Visit our newest sister site!
Hundreds of free aircraft flight manuals
Civilian • Historical • Military • Declassified • FREE!


TUCoPS :: Unix :: General :: bashhole.txt

Hole in BASH




From route@infonexus.com Thu Aug 22 09:08:39 1996
Return-Path: route
Received: (from route@localhost) by onyx.infonexus.com (8.6.12/8.6.9) id JAA16324 for root; Thu, 22 Aug 1996 09:08:39 -0700
From: infinity <route@infonexus.com>
Message-Id: <199608221608.JAA16324@onyx.infonexus.com>
Subject: BoS: Mycroftish description of bash hole. (fwd)
To: root@infonexus.com (thought)
Date: Thu, 22 Aug 1996 09:08:37 -0700 (PDT)
X-Mailer: ELM [version 2.4 PL24]
MIME-Version: 1.0
Content-Type: text/plain; charset=US-ASCII
Content-Transfer-Encoding: 7bit
Content-Length: 13945     
Status: O

Matthew Aldous's thoughts were:
>From best-of-security-request@suburbia.net Thu Aug 22 03:19:38 1996
Resent-Date: Thu, 22 Aug 1996 19:10:29 +1000
From: "Matthew Aldous" <mda@discovery.mhri.edu.au>
Message-Id: <9608221626.ZM5530@discovery.mhri.edu.au>
Date: Thu, 22 Aug 1996 16:26:56 -0400
X-Files: The Truth Is Out There
X-Disclaimer: Comments contained do not necessarily represent those of my employer
X-Copyright: Portions of this message may be subject to copyright. (C) 1996 Matthew Aldous
X-Warning: Comments contained may be devoid of fact or truth.
X-Url: http://www.mhri.edu.au
X-Mailer: Z-Mail (3.2.3 08feb96 MediaMail)
To: meditation@gnu.ai.mit.edu
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Sender: proff@suburbia.net
Resent-Message-ID: <"LiUCO2.0.6m.3G27o"@suburbia>
Resent-From: best-of-security@suburbia.net
X-Mailing-List: <best-of-security@suburbia.net> archive/latest/246
X-Loop: best-of-security@suburbia.net
Precedence: list
Resent-Sender: best-of-security-request@suburbia.net
Subject: BoS: Mycroftish description of bash hole.

Whilst I know you might not care for security problems on meditation,
I just wanted to splode over the description of *why* this problem exists.

(If you read section B, it's very mycroftish.)


------------------------------------------------------------------------------
register char *string;         vs.      register unsigned char *string;
------------------------------------------------------------------------------

Matt
-----BEGIN PGP SIGNED MESSAGE-----


AUSCERT has received the following Alert from the IBM ERS team concerning a
vulnerability in the GNU "bash" shell.  It is passed on for your information.

If you believe that your system has been compromised, contact AUSCERT or your
representative in FIRST (Forum of Incident Response and Security Teams).

AUSCERT maintains an anonymous FTP service which is found on:
ftp://ftp.auscert.org.au/pub/.  This archive contains past SERT and AUSCERT
Advisories, and other computer security information.

AUSCERT also maintains a World Wide Web service which is found on:
http://www.auscert.org.au/.

Internet Email: auscert@auscert.org.au
Facsimile:	(07) 3365 4477
Telephone:	(07) 3365 4417 (International: +61 7 3365 4417)
		AUSCERT personnel answer during Queensland business hours
		which are GMT+10:00 (AEST).
		On call after hours for emergencies.

- -- Begin Included Advisory --

- --ERS-ALERT--ERS-ALERT--ERS-ALERT--ERS-ALERT--ERS-ALERT--ERS-ALERT--ERS-ALERT--
- ---EXTERNAL RELEASE---EXTERNAL RELEASE---EXTERNAL RELEASE---EXTERNAL
RELEASE---

                  =======  ============    ======       ======
                  =======  ==============  =======     =======
                    ===      ===     ====    ======   ======
                    ===      ===========     ======= =======
                    ===      ===========     === ======= ===
                    ===      ===     ====    ===  =====  ===
                  =======  ==============  =====   ===   =====
                  =======  ============    =====    =    =====

                           EMERGENCY RESPONSE SERVICE
			  SECURITY VULNERABILITY ALERT

21 August 1996 13:00 GMT                         Number: ERS-SVA-E01-1996:004.1
===============================================================================
                             VULNERABILITY  SUMMARY

VULNERABILITY:  A variable declaration error in "bash" allows the character
		with value 255 decimal to be used as a command separator.

PLATFORMS:	Bash 1.14.6 and earlier versions.

SOLUTION:	Apply the patch provided below.

THREAT:		When used in environments where users provide strings to be
		used as commands or arguments to commands, "bash" can be
		tricked into executing arbitrary commands.

===============================================================================
                              DETAILED INFORMATION

I. Description

   A. Introduction

      The GNU Project's Bourne Again SHell ("bash") is a drop-in replacement
      for the UNIX Bourne shell (/bin/sh).  It offers the same syntax as the
      standard shell, but also includes additional functionality such as job
      control, command line editing, and history.

      Although "bash" can be compiled and installed on almost any UNIX
      platform, its most prevalent use is on "free" versions of UNIX such as
      Linux, where it has been installed as "/bin/sh" (the default shell for
      most uses).

      The "bash" source code is freely available from many sites on the
      Internet.

   B. Vulnerability Details

      There is a variable declaration error in the "yy_string_get()" function
      in the "parser.y" module of the "bash" source code.  This function is
      responsible for parsing the user-provided command line into separate
      tokens (commands, special characters, arguments, etc.).  The error
      involves the variable "string," which has been declared to be of type
      "char *."

      The "string" variable is used to traverse the character string
      containing the command line to be parsed.  As characters are retrieved
      from this pointer, they are stored in a variable of type "int."  On
      systems/compilers where the "char" type defaults to "signed char", this
      vaule will be sign-extended when it is assigned to the "int" variable.
      For character code 255 decimal (-1 in two's complement form), this sign
      extension results in the value (-1) being assigned to the integer.

      However, (-1) is used in other parts of the parser to indicate the end
      of a command.  Thus, the character code 255 decimal (377 octal) will
      serve as an unintended command separator for commands given to "bash"
      via the "-c" option.  For example,

	bash -c 'ls\377who'

      (where "\377" represents the single character with value 255 decimal)
      will execute two commands, "ls" and "who."

II. Impact

This unexpected command separator can be dangerous, especially on systems such
as Linux where "bash" has been installed as "/bin/sh," when a program executes
a command with a string provided by a user as an argument using the "system()"
or "popen()" functions (or by calling "/bin/sh -c string" directly).

This is especially true for the CGI programming interface in World Wide Web
servers, many of which do not strip out characters with value 255 decimal.  If
a user sending data to the server can specify the character code 255 in a
string that is passed to a shell, and that shell is "bash," the user can
execute any arbitrary command with the user-id and permissions of the user
running the server (frequently "root").

The "bash" built-in commands "eval," "source," and "fc" are also potentially
vulnerable to this problem.

III. Solutions

   A. How to alleviate the problem

      This problem can be alleviated by changing the declaration of the
      "string" variable in the "yy_string_get()" function from "char *" to
      "unsigned char *."

   B. Official fix from the "bash" maintainers

      The "bash" maintainers have told us they plan to fix this problem in
      Version 2.0 of "bash," but this will not be released for at least a few
      more months.

   C. Unofficial fix until the official version is released

      Until the "bash" maintainers release Version 2.0, this problem can be
      fixed by applying the patch below to the "bash" source code, recompiling
      the program, and installing the new version.

      The patch below is for Version 1.14.6 of "bash."  Source code for this
      version can be obtained from

	 ftp://prep.ai.mit.edu/pub/gnu/bash-1.14.6.tar.gz

      as well as many other sites around the Internet.

- ---------------------------------- cut here
----------------------------------
*** parse.y.old Thu Nov  2 15:00:51 1995
- --- parse.y     Tue Aug 20 09:16:48 1996
***************
*** 904,910 ****
  static int
  yy_string_get ()
  {
!   register char *string;
    register int c;

    string = bash_input.location.string;
- --- 904,910 ----
  static int
  yy_string_get ()
  {
!   register unsigned char *string;
    register int c;

    string = bash_input.location.string;
- ---------------------------------- cut here
----------------------------------

      To apply this patch, save the text between the two "--- cut here ---"
      lines to a file, change directories to the "bash" source directory, and
      issue the command

	patch < filename

      If you do not have the "patch" program, you can obtain it from

	ftp://prep.ai.mit.edu/pub/gnu/patch-2.1.tar.gz

      or you can apply the patch by hand.

      After applying the patch, recompile and reinstall the "bash" program by
      following the directions in the "INSTALL" file, included as part of the
      "bash" distribution.

      This patch is provided "AS IS" without warranty of any kind, including,
      without limitation, any implied warranties of merchantibility or fitness
      for a particular purpose.  This advisory does not create or imply any
      support obligations or any other liability on the part of IBM or its
      subsidiaries.

IV. Acknowledgements

IBM-ERS would like to thank the IBM Global Security Analysis Laboratory at the
IBM T. J. Watson Research Center for their discovery of this vulnerability,
bringing it to our attention, providing the patch to fix it, and assistance in
developing this alert.

UNIX is a technology trademark of X/Open Company, Ltd.

===============================================================================

IBM's Internet Emergency Response Service (IBM-ERS) is a subscription-based
Internet security response service that includes computer security incident
response and management, regular electronic verification of your Internet
gateway(s), and security vulnerability alerts similar to this one that are
tailored to your specific computing environment.  By acting as an extension
of your own internal security staff, IBM-ERS's team of Internet security
experts helps you quickly detect and respond to attacks and exposures across
your Internet connection(s).

As a part of IBM's Business Recovery Services organization, the IBM Internet
Emergency Response Service is a component of IBM's SecureWay(tm) line of
security products and services.  From hardware to software to consulting,
SecureWay solutions can give you the assurance and expertise you need to
protect your valuable business resources.  To find out more about the IBM
Internet Emergency Response Service, send an electronic mail message to
ers-sales@vnet.ibm.com, or call 1-800-742-2493 (Prompt 4).

IBM-ERS maintains a site on the World Wide Web at http://www.ers.ibm.com/.
Visit the site for information about the service, copies of security alerts,
team contact information, and other items.

IBM-ERS uses Pretty Good Privacy* (PGP*) as the digital signature mechanism for
security vulnerability alerts and other distributed information.  The IBM-ERS
PGP* public key is available from http://www.ers.ibm.com/team-info/pgpkey.html.
"Pretty Good Privacy" and "PGP" are trademarks of Philip Zimmerman.

IBM-ERS is a Member Team of the Forum of Incident Response and Security Teams
(FIRST), a global organization established to foster cooperation and response
coordination among computer security teams worldwide.

Copyright 1996 International Business Machines Corporation.

The information in this document is provided as a service to customers of
the IBM Emergency Response Service.  Neither International Business Machines
Corporation, Integrated Systems Solutions Corporation, nor any of their
employees, makes any warranty, express or implied, or assumes any legal
liability or responsibility for the accuracy, completeness, or usefulness of
any information, apparatus, product, or process contained herein, or
represents that its use would not infringe any privately owned rights.
Reference herein to any specific commercial products, process, or service by
trade name, trademark, manufacturer, or otherwise, does not necessarily
constitute or imply its endorsement, recommendation or favoring by IBM or
its subsidiaries.  The views and opinions of authors expressed herein do not
necessarily state or reflect those of IBM or its subsidiaries, and may not be
used for advertising or product endorsement purposes.

The material in this security alert may be reproduced and distributed,
without permission, in whole or in part, by other security incident response
teams (both commercial and non-commercial), provided the above copyright is
kept intact and due credit is given to IBM-ERS.

This security alert may be reproduced and distributed, without permission,
in its entirety only, by any person provided such reproduction and/or
distribution is performed for non-commercial purposes and with the intent of
increasing the awareness of the Internet community.

- ---EXTERNAL RELEASE---EXTERNAL RELEASE---EXTERNAL RELEASE---EXTERNAL
RELEASE---
- --ERS-ALERT--ERS-ALERT--ERS-ALERT--ERS-ALERT--ERS-ALERT--ERS-ALERT--ERS-ALERT--

- -- End Included Advisory --

-----BEGIN PGP SIGNATURE-----
Version: 2.6.2i
Comment: Finger pgp@ftp.auscert.org.au to retrieve AUSCERT's public key

iQCVAwUBMhx7xCh9+71yA2DNAQGktAP8D5SBbZRrdn9vgVzjMO6ZtapWmudSAlm+
QUmYzGebC9AxndCkciZX94CqAfdg/aBJY6i6/Z0+R8DHy1ndABbQ4iGirzot9I2V
TIFUktCvxdifRGR4wTKLHTwFaFdW+b0R2GDhDsF05qf5vKF27qwameQKV0Smo3tA
QpK8oLlQO4s=
=/JYb
-----END PGP SIGNATURE-----


-- 
-------------------------------------------------------------------------------
  "System Administration: It's a dirty job, but someone said I had to do it."
Matthew Aldous : 019339629 : mda@mhri.edu.au : Mental Health Research Institute
-------------------------------------------------------------------------------


-- 
[ route@infonexus.com ]  Editor, Phrack Magazine / Guild Corporation Chair

	       the greatest trick the devil ever pulled was
		   convincing the world he didn't exist



TUCoPS is optimized to look best in Firefox® on a widescreen monitor (1440x900 or better).
Site design & layout copyright © 1986-2014 AOH