the World Wide Web at http://www.ers.ibm.com/. Visit the site for information about the service, copies of security alerts, team contact information, and other items. IBM-ERS uses Pretty Good Privacy* (PGP*) as the digital signature mechanism for security vulnerability alerts and other distributed information. The IBM-ERS PGP* public key is available from http://www.ers.ibm.com/team-info/pgpkey.html. "Pretty Good Privacy" and "PGP" are trademarks of Philip Zimmerman. IBM-ERS is a Member Team of the Forum of Incident Response and Security Teams (FIRST), a global organization established to foster cooperation and response coordination among computer security teams worldwide. Copyright 1996 International Business Machines Corporation. The information in this document is provided as a service to customers of the IBM Emergency Response Service. Neither International Business Machines Corporation, Integrated Systems Solutions Corporation, nor any of their employees, makes any warranty, express or implied, or assumes any legal liability or responsibility for the accuracy, completeness, or usefulness of any information, apparatus, product, or process contained herein, or represents that its use would not infringe any privately owned rights. Reference herein to any specific commercial products, process, or service by trade name, trademark, manufacturer, or otherwise, does not necessarily constitute or imply its endorsement, recommendation or favoring by IBM or its subsidiaries. The views and opinions of authors expressed herein do not necessarily state or reflect those of IBM or its subsidiaries, and may not be used for advertising or product endorsement purposes. The material in this security alert may be reproduced and distributed, without permission, in whole or in part, by other security incident response teams (both commercial and non-commercial), provided the above copyright is kept intact and due credit is given to IBM-ERS. This security alert may be reproduced and distributed, without permission, in its entirety only, by any person provided such reproduction and/or distribution is performed for non-commercial purposes and with the intent of increasing the awareness of the Internet community. - ---EXTERNAL RELEASE---EXTERNAL RELEASE---EXTERNAL RELEASE---EXTERNAL RELEASE--- - --ERS-ALERT--ERS-ALERT--ERS-ALERT--ERS-ALERT--ERS-ALERT--ERS-ALERT--ERS-ALERT-- - -- End Included Advisory -- -----BEGIN PGP SIGNATURE----- Version: 2.6.2i Comment: Finger pgp@ftp.auscert.org.au to retrieve AUSCERT's public key iQCVAwUBMhx7xCh9+71yA2DNAQGktAP8D5SBbZRrdn9vgVzjMO6ZtapWmudSAlm+ QUmYzGebC9AxndCkciZX94CqAfdg/aBJY6i6/Z0+R8DHy1ndABbQ4iGirzot9I2V TIFUktCvxdifRGR4wTKLHTwFaFdW+b0R2GDhDsF05qf5vKF27qwameQKV0Smo3tA QpK8oLlQO4s= =/JYb -----END PGP SIGNATURE----- -- ------------------------------------------------------------------------------- "System Administration: It's a dirty job, but someone said I had to do it." Matthew Aldous : 019339629 : mda@mhri.edu.au : Mental Health Research Institute ------------------------------------------------------------------------------- -- [ route@infonexus.com ] Editor, Phrack Magazine / Guild Corporation Chair the greatest trick the devil ever pulled was convincing the world he didn't exist