Remote exploit vulnerability in bash CVE-2014-6271

A remotely exploitable vulnerability has been discovered by Stephane Chazelas in bash on Linux and it is unpleasant. The vulnerability has the CVE identifier CVE-2014-6271. This affects Debian as well as other Linux distributions. If you have Microsoft Services for UNIX you will need to patch ASAP.

Bash supports exporting shell functions, in addition to shell variables, to other bash instances. This is done by passing them to the child process through its environment.

From Debian:

Current bash versions use an environment variable named by the function name, and a function definition starting with “() {” in the variable value to propagate function definitions through the environment.  The vulnerability occurs because bash does not stop after processing the function definition; it continues to parse and execute shell commands following the function definition.  For example, an environment variable setting of

 VAR=() { ignored; }; /bin/id

will execute /bin/id when the environment is imported into the bash process.  (The process is in a slightly undefined state at this point. The PATH variable may not have been set up yet, and bash could crash after executing /bin/id, but the damage has already happened at this point.)

The fact that an environment variable with an arbitrary name can be used as a carrier for a malicious function definition containing trailing commands makes this vulnerability particularly severe; it enables network-based exploitation.


The major attack vectors that have been identified in this case are HTTP requests and CGI scripts. Here is a sample 

If you have a username in your authorization header, this could also be an attack vector.

Another attack surface is OpenSSH, through AcceptEnv variables as well as TERM and SSH_ORIGINAL_COMMAND. An environment variable with an arbitrary name can carry a malicious function definition, which enables network-based exploitation. This is fire bad.
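The HTTP/CGI and SSH vectors above share one signature: a value that begins with the `() {` function-definition marker and carries text after the closing brace of the function body, which is exactly what a vulnerable bash went on to execute. The following detector is an added example written for this post, not code from the original article or from Debian; the header names, the CGI-style environment, the log lines and the IP addresses are all constructed for illustration. It separates a harmless exported function from one with trailing commands, and applies the same check to the quoted fields of web server access-log lines.

```python
import re

# Constructed sample inputs (not from the original post): request headers and
# SSH-forwarded environment variables, as a CGI script or a login shell would see them.
SAMPLE_INPUTS = {
    "User-Agent": "() { :; }; /bin/id",          # function definition followed by a command
    "Authorization": "Basic dXNlcjpwYXNz",         # ordinary header
    "TERM": "xterm-256color",                      # ordinary environment variable
    "LC_ALL": "() { :; }",                         # exported function, nothing after the body
    "Cookie": "session=abc; () { ignored; }; id",  # marker not at the start of the value
}

# Constructed Combined Log Format lines; documentation-range addresses.
SAMPLE_ACCESS_LOG = [
    '203.0.113.5 - - [25/Sep/2014:10:00:00 +0000] "GET /cgi-bin/status HTTP/1.1" 200 512 "-" "() { :; }; /bin/id"',
    '198.51.100.7 - - [25/Sep/2014:10:00:01 +0000] "GET /index.html HTTP/1.1" 200 2048 "-" "Mozilla/5.0"',
]

# bash only imports a function from the environment when the value starts with the
# "() {" marker, so the check is anchored at the beginning of the value.
FUNC_DEF_RE = re.compile(r"^\(\)\s*\{")


def find_trailing_commands(value: str):
    """Return the text after the function body, or None if the value carries no
    function definition. Brace depth is tracked so nested braces in the body do not
    end the function early."""
    m = FUNC_DEF_RE.match(value)
    if m is None:
        return None
    depth = 0
    i = m.end() - 1  # index of the opening brace
    while i < len(value):
        if value[i] == "{":
            depth += 1
        elif value[i] == "}":
            depth -= 1
            if depth == 0:
                return value[i + 1:].strip()
        i += 1
    # Unterminated body: treat whatever follows the marker as suspicious.
    return value[m.end():].strip()


def classify(value: str) -> str:
    """'clean', 'function-only' (definition with nothing after it) or
    'trailing-commands' (the shape described in the Debian advisory)."""
    trailing = find_trailing_commands(value)
    if trailing is None:
        return "clean"
    if trailing in ("", ";"):
        return "function-only"
    return "trailing-commands"


def scan(inputs: dict) -> dict:
    """Classify every header / environment value in a mapping."""
    return {name: classify(v) for name, v in inputs.items()}


def flag_log_lines(lines):
    """Return the access-log lines whose quoted fields (request, referer, user agent)
    contain a function definition with trailing commands."""
    flagged = []
    for line in lines:
        quoted = re.findall(r'"((?:[^"\\]|\\.)*)"', line)
        if any(classify(q) == "trailing-commands" for q in quoted):
            flagged.append(line)
    return flagged


if __name__ == "__main__":
    for name, verdict in scan(SAMPLE_INPUTS).items():
        print(f"{name:14s} {verdict}")
    for line in flag_log_lines(SAMPLE_ACCESS_LOG):
        print("FLAGGED:", line)
```

The `Cookie` entry is reported clean because the marker is not at the start of the value, which is the condition under which bash imports a function; the `LC_ALL` entry is reported as a plain exported function, which is the legitimate feature the advisory describes. Only values with text after the function body are flagged, so the detector does not fire on ordinary use of exported functions.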

The race is on. Will you be able to patch before Metasploit has a working exploit? 

Ready…GO!

Support Information:

  1. Novell/SuSE
  2. Debian
  3. Ubuntu
  4. Mint
  5. Redhat/Fedora
  6. Mageia
  7. CentOS

Looking for a specific distribution? Check out DistroWatch.

(Image used under CC from spcbrass)
