[kwlug-disc] Vulnerability in bash
Chris Irwin
chris at chrisirwin.ca
Thu Sep 25 10:52:03 EDT 2014
On Thu, Sep 25, 2014 at 1:05 AM, B.S. <bs27975 at yahoo.ca> wrote:
>
> Presumably, at the least, a post-update logout/login will be necessary
> on each machine, if not an entire reboot. (Care to trust that ALL
> scripts run between turn on and user prompt use sh not bash? And that
> sh hasn't been inadvertently equivalenced to bash?)
>
> Given that most of us probably have a command line up (outside of any
> GUI too!), and thus in memory. Updating will catch any new instances,
> but not those you're already in the middle of.
>
> I suppose this means rebooting all servers, too. <sigh?>
>
Rebooting is not necessary. The exploit is only possible when invoking bash
provided you can set its environment (for example: by crafting a
user-agent for a bash cgi script). Already running bash processes are not
exploitable.
cirwin at irwin03:~ $ env x='() { :;}; echo vulnerable' bash -c "echo this is a test"
vulnerable
this is a test
cirwin at irwin03:~ $ sudo yum upgrade bash
[...]
cirwin at irwin03:~ $ env x='() { :;}; echo vulnerable' bash -c "echo this is a test"
bash: warning: x: ignoring function definition attempt
bash: error importing function definition for `x'
this is a test
It makes sense that you don't need to close the terminal. The vulnerability
is environment poisoning before invoking bash -- the test in this thread
invokes a new bash process, for example. So in theory, your running bash
sessions were either already exploited, or effectively safe.
Interestingly, needs-restarting reported no services or processes that
should be restarted.
cirwin at irwin03:~ $ sudo needs-restarting
cirwin at irwin03:~ $
Although `lsof` reports my four bash shells, and the ksmtuned service that
are using obsolete bash shells (though again, they can't be exploited once
running). Not sure why needs-restarting misses that unless there is some
criteria that wasn't met.
cirwin at irwin03:~ $ sudo lsof | grep DEL | grep bash
ksmtuned 707 root DEL REG 0,33 371203 /usr/bin/bash;54241eb1
bash 28791 cirwin DEL REG 0,33 371203 /usr/bin/bash;54241eb1
bash 28859 cirwin DEL REG 0,33 371203 /usr/bin/bash;54241eb1
bash 29091 cirwin DEL REG 0,33 371203 /usr/bin/bash;54241eb1
bash 29151 cirwin DEL REG 0,33 371203 /usr/bin/bash;54241eb1
--
Chris Irwin
<chris at chrisirwin.ca>
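
Added example, not part of the original post: shell functions for the check discussed above, listing processes that still run a bash binary replaced by the upgrade. The function names and the sample lsof rows are constructed for illustration, and the lsof parser assumes the default column layout with no TID column.

```shell
#!/bin/sh
# Added example (not from the original post): find processes still running a
# bash binary that a package upgrade has since replaced on disk.

# Constructed sample in lsof's column layout, modelled on the output above.
SAMPLE_LSOF='COMMAND    PID   USER  FD  TYPE DEVICE SIZE/OFF   NODE NAME
ksmtuned   707   root DEL   REG   0,33          371203 /usr/bin/bash;54241eb1
bash     28791 cirwin DEL   REG   0,33          371203 /usr/bin/bash;54241eb1
bash     28791 cirwin DEL   REG   0,33          380001 /usr/lib64/libc-2.18.so;54241eb1
bash     30010 cirwin txt   REG   0,33   960376 371999 /usr/bin/bash
sshd      1200   root DEL   REG   0,33          380001 /usr/lib64/libc-2.18.so;54241eb1
bash     29151 cirwin DEL   REG   0,33          371203 /usr/bin/bash;54241eb1'

# Read lsof output on stdin and print "PID COMMAND" once per process that maps
# a deleted (FD column "DEL") file whose path ends in /bash, with or without
# the ";hex" suffix seen in the output above. Other deleted files are ignored.
stale_bash_from_lsof() {
    awk '$4 == "DEL" && $NF ~ /\/bash(;[0-9a-f]+)?$/ && !seen[$2]++ { print $2, $1 }'
}

# Live check on Linux without lsof: readlink on /proc/PID/exe ends in
# " (deleted)" when the file the process was started from has been unlinked.
# Run as root to see other users' processes.
stale_bash_from_proc() {
    for exe in /proc/[0-9]*/exe; do
        target=$(readlink "$exe" 2>/dev/null) || continue
        case $target in
            */bash" (deleted)" | */bash";"*" (deleted)")
                pid=${exe#/proc/}
                pid=${pid%/exe}
                echo "$pid $(cat "/proc/$pid/comm" 2>/dev/null)"
                ;;
        esac
    done
}

# Demonstration on the constructed sample; on a real host use instead:
#   sudo lsof | stale_bash_from_lsof
#   sudo sh -c '. ./this_script.sh; stale_bash_from_proc'
printf '%s\n' "$SAMPLE_LSOF" | stale_bash_from_lsof
```

Each PID reported is a candidate for restarting at a convenient time so that it picks up the upgraded binary.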