var-201409-0366

Vulnerability from variot

GNU Bash through 4.3 bash43-026 does not properly parse function definitions in the values of environment variables, which allows remote attackers to execute arbitrary code or cause a denial of service (uninitialized memory access, and untrusted-pointer read and write operations) via a crafted environment, as demonstrated by vectors involving the ForceCommand feature in OpenSSH sshd, the mod_cgi and mod_cgid modules in the Apache HTTP Server, scripts executed by unspecified DHCP clients, and other situations in which setting the environment occurs across a privilege boundary from Bash execution. NOTE: this vulnerability exists because of an incomplete fix for CVE-2014-6271 and CVE-2014-7169. This vulnerability CVE-2014-6271 and CVE-2014-7169 Vulnerability due to insufficient fix for.Arbitrary code execution or denial of service by a third party through a crafted environment ( Uninitialized memory access and untrusted pointer read and write operations ) There is a possibility of being put into a state. QNAP Systems, Inc. Provided by QTS teeth, Turbo NAS for OS is. QTS for, GNU Bash Vulnerability (JVNVU#97219505) caused by OS Command injection vulnerability (CWE-78) Exists. This vulnerability information is based on the Information Security Early Warning Partnership. IPA Report to JPCERT/CC Coordinated with the developer. Reporter : University of Electro-Communications Wakisaka Yuki MrAny application permission OS The command may be executed. An attacker can exploit this issue to execute arbitrary code within the context of the affected application. Failed exploit attempts will result in a denial-of-service condition.

This vulnerability allows users that have been granted access to a shell script to escalate privilege and execute unrestricted commands at the same security level as the Bash script. HP Integrity Superdome X and HP Converged System 900 for SAP HANA 5.50.12

BACKGROUND

CVSS 2.0 Base Metrics

Reference Base Vector Base Score CVE-2014-0224 (AV:N/AC:M/Au:N/C:P/I:P/A:P) 6.8 CVE-2014-6271 (AV:N/AC:L/Au:N/C:C/I:C/A:C) 10.0 CVE-2014-6277 (AV:N/AC:L/Au:N/C:C/I:C/A:C) 10.0 CVE-2014-6278 (AV:N/AC:L/Au:N/C:C/I:C/A:C) 10.0 CVE-2014-7169 (AV:N/AC:L/Au:N/C:C/I:C/A:C) 10.0 =========================================================== Information on CVSS is documented in HP Customer Notice: HPSN-2008-002

RESOLUTION

HP has released the following firmware updates to HP Integrity Superdome X and HP ConvergedSystem 900 for SAP HANA 5.50.12 to resolve these vulnerabilities:

The firmware upgrade for HP Integrity Superdome X and HP Converged System 900 for SAP HANA 5.73.0 is not directly available to customers. Customers who need to upgrade the firmware of their Superdome X or HP Converged System 900 for SAP HANA should contact HP Technical Support to obtain the firmware or plan to schedule an onsite visit with an HP Services field service professional.

NOTE: HP strongly recommends implementing the following security best practices to help reduce both known and future security vulnerability risks:

Isolate the HP Superdome X or HP Converged System 900 for SAP HANA's management network by keeping it separate from the data or production network, and not connecting it directly to the Internet without additional access authentication. Patch and maintain Lightweight Directory Access Protocol (LDAP) and web servers. Use virus scanners, intrusion detection/prevention systems (IDS/IPS), and vulnerability scanners regularly. ============================================================================ Ubuntu Security Notice USN-2380-1 October 09, 2014

bash vulnerabilities

A security issue affects these releases of Ubuntu and its derivatives:

Ubuntu 14.04 LTS
Ubuntu 12.04 LTS
Ubuntu 10.04 LTS

Summary:

Several security issues were fixed in Bash.

Software Description: - bash: GNU Bourne Again SHell

Details:

Michal Zalewski discovered that Bash incorrectly handled parsing certain function definitions. If an attacker were able to create an environment variable containing a function definition with a very specific name, these issues could possibly be used to bypass certain environment restrictions and execute arbitrary code. (CVE-2014-6277, CVE-2014-6278)

Please note that the previous Bash security update, USN-2364-1, includes a hardening measure that prevents these issues from being used in a Shellshock attack.

Update instructions:

The problem can be corrected by updating your system to the following package versions:

Ubuntu 14.04 LTS: bash 4.3-7ubuntu1.5

Ubuntu 12.04 LTS: bash 4.2-2ubuntu2.6

Ubuntu 10.04 LTS: bash 4.1-2ubuntu3.5

In general, a standard system update will make all the necessary changes.

References: http://www.ubuntu.com/usn/usn-2380-1 CVE-2014-6277, CVE-2014-6278

Package Information: https://launchpad.net/ubuntu/+source/bash/4.3-7ubuntu1.5 https://launchpad.net/ubuntu/+source/bash/4.2-2ubuntu2.6 https://launchpad.net/ubuntu/+source/bash/4.1-2ubuntu3.5 . This bulletin will be revised when the updates are available.

MITIGATION INFORMATION

HP recommends the following steps to reduce the risk of this vulnerability:

- The "ssh" or "telnet" features may be disabled by the admin user. All

MDS and Nexus 5K switches can function in this configuration. Access is available through the console port. Good morning! This is kinda long.

== Background ==

If you are not familiar with the original bash function export vulnerability (CVE-2014-6271), you may want to have a look at this article:

http://lcamtuf.blogspot.com/2014/09/quick-notes-about-bash-bug-its-impact.html

Well, long story short: the initial maintainer-provided patch for this issue [1] (released on September 24) is conclusively broken.

After nagging people to update for a while [5] [7], I wanted to share the technical details of two previously non-public issues which may be used to circumvent the original patch: CVE-2014-6277 and CVE-2014-6278.

Note that the issues discussed here are separate from the three probably less severe problems publicly disclosed earlier on: Tavis' limited-exploitability EOL bug (CVE-2014-7169) and two likely non-exploitable one-off issues found by Florian Weimer and Todd Sabin (CVE-2014-7186 and CVE-2014-7187).

== Required actions ==

If you have installed just the September 24 patch [1], or that and the follow-up September 26 patch for CVE-2014-7169 [2], you are likely still vulnerable to RCE and need to update ASAP, as discussed in [5].

You are safe if you have installed the unofficial function prefix patch from Florian Weimer [3], or its upstream variant released on September 28 [4]. The patch does not eliminate the problems, but shields the underlying parser from untrusted inputs under normal circumstances.

Note: over the past few days, Florian's patch has been picked up by major Linux distros (Red Hat, Debian, SUSE, etc), so there is a reasonable probability that you are in good shape. To test, execute this command from within a bash shell:

foo='() { echo not patched; }' bash -c foo

If you see "not patched", you probably want upgrade immediately. If you see "bash: foo: command not found", you're OK.

== Vulnerability details: CVE-2014-6277 (the more involved one) ==

The following function definition appearing in the value of any environmental variable passed to bash will lead to an attempt to dereference attacker-controlled pointers (provided that the targeted instance of bash is protected only with the original patches [1][2] and does not include Florian's fix):

() { x() { ; }; x() { ; } <<a; }

A more complete example leading to a deref of 0x41414141 would be:

HTTP_COOKIE="() { x() { ; }; x() { ; } <<perl -e '{print "A"x1000}'; }" bash -c :

bash[25662]: segfault at 41414141 ip 00190d96 sp bfbe6354 error 4 in libc-2.12.so[110000+191000]

(If you are seeing 0xdfdfdfdf, see note later on).

The issue is caused by an uninitialized here_doc_eof field in a REDIR struct originally created in make_redirection(). The initial segv will happen due to an attempt to read and then copy a string to a new buffer through a macro that expands to:

strcpy (xmalloc (1 + strlen (redirect->here_doc_eof)), (redirect->here_doc_eof))

This appears to be exploitable in at least one way: if here_doc_eof is chosen by the attacker to point in the vicinity of the current stack pointer, the apparent contents of the string - and therefore its length - may change between stack-based calls to xmalloc() and strcpy() as a natural consequence of an attempt to pass parameters and create local variables. Such a mid-macro switch will result in an out-of-bounds write to the newly-allocated memory.

A simple conceptual illustration of this attack vector would be:

-- snip! -- char* result; int len_alloced;

main(int argc, char** argv) {

/ The offset will be system- and compiler-specific /; char* ptr = &ptr - 9;

result = strcpy (malloc(100 + (len_alloced = strlen(ptr))), ptr);

printf("requested memory = %d\n" "copied text = %d\n", len_alloced + 1, strlen(result) + 1);

} -- snip! --

When compiled with the -O2 flag used for bash, on one test system, this produces:

requested memory = 2 copied text = 28

This can lead to heap corruption, with multiple writes possible per payload by simply increasing the number of malformed here-docs. The consequences should be fairly clear.

[ There is also a latter call to free() on here_doc_eof in dispose_cmd.c, but because of the simultaneous discovery of the much simpler bug '78 discussed in the next section, I have not spent a whole lot of time trying to figure out how to get to that path. ]

Perhaps notably, the ability to specify attacker-controlled addresses hinges on the state of --enable-bash-malloc and --enable-mem-scramble compile-time flags; if both are enabled, the memory returned by xmalloc() will be initialized to 0xdf, making the prospect of exploitation more speculative (essentially depending on whether the stack or any other memory region can be grown to overlap with 0xdfdfdfdf). That said, many Linux distributions disable one or both flags and are vulnerable out-of-the-box. It is also of note that relatively few distributions compile bash as PIE, so there is little consolation to be found in ASLR.

Similarly to the original vulnerability, this issue can be usually triggered remotely through web servers such as Apache (provided that they invoke CGI scripts or PHP / Python / Perl / C / Java servlets that rely on system() or popen()-type libcalls); through DHCP clients; and through some MUAs and MTAs. For a more detailed discussion of the exposed attack surface, refer to [6].

== Vulnerability details: CVE-2014-6278 (the "back to the '90s" one) ==

The following function definition appearing in the value of any environmental variable passed to bash 4.2 or 4.3 will lead to straightforward put-your-command-here RCE (again, provided that the targeted instance is not protected with Florian's patch):

() { ; } >[$($())] { echo hi mom; id; }

A complete example looks like this:

HTTP_COOKIE='() { ; } >[$($())] { echo hi mom; id; }' bash -c :

...or:

GET /some/script.cgi HTTP/1.0 User-Agent: () { ; } >[$($())] { id >/tmp/hi_mom; }

Note that the PoC does not work as-is in more ancient versions of bash, such as 2.x or 3.x; it might have been introduced with xparse_dolparen() starting with bash 4.2 patch level 12 few years back, but I have not investigated this in a lot of detail. Florian's patch is strongly recommended either way.

The attack surface through which this flaw may be triggered is roughly similar to that for CVE-2014-6277 and the original bash bug [6].

== Additional info ==

Both of these issues were identified in an automated fashion with american fuzzy lop:

https://code.google.com/p/american-fuzzy-lop

The out-of-the-box fuzzer was seeded with a minimal valid function definition ("() { foo() { foo; }; >bar; }") and allowed to run for a couple of hours on a single core.

In addition to the issues discussed above, the fuzzer also hit three of the four previously-reported CVEs.

I initially shared the findings privately with vendors, but because of the intense scrutiny that this codebase is under, the ease of reproducing these results with an open-source fuzzer, and the now-broad availability of upstream mitigations, there seems to be relatively little value in continued secrecy.

== References ==

[1] http://ftp.gnu.org/gnu/bash/bash-4.3-patches/bash43-025 [2] http://ftp.gnu.org/gnu/bash/bash-4.3-patches/bash43-026 [3] http://www.openwall.com/lists/oss-security/2014/09/25/13 [4] http://ftp.gnu.org/gnu/bash/bash-4.3-patches/bash43-027 [5] http://lcamtuf.blogspot.com/2014/09/bash-bug-apply-unofficial-patch-now.html [6] http://lcamtuf.blogspot.com/2014/09/quick-notes-about-bash-bug-its-impact.html [7] http://www.pcworld.com/article/2688932/improved-patch-tackles-new-shellshock-attack-vectors.html

PS. There are no other bugs in bash.

--------- FOLLOW UP -----------

Date: Wed, 01 Oct 2014 07:32:57 -0700 From fulldisclosure-bounces@seclists.org Wed Oct 1 14:37:33 2014 From: Paul Vixie paul@redbarn.org To: Michal Zalewski lcamtuf@coredump.cx Cc: "fulldisclosure@seclists.org" fulldisclosure@seclists.org Subject: Re: [FD] the other bash RCEs (CVE-2014-6277 and CVE-2014-6278)

michal, thank you for your incredibly informative report here. i have a minor correction.

Michal Zalewski lcamtuf@coredump.cx Wednesday, October 01, 2014 7:21 AM ...

Note: over the past few days, Florian's patch has been picked up by major Linux distros (Red Hat, Debian, SUSE, etc), so there is a reasonable probability that you are in good shape. To test, execute this command from within a bash shell:

foo='() { echo not patched; }' bash -c foo

this command need not be executed from within bash. the problem occurs when bash is run by the command, and the shell that runs the command can be anything. for example, on a system where i have deliberately not patched bash, where sh is "ash" (almquist shell):

$ foo='() { echo not patched; }' bash -c foo not patched

here's me testing it from within tcsh:

% env foo='() { echo not patched; }' bash -c foo not patched % (setenv foo '() { echo not patched; }'; bash -c foo) not patched

this is a minor issue, but i've found in matters of security bug reports, tests, and discussions, that any minor matter can lead to deep misunderstanding.

thanks again for your excellent report, and your continuing work on this issue.

vixie

Open the PXE Configuration Utility on the HP Insight Control server deployment window Select Linux Managed from the Boot Menu options Click the Edit button. Clicking the Edit button displays the Edit Shared Menu Option window Uncheck the x86 option in Operating System and Processor Options and click OK. -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1

Note: the current version of the following document is available here: https://h20564.www2.hp.com/portal/site/hpsc/public/kb/ docDisplay?docId=emr_na-c04512907

SUPPORT COMMUNICATION - SECURITY BULLETIN

Document ID: c04512907 Version: 1

HPSBMU03217 rev.1 - HP Vertica Analytics Platform running Bash Shell, Remote Code Execution

NOTICE: The information in this Security Bulletin should be acted upon as soon as possible.

Release Date: 2014-12-16 Last Updated: 2014-12-16

Potential Security Impact: Remote code execution

Source: Hewlett-Packard Company, HP Software Security Response Team

VULNERABILITY SUMMARY A potential security vulnerability has been identified with HP Vertica.

References:

CVE-2014-6271 CVE-2014-6277 CVE-2014-6278 CVE-2014-7169 CVE-2014-7186 CVE-2014-7187 SSRT101827

SUPPORTED SOFTWARE VERSIONS*: ONLY impacted versions are listed.

HP Vertica AMI's and Virtual Machines prior to v7.1.1-0.

BACKGROUND

HP Vertica AMI's and Virtual Machines prior to v7.1.1-0 include a vulnerable version of the Bash shell.

CVSS 2.0 Base Metrics

Reference Base Vector Base Score CVE-2014-6271 (AV:N/AC:L/Au:N/C:C/I:C/A:C) 10.0 CVE-2104-6277 (AV:N/AC:L/Au:N/C:C/I:C/A:C) 10.0 CVE-2104-6278 (AV:N/AC:L/Au:N/C:C/I:C/A:C) 10.0 CVE-2014-7169 (AV:N/AC:L/Au:N/C:C/I:C/A:C) 10.0 CVE-2014-7186 (AV:N/AC:L/Au:N/C:C/I:C/A:C) 10.0 CVE-2014-7187 (AV:N/AC:L/Au:N/C:C/I:C/A:C) 10.0 =========================================================== Information on CVSS is documented in HP Customer Notice: HPSN-2008-002

RESOLUTION

We recommend installing Vertica v7.1.1-0 or subsequent, or manually installing a new version of Bash, such as Bash43-027.

HP has released the following updates to resolve this vulnerability for HP Vertica products.

Update to the latest VM image available at: https://my.vertica.com

For customers using the AMI version HP Vertica Analytics platform, please install the latest image available at Amazon.

HISTORY Version:1 (rev.1) - 16 December 2014 Initial release

Support: For further information, contact normal HP Services support channel.

Report: To report a potential security vulnerability with any HP supported product, send Email to: security-alert@hp.com It is strongly recommended that security related information being communicated to HP be encrypted using PGP, especially exploit information. To get the security-alert PGP key, please send an e-mail message as follows: To: security-alert@hp.com Subject: get key

Subscribe: To initiate a subscription to receive future HP Security Bulletins via Email: http://h30046.www3.hp.com/driverAlertProfile.php?regioncode=NA&langcode=USENG &jumpid=in_SC-GEN__driverITRC&topiccode=ITRC On the web page: ITRC security bulletins and patch sign-up Under Step1: your ITRC security bulletins and patches - check ALL categories for which alerts are required and continue. Under Step2: your ITRC operating systems - verify your operating system selections are checked and save.

To update an existing subscription: http://h30046.www3.hp.com/subSignIn.php Log in on the web page: Subscriber's choice for Business: sign-in. On the web page: Subscriber's Choice: your profile summary - use Edit Profile to update appropriate sections.

To review previously published Security Bulletins visit: http://www.itrc.hp.com/service/cki/secBullArchive.do

The Software Product Category that this Security Bulletin relates to is represented by the 5th and 6th characters of the Bulletin number in the title: GN = HP General SW MA = HP Management Agents MI = Misc. 3rd Party SW

MP = HP MPE/iX NS = HP NonStop Servers OV = HP OpenVMS

PI = HP Printing & Imaging ST = HP Storage SW TL = HP Trusted Linux

TU = HP Tru64 UNIX UX = HP-UX VV = HP VirtualVault

System management and security procedures must be reviewed frequently to maintain system integrity. HP is continually reviewing and enhancing the security features of software products to provide customers with current secure solutions.

"HP is broadly distributing this Security Bulletin in order to bring to the attention of users of the affected HP products the important security information contained in this Bulletin. HP recommends that all users determine the applicability of this information to their individual situations and take appropriate action. HP does not warrant that this information is necessarily accurate or complete for all user situations and, consequently, HP will not be responsible for any damages resulting from user's use or disregard of the information provided in this Bulletin. To the extent permitted by law, HP disclaims all warranties, either express or implied, including the warranties of merchantability and fitness for a particular purpose, title and non-infringement."

Hewlett-Packard Company shall not be liable for technical or editorial errors or omissions contained herein. The information provided is provided "as is" without warranty of any kind. To the extent permitted by law, neither HP or its affiliates, subcontractors or suppliers will be liable for incidental, special or consequential damages including downtime cost; lost profits; damages relating to the procurement of substitute products or services; or damages for loss of data, or software restoration. The information in this document is subject to change without notice. Hewlett-Packard Company and the names of Hewlett-Packard products referenced herein are trademarks of Hewlett-Packard Company in the United States and other countries. Other product and company names mentioned herein may be trademarks of their respective owners.

-----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.13 (GNU/Linux)

iEYEARECAAYFAlSQq8cACgkQ4B86/C0qfVnhRQCeLX48R9EljRJ6FS+FOzGvUTZK tBsAnjZjWjJ7/Ua7ykToRbGpQQeKVZEW =Xllu -----END PGP SIGNATURE----- . Note: All versions of HP Thin Pro and HP Smart Zero Core operating systems prior to version 5.1.0 are affected by these vulnerabilities. Following is a complete list of affected operating systems and Hardware Platforms Affected.

Product Affected Product Versions Patch Status

HP ThinPro and HP Smart Zero Core (X86) v5.1.0 and above No update required; the Bash shell patch is incorporated into the base image.

Note: If you participated in the ThinPro 5.1.0 beta program then upgrade to the release version as soon as it becomes available.

HP ThinPro and HP Smart Zero Core (x86) v5.0.x A component update is currently available through Easy Update as: SecurityUpdate-Shellshock-2.0-all-5.0-x86.xar .