Re: bash "Shell Shock" vulnerability

From: "Joh Lindley" <joh.lindley@dcwest.net.au>
>> Is Apple's sh a bash? I thought they are using FreeBSD's userland (FreeBSD's sh is not affected [at least the tests are negative and there is no SA])
>
> It would appear so.
>
> sh-3.2$ env x='() { :;}; echo vulnerable' bash -c "echo this is a test"
> vulnerable
> this is a test

You are calling the bash [not /bin/sh] here. It shows that you have a bash installed.

Regards
Peter

Right you are. I overlooked that. However calling it correctly still gives the same

    sh-3.2$ env x='() { :;}; echo vulnerable' /bin/sh -c "echo this is a test"
    vulnerable
    this is a test

However, as Douglas stated earlier, it's limited to bash and sh in OSX, the others seem to be ok.

    sh-3.2$ env x='() { :;}; echo vulnerable' /bin/csh -c "echo this is a test"
    this is a test

On 26 Sep 2014, at 2:25 pm, Peter Ross <Petros.Listig@fdrive.com.au> wrote:
> From: "Joh Lindley" <joh.lindley@dcwest.net.au>
>>> Is Apple's sh a bash? I thought they are using FreeBSD's userland (FreeBSD's sh is not affected [at least the tests are negative and there is no SA])
>>
>> It would appear so.
>>
>> sh-3.2$ env x='() { :;}; echo vulnerable' bash -c "echo this is a test"
>> vulnerable
>> this is a test
>
> You are calling the bash [not /bin/sh] here. It shows that you have a bash installed.
>
> Regards
> Peter

_______________________________________________
luv-main mailing list
luv-main@luv.asn.au
http://lists.luv.asn.au/listinfo/luv-main

Slightly off-topic for the excellent technical discussion on this matter (go luv!), I've noticed the ABC's reporting on this has changed somewhat over the hours.

The report earlier this morning said that the Free Software Foundation was unavailable for comment.

http://www.abc.net.au/news/2014-09-25/new-software-bug-may-pose-bigger-threa...

I took the opportunity to email them and point out the FSF had issued a substantial media release on the subject. I imagine others may have pointed this out to them as well.

Their afternoon news is somewhat improved.

http://www.abc.net.au/news/2014-09-26/shellshock-bug-leaves-up-to-500-millio...

--
Lev Lafayette, BA (Hons), GradCertTerAdEd (Murdoch), GradCertPM, MBA (Tech Mngmnt) (Chifley)
mobile: 0432 255 208
RFC 1855 Netiquette Guidelines http://www.ietf.org/rfc/rfc1855.txt

Lev Lafayette wrote:
> Their afternoon news is somewhat improved.
> http://www.abc.net.au/news/2014-09-26/shellshock-bug-leaves-up-to-500-millio...

Presumably referring to the accuracy, rather than the content? Any news regarding mobile phones and routers etc?

regards Rohan McLeod

Firstly, that test is for CVE-2014-6271. People should also be aware of CVE-2014-7169, which circumvents the first attempt at a fix. I found this explanation of how it works helpful: http://serverfault.com/a/631379/134053

Secondly, don't assume that Debian's default symlink of /bin/sh to /bin/dash means you are not vulnerable to holes in bash. There's a lot of scripts and system calls around which explicitly invoke `bash` rather than `sh`. Also if a user uses /bin/bash as their shell, then this bug gives a way to circumvent command restrictions on a given ssh key, as configured in ~/.ssh/authorized_keys.

With FreeBSD systems, most would have bash installed, but like Debian, /bin/sh is not bash. I'm not surprised that Macs have bash installed, but is /bin/sh equal to bash, or is it something else?

Andrew McNaughton

On 26/09/14 12:25, Peter Ross wrote:
> From: "Joh Lindley" <joh.lindley@dcwest.net.au>
>>> Is Apple's sh a bash? I thought they are using FreeBSD's userland (FreeBSD's sh is not affected [at least the tests are negative and there is no SA])
>>
>> It would appear so.
>>
>> sh-3.2$ env x='() { :;}; echo vulnerable' bash -c "echo this is a test"
>> vulnerable
>> this is a test
>
> You are calling the bash [not /bin/sh] here. It shows that you have a bash installed.
>
> Regards
> Peter
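
The two points in the message above (a binary named sh can really be bash, and scripts that name bash directly still run it where /bin/sh is dash) can be checked with the sketch below. It is an added example, not part of the original thread: the function names are made up here, the probe string is the one quoted in the thread, and it covers CVE-2014-6271 only, not CVE-2014-7169.

```shell
#!/bin/sh
# Added example: find which shell paths are really bash and whether they run
# code smuggled in through the environment, using this thread's harmless probe.

# is_bash SHELL: true if it identifies itself as GNU bash, whatever its file
# name is (the /bin/sh case on the Mac discussed in this thread).
is_bash() {
    "$1" --version </dev/null 2>/dev/null | head -n 1 | grep -q '^GNU bash'
}

# runs_env_code SHELL: true if the CVE-2014-6271 probe prints "vulnerable".
# The prefix assignment exports x to SHELL just as `env x=...` does.
runs_env_code() {
    x='() { :;}; echo vulnerable' "$1" -c 'echo this is a test' \
        </dev/null 2>/dev/null | grep -qx 'vulnerable'
}

# bash_scripts DIR: list files whose first line names bash, which is how bash
# still gets run on systems where /bin/sh is dash.
bash_scripts() {
    find "$1" -type f 2>/dev/null | while IFS= read -r f; do
        first=$(head -n 1 "$f" 2>/dev/null | tr -d '\000')
        case $first in
            '#!'*bash*) printf '%s\n' "$f" ;;
        esac
    done
}

# audit SHELL...: print "shell kind state" for every shell that exists.
audit() {
    for s in "$@"; do
        command -v "$s" >/dev/null 2>&1 || continue
        kind=other; state=ok
        if is_bash "$s"; then kind=bash; fi
        if runs_env_code "$s"; then state=VULNERABLE; fi
        printf '%s %s %s\n' "$s" "$kind" "$state"
    done
}

audit /bin/sh /bin/bash /bin/dash /bin/csh
```

Running `bash_scripts /etc` or `bash_scripts /usr/local/bin` lists the scripts that would still hand their environment to bash on a host whose /bin/sh is dash.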

On Fri, 26 Sep 2014, Andrew McN <andrew@mcnaughty.com> wrote:
> Secondly, don't assume that Debian's default symlink of /bin/sh to /bin/dash means you are not vulnerable to holes in bash. There's a lot of scripts and system calls around which explicitly invoke `bash` rather than `sh`. Also if a user uses /bin/bash as their shell, then this bug gives a way to circumvent command restrictions on a given ssh key, as configured in ~/.ssh/authorized_keys.

    #!/bin/bash
    echo ok

I created a script named zz with the above contents. I ran the following test using bash 4.2+dfsg-0.1 from Debian/Wheezy (the unfixed version) and got an unexpected SEGV.

    # ORIG="() { :;} ; touch /tmp/ohno" ./zz
    /bin/bash: touch: No such file or directory
    Segmentation fault

I also got a SEGV from remote when the shell for root was /bin/sh (dash). I verified that either bash as the root shell or as the shell for a script was sufficient for an exploit.

--
My Main Blog http://etbe.coker.com.au/
My Documents Blog http://doc.coker.com.au/

On Sat, Sep 27, 2014 at 12:55:30AM +1000, Russell Coker wrote:
> #!/bin/bash
> echo ok
>
> I created a script named zz with the above contents. I ran the following test using bash 4.2+dfsg-0.1 from Debian/Wheezy (the unfixed version) and got an unexpected SEGV.
>
> # ORIG="() { :;} ; touch /tmp/ohno" ./zz
> /bin/bash: touch: No such file or directory
> Segmentation fault

The segfault goes away if you start the script "#!/bin/bash -p". Does that mean such scripts defeat the exploit? I always used to start my scripts that way to avoid inheriting functions from the environment; but I stopped exporting functions a while ago...

Cheers ... Duncan.

Andrew - not the same binary...

    $ ls -i /bin/{,ba}sh
    25299 /bin/bash 25300 /bin/sh
    $ sum !$
    sum /bin/{,ba}sh
    1049 1316 /bin/sh
    22810 1315 /bin/bash

On 26/09/14 11:59 PM, Andrew McN wrote:
> I'm not surprised that Macs have bash installed, but is /bin/sh equal to bash, or is it something else?
>
> Andrew McNaughton

and even different sizes

    $ ls -l !$
    ls -l /bin/{,ba}sh
    -r-xr-xr-x 1 root wheel 1346544 15 Feb 2010 /bin/bash
    -r-xr-xr-x 1 root wheel 1346624 15 Feb 2010 /bin/sh

but

    $ /bin/sh --version
    GNU bash, version 3.2.48(1)-release (x86_64-apple-darwin10.0)
    Copyright (C) 2007 Free Software Foundation, Inc.
    $ /bin/bash --version
    GNU bash, version 3.2.48(1)-release (x86_64-apple-darwin10.0)
    Copyright (C) 2007 Free Software Foundation, Inc.

cheers, Douglas

participants (8)
- Andrew McN
- Douglas Ray
- Duncan Roe
- Joh Lindley
- Lev Lafayette
- Peter Ross
- Rohan McLeod
- Russell Coker