[kwlug-disc] Vulnerability in bash

L.D. Paniak ldpaniak at fourpisolutions.com
Thu Sep 25 10:59:08 EDT 2014


On 09/25/2014 10:52 AM, Chris Irwin wrote:
> On Thu, Sep 25, 2014 at 1:05 AM, B.S. <bs27975 at yahoo.ca> wrote:
>
>
>     Presumably, at the least, a post-update logout/login will be necessary
>     on each machine, if not an entire reboot. (Care to trust that ALL
>     scripts run between turn on and user prompt use sh not bash? And that
>     sh hasn't been inadvertently equivalenced to bash?)
>
>     Given that most of us probably have a command line up (outside of any
>     GUI too!), and thus in memory. Updating will catch any new instances,
>     but not those you're already in the middle of.
>
>     I suppose this means rebooting all servers, too. <sigh?>
>
>
> Rebooting is not necessary. The exploit is only possible when invoking
> bash provided you can set its environment (for example: by crafting a
> user-agent for a bash cgi script). Already running bash processes are
> not exploitable.
>
> cirwin at irwin03:~ $ env x='() { :;}; echo vulnerable' bash -c "echo this is a test"
> vulnerable
> this is a test
> cirwin at irwin03:~ $ sudo yum upgrade bash
> [...]
> cirwin at irwin03:~ $ env x='() { :;}; echo vulnerable' bash -c "echo this is a test"
> bash: warning: x: ignoring function definition attempt
> bash: error importing function definition for `x'
> this is a test
>
> It makes sense that you don't need to close the terminal. The
> vulnerability is environment poisoning before invoking bash -- the
> test in this thread invokes a new bash process, for example. So in
> theory, your running bash sessions were either already exploited, or
> effectively safe.
>
> Interestingly, needs-restarting reported no services or processes that
> should be restarted.
>
> cirwin at irwin03:~ $ sudo needs-restarting
> cirwin at irwin03:~ $
>
> Although `lsof` reports my four bash shells, and the ksmtuned service
> that are using obsolete bash shells (though again, they can't be
> exploited once running). Not sure why needs-restarting misses that
> unless there are some criteria that weren't met.
>
> cirwin at irwin03:~ $ sudo lsof | grep DEL | grep bash
> ksmtuned    707    root  DEL  REG  0,33  371203 /usr/bin/bash;54241eb1
> bash      28791  cirwin  DEL  REG  0,33  371203 /usr/bin/bash;54241eb1
> bash      28859  cirwin  DEL  REG  0,33  371203 /usr/bin/bash;54241eb1
> bash      29091  cirwin  DEL  REG  0,33  371203 /usr/bin/bash;54241eb1
> bash      29151  cirwin  DEL  REG  0,33  371203 /usr/bin/bash;54241eb1
>
>
> -- 
> Chris Irwin
> <chris at chrisirwin.ca>
>
Thanks Chris!  That really clears up questions I had on this issue.
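
Added example (not part of the original thread, and not commands anyone in it posted): a POSIX shell function that lists processes still executing a replaced bash binary, the same inventory as the quoted `lsof | grep DEL | grep bash` output, by reading /proc/<pid>/exe. The function names, the optional PROC_ROOT argument and the fake /proc tree are constructed for illustration; a Linux /proc layout is assumed.

```shell
#!/bin/sh
# Added example: find processes whose executable is a bash binary that has
# since been replaced on disk. Assumption: Linux /proc, where the
# /proc/<pid>/exe symlink target ends in " (deleted)" after the unlink.

# stale_bash_pids [PROC_ROOT]
# Prints "pid<TAB>command<TAB>exe-target" for each matching process.
stale_bash_pids() {
    proc_root=${1:-/proc}
    for dir in "$proc_root"/[0-9]*; do
        [ -d "$dir" ] || continue
        # readlink fails for processes we may not inspect or that have exited
        target=$(readlink "$dir/exe" 2>/dev/null) || continue
        case $target in
            *" (deleted)") ;;
            *) continue ;;
        esac
        path=${target%" (deleted)"}
        # The old file may be renamed before it is unlinked (the thread shows
        # /usr/bin/bash;54241eb1), so drop a ";suffix" from the base name.
        base=${path##*/}
        base=${base%%;*}
        [ "$base" = bash ] || continue
        comm=$(cat "$dir/comm" 2>/dev/null) || comm='?'
        printf '%s\t%s\t%s\n' "${dir##*/}" "$comm" "$target"
    done
}

# make_fake_proc: builds a constructed sample tree (two stale bash users, one
# current bash, one unrelated deleted binary) so the check can run offline.
make_fake_proc() {
    root=$(mktemp -d) || return 1
    for spec in '707:ksmtuned:/usr/bin/bash;54241eb1 (deleted)' \
                '28791:bash:/usr/bin/bash;54241eb1 (deleted)' \
                '30000:bash:/usr/bin/bash' \
                '30001:sshd:/usr/sbin/sshd (deleted)'; do
        pid=${spec%%:*}; rest=${spec#*:}
        mkdir "$root/$pid"
        echo "${rest%%:*}" > "$root/$pid/comm"
        ln -s "${rest#*:}" "$root/$pid/exe"
    done
    echo "$root"
}

# Scan the live system by default; run as root to see other users' processes.
stale_bash_pids "${1:-/proc}"
```

Scripts started with a `#!/bin/bash` line show up here under their own command name, as ksmtuned does in the quoted lsof output.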

