- Whilst I know you might not care for security problems on meditation,
- I just wanted to splode over the description of *why* this problem exists.
-
- (If you read section B, it's very mycroftish.)
-
-
- ------------------------------------------------------------------------------
- register char *string; vs. register unsigned char *string;
- ------------------------------------------------------------------------------
-
- Matt
- -----BEGIN PGP SIGNED MESSAGE-----
-
-
- AUSCERT has received the following Alert from the IBM ERS team concerning a
- vulnerability in the GNU "bash" shell. It is passed on for your information.
-
- If you believe that your system has been compromised, contact AUSCERT or your
- representative in FIRST (Forum of Incident Response and Security Teams).
-
- AUSCERT maintains an anonymous FTP service which is found on:
- ftp://ftp.auscert.org.au/pub/. This archive contains past SERT and AUSCERT
- Advisories, and other computer security information.
-
- AUSCERT also maintains a World Wide Web service which is found on:
- http://www.auscert.org.au/.
-
- Internet Email: auscert@auscert.org.au
- Facsimile: (07) 3365 4477
- Telephone: (07) 3365 4417 (International: +61 7 3365 4417)
- AUSCERT personnel answer during Queensland business hours
- which are GMT+10:00 (AEST).
- On call after hours for emergencies.
-
- - -- Begin Included Advisory --
-
- - --ERS-ALERT--ERS-ALERT--ERS-ALERT--ERS-ALERT--ERS-ALERT--ERS-ALERT--ERS-ALERT--
- - ---EXTERNAL RELEASE---EXTERNAL RELEASE---EXTERNAL RELEASE---EXTERNAL RELEASE---
-
- [IBM logo rendered in ASCII art; the layout did not survive extraction]
-
- EMERGENCY RESPONSE SERVICE
- SECURITY VULNERABILITY ALERT
-
- 21 August 1996 13:00 GMT Number: ERS-SVA-E01-1996:004.1
- ===============================================================================
- VULNERABILITY SUMMARY
-
- VULNERABILITY: A variable declaration error in "bash" allows the character
- with value 255 decimal to be used as a command separator.
-
- PLATFORMS: Bash 1.14.6 and earlier versions.
-
- SOLUTION: Apply the patch provided below.
-
- THREAT: When used in environments where users provide strings to be
- used as commands or arguments to commands, "bash" can be
- tricked into executing arbitrary commands.
-
- ===============================================================================
- DETAILED INFORMATION
-
- I. Description
-
- A. Introduction
-
- The GNU Project's Bourne Again SHell ("bash") is a drop-in replacement
- for the UNIX Bourne shell (/bin/sh). It offers the same syntax as the
- standard shell, but also includes additional functionality such as job
- control, command line editing, and history.
-
- Although "bash" can be compiled and installed on almost any UNIX
- platform, its most prevalent use is on "free" versions of UNIX such as
- Linux, where it has been installed as "/bin/sh" (the default shell for
- most uses).
-
- The "bash" source code is freely available from many sites on the
- Internet.
-
- B. Vulnerability Details
-
- There is a variable declaration error in the "yy_string_get()" function
- in the "parser.y" module of the "bash" source code. This function is
- responsible for parsing the user-provided command line into separate
- tokens (commands, special characters, arguments, etc.). The error
- involves the variable "string," which has been declared to be of type
- "char *."
-
- The "string" variable is used to traverse the character string
- containing the command line to be parsed. As characters are retrieved
- from this pointer, they are stored in a variable of type "int." On
- systems/compilers where the "char" type defaults to "signed char", this
- value will be sign-extended when it is assigned to the "int" variable.
- For character code 255 decimal (-1 in two's complement form), this sign
- extension results in the value (-1) being assigned to the integer.
-
- However, (-1) is used in other parts of the parser to indicate the end
- of a command. Thus, the character code 255 decimal (377 octal) will
- serve as an unintended command separator for commands given to "bash"
- via the "-c" option. For example,
-
- bash -c 'ls\377who'
-
- (where "\377" represents the single character with value 255 decimal)
- will execute two commands, "ls" and "who."
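The sign extension described in section B, reduced to a small C program. This is an added example, not bash source: `next_byte` models the byte fetch in "yy_string_get()", widening each byte to "int" either through "signed char" (the 1.14.6 behaviour on compilers where plain "char" is signed) or through "unsigned char" (the patched declaration), and `count_commands` models a parser that ends a command whenever it sees the -1 end marker. `EOF_MARK`, `next_byte`, `widen_first_byte` and `count_commands` are names chosen for this example; the explicit "signed char" cast reproduces the bug even on a host where plain "char" is unsigned.

```c
#include <stdio.h>

/* Added example, not bash source. Models the reader in yy_string_get():
 * each byte is fetched through a pointer, widened to int, and the parser
 * treats -1 as "end of this command". EOF_MARK is a name chosen here. */
#define EOF_MARK (-1)

/* Return the next byte widened to int, or EOF_MARK at the terminating NUL
 * (which is not consumed). as_unsigned == 0 reproduces the 1.14.6 bug:
 * widening through signed char turns byte 0xFF (octal 377) into -1, which
 * the caller cannot tell apart from EOF_MARK. as_unsigned == 1 is the
 * patched behaviour: unsigned char zero-extends, so every byte lands in
 * 0..255 and never equals -1. */
static int next_byte(const char **p, int as_unsigned)
{
    if (**p == '\0')
        return EOF_MARK;
    int c = as_unsigned ? (int)(unsigned char)**p
                        : (int)(signed char)**p;
    (*p)++;
    return c;
}

/* Convenience wrapper: what the first byte of s widens to. */
static int widen_first_byte(const char *s, int as_unsigned)
{
    return next_byte(&s, as_unsigned);
}

/* Count the commands a parser built on next_byte() would see in cmdline:
 * a command ends whenever EOF_MARK comes back, and parsing resumes right
 * after it, exactly as if a separator had been typed. */
static int count_commands(const char *cmdline, int as_unsigned)
{
    const char *p = cmdline;
    int commands = 0, in_cmd = 0;

    for (;;) {
        int c = next_byte(&p, as_unsigned);
        if (c != EOF_MARK) {
            in_cmd = 1;
            continue;
        }
        if (in_cmd) {
            commands++;
            in_cmd = 0;
        }
        if (*p == '\0')
            break;   /* real end of string: next_byte did not advance */
        /* Bug path only: next_byte consumed a 0xFF byte and reported it
         * as EOF_MARK, so the parser starts a second command here. */
    }
    return commands;
}

int main(void)
{
    /* Constructed input: the advisory's example, "ls" <byte 255> "who". */
    const char *cmdline = "ls\377who";

    printf("byte 0xFF widened via signed char:   %d\n", widen_first_byte("\377", 0));
    printf("byte 0xFF widened via unsigned char: %d\n", widen_first_byte("\377", 1));
    printf("signed char reader sees   %d command(s)\n", count_commands(cmdline, 0));
    printf("unsigned char reader sees %d command(s)\n", count_commands(cmdline, 1));
    return 0;
}
```

The point the program makes is that the collision is purely a type issue: nothing about the parser's end-of-command logic changes between the two runs, only whether the byte fetch can ever produce -1 from a real character. That is why the one-word change in the patch below is a complete fix for this reader.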
-
- II. Impact
-
- This unexpected command separator can be dangerous, especially on systems such
- as Linux where "bash" has been installed as "/bin/sh," when a program executes
- a command with a string provided by a user as an argument using the "system()"
- or "popen()" functions (or by calling "/bin/sh -c string" directly).
-
- This is especially true for the CGI programming interface in World Wide Web
- servers, many of which do not strip out characters with value 255 decimal. If
- a user sending data to the server can specify the character code 255 in a
- string that is passed to a shell, and that shell is "bash," the user can
- execute any arbitrary command with the user-id and permissions of the user
- running the server (frequently "root").
-
- The "bash" built-in commands "eval," "source," and "fc" are also potentially
- vulnerable to this problem.
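For the programs section II describes (CGI handlers and anything else that builds a "system()" or "popen()" command from user data), an allowlist check before the string reaches a shell is the practical guard while the shell itself is unpatched. The following is an added example, not code from the advisory; `first_rejected_byte`, `shell_arg_is_safe` and the sample inputs are constructed for it. It goes slightly beyond the advisory's specific case by rejecting every byte at or above 0x80 and every shell metacharacter, not only 0xFF, since stripping a single byte value is too narrow a defence.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

/* Added example, not from the advisory. Before a user-supplied field is
 * handed to system()/popen(), refuse anything outside a small allowlist.
 * Returns the offset of the first rejected byte, or -1 if every byte is
 * acceptable. The function names and the allowlist are chosen here. */
static long first_rejected_byte(const char *s)
{
    /* Punctuation a file name or user name may legitimately contain;
     * deliberately no space and no shell syntax (; | & ` $ ( ) < > etc.). */
    static const char extra_ok[] = "._-@/";

    for (size_t i = 0; s[i] != '\0'; i++) {
        unsigned char c = (unsigned char)s[i];   /* never sign-extend here */
        if (c >= 0x80)                 /* covers 0xFF and all non-ASCII */
            return (long)i;
        if (!isalnum(c) && strchr(extra_ok, (int)c) == NULL)
            return (long)i;            /* space, ';', '|', '`', '$', ... */
    }
    return -1;
}

/* 1 if s may be interpolated into a shell command, 0 otherwise. */
static int shell_arg_is_safe(const char *s)
{
    return first_rejected_byte(s) == -1;
}

int main(void)
{
    /* Constructed inputs: a benign field, the advisory's 0xFF separator,
     * a plain metacharacter, and an embedded space. */
    const char *samples[] = { "report-2024.txt", "ls\377who", "a;b", "x y" };

    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++) {
        long bad = first_rejected_byte(samples[i]);
        if (bad < 0)
            printf("accept: %s\n", samples[i]);
        else
            printf("reject: byte 0x%02x at offset %ld\n",
                   (unsigned char)samples[i][bad], bad);
    }
    return 0;
}
```

A check like this is defence in depth, not a substitute for the patch: the better structural fix for any new code is to run the target program directly with an argument vector rather than through "/bin/sh -c", so that no shell parses the user's bytes at all.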
-
- III. Solutions
-
- A. How to alleviate the problem
-
- This problem can be alleviated by changing the declaration of the
- "string" variable in the "yy_string_get()" function from "char *" to
- "unsigned char *."
-
- B. Official fix from the "bash" maintainers
-
- The "bash" maintainers have told us they plan to fix this problem in
- Version 2.0 of "bash," but this will not be released for at least a few
- more months.
-
- C. Unofficial fix until the official version is released
-
- Until the "bash" maintainers release Version 2.0, this problem can be
- fixed by applying the patch below to the "bash" source code, recompiling
- the program, and installing the new version.
-
- The patch below is for Version 1.14.6 of "bash." Source code for this
- version can be obtained from
-
- ftp://prep.ai.mit.edu/pub/gnu/bash-1.14.6.tar.gz
-
- as well as many other sites around the Internet.
-
- - ---------------------------------- cut here
- ----------------------------------
- *** parse.y.old Thu Nov 2 15:00:51 1995
- - --- parse.y Tue Aug 20 09:16:48 1996
- ***************
- *** 904,910 ****
- static int
- yy_string_get ()
- {
- ! register char *string;
- register int c;
-
- string = bash_input.location.string;
- - --- 904,910 ----
- static int
- yy_string_get ()
- {
- ! register unsigned char *string;
- register int c;
-
- string = bash_input.location.string;
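Review bot: the hunk changes only the pointer's type and leaves `string = bash_input.location.string;` assigning from a field that is presumably still declared `char *`, so compilers that warn on pointer-signedness mismatch will flag this line; an explicit cast, `string = (unsigned char *) bash_input.location.string;`, keeps the fix warning-clean without altering behaviour. The patch also touches only the string-input reader used for `-c`; since the advisory lists "eval", "source" and "fc" as potentially affected, the other input readers in parse.y should be checked for the same char-to-int widening, as this hunk does not cover them.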
- - ---------------------------------- cut here
- ----------------------------------
-
- To apply this patch, save the text between the two "--- cut here ---"
- lines to a file, change directories to the "bash" source directory, and
- issue the command
-
- patch < filename
-
- If you do not have the "patch" program, you can obtain it from
-
- ftp://prep.ai.mit.edu/pub/gnu/patch-2.1.tar.gz
-
- or you can apply the patch by hand.
-
- After applying the patch, recompile and reinstall the "bash" program by
- following the directions in the "INSTALL" file, included as part of the
- "bash" distribution.
-
- This patch is provided "AS IS" without warranty of any kind, including,
- without limitation, any implied warranties of merchantability or fitness
- for a particular purpose. This advisory does not create or imply any
- support obligations or any other liability on the part of IBM or its
- subsidiaries.
-
- IV. Acknowledgements
-
- IBM-ERS would like to thank the IBM Global Security Analysis Laboratory at the
- IBM T. J. Watson Research Center for their discovery of this vulnerability,
- bringing it to our attention, providing the patch to fix it, and assistance in
- developing this alert.
-
- UNIX is a technology trademark of X/Open Company, Ltd.
-
- ===============================================================================
-
- IBM's Internet Emergency Response Service (IBM-ERS) is a subscription-based
- Internet security response service that includes computer security incident
- response and management, regular electronic verification of your Internet
- gateway(s), and security vulnerability alerts similar to this one that are
- tailored to your specific computing environment. By acting as an extension
- of your own internal security staff, IBM-ERS's team of Internet security
- experts helps you quickly detect and respond to attacks and exposures across
- your Internet connection(s).
-
- As a part of IBM's Business Recovery Services organization, the IBM Internet
- Emergency Response Service is a component of IBM's SecureWay(tm) line of
- security products and services. From hardware to software to consulting,
- SecureWay solutions can give you the assurance and expertise you need to
- protect your valuable business resources. To find out more about the IBM
- Internet Emergency Response Service, send an electronic mail message to
- ers-sales@vnet.ibm.com, or call 1-800-742-2493 (Prompt 4).
-
- IBM-ERS maintains a site on the World Wide Web at http://www.ers.ibm.com/.
- Visit the site for information about the service, copies of security alerts,
- team contact information, and other items.
-
- IBM-ERS uses Pretty Good Privacy* (PGP*) as the digital signature mechanism for
- security vulnerability alerts and other distributed information. The IBM-ERS
- PGP* public key is available from http://www.ers.ibm.com/team-info/pgpkey.html.
- "Pretty Good Privacy" and "PGP" are trademarks of Philip Zimmerman.
-
- IBM-ERS is a Member Team of the Forum of Incident Response and Security Teams
- (FIRST), a global organization established to foster cooperation and response
- coordination among computer security teams worldwide.
-
- Copyright 1996 International Business Machines Corporation.
-
- The information in this document is provided as a service to customers of
- the IBM Emergency Response Service. Neither International Business Machines
- Corporation, Integrated Systems Solutions Corporation, nor any of their
- employees, makes any warranty, express or implied, or assumes any legal
- liability or responsibility for the accuracy, completeness, or usefulness of
- any information, apparatus, product, or process contained herein, or
- represents that its use would not infringe any privately owned rights.
- Reference herein to any specific commercial products, process, or service by
- trade name, trademark, manufacturer, or otherwise, does not necessarily
- constitute or imply its endorsement, recommendation or favoring by IBM or
- its subsidiaries. The views and opinions of authors expressed herein do not
- necessarily state or reflect those of IBM or its subsidiaries, and may not be
- used for advertising or product endorsement purposes.
-
- The material in this security alert may be reproduced and distributed,
- without permission, in whole or in part, by other security incident response
- teams (both commercial and non-commercial), provided the above copyright is
- kept intact and due credit is given to IBM-ERS.
-
- This security alert may be reproduced and distributed, without permission,
- in its entirety only, by any person provided such reproduction and/or
- distribution is performed for non-commercial purposes and with the intent of
- increasing the awareness of the Internet community.
-
- - ---EXTERNAL RELEASE---EXTERNAL RELEASE---EXTERNAL RELEASE---EXTERNAL RELEASE---
- - --ERS-ALERT--ERS-ALERT--ERS-ALERT--ERS-ALERT--ERS-ALERT--ERS-ALERT--ERS-ALERT--
-
- - -- End Included Advisory --
-
- -----BEGIN PGP SIGNATURE-----
- Version: 2.6.2i
- Comment: Finger pgp@ftp.auscert.org.au to retrieve AUSCERT's public key
-
- iQCVAwUBMhx7xCh9+71yA2DNAQGktAP8D5SBbZRrdn9vgVzjMO6ZtapWmudSAlm+
- QUmYzGebC9AxndCkciZX94CqAfdg/aBJY6i6/Z0+R8DHy1ndABbQ4iGirzot9I2V
- TIFUktCvxdifRGR4wTKLHTwFaFdW+b0R2GDhDsF05qf5vKF27qwameQKV0Smo3tA
- QpK8oLlQO4s=
- =/JYb
- -----END PGP SIGNATURE-----
-
-
- --
- -------------------------------------------------------------------------------
- "System Administration: It's a dirty job, but someone said I had to do it."
- Matthew Aldous : 019339629 : mda@mhri.edu.au : Mental Health Research Institute
- -------------------------------------------------------------------------------
-
-
- --
- [ route@infonexus.com ] Editor, Phrack Magazine / Guild Corporation Chair
-
- the greatest trick the devil ever pulled was
- convincing the world he didn't exist
-
-