On 10/28/20 1:11 PM, Rachel Alderman wrote:
> Hi Bash Maintainers,
>
> I've been made aware of a GNU Bash profile code execution vulnerability
> https://exchange.xforce.ibmcloud.com/vulnerabilities/173116 reported last
> December (2019-12-16)
>
> Description: GNU Bash could allow a remote attacker to execute arbitrary
> code on the system, caused by improper access control by the Bash profile.
> By persuading a victim to open the Bash terminal, an attacker could
> exploit this vulnerability to execute arbitrary code on the system.
> https://packetstormsecurity.com/files/155687
>
> CVSS Base Score: 8.8
> CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H)
>
> There is no CVE identifier associated with the vulnerability and I've been
> unable to determine whether there is a remediation available. Is anyone
> aware of this vulnerability and where it may be tracked in Gnu Bash?
I looked at your links. It seems this is a metasploit module of type "payload". Metasploit modules come in different types:

- exploit: use a vulnerability to break into a system
- payload: once the exploit is successful, inject shellcode into the system to do something malicious

This specific payload uses a benevolent feature of GNU bash, subverted to evil purposes: the ability to run initialization commands when opening the terminal. In this case, the initialization command is a malware payload.

There is no code execution vulnerability here; bash is a program that exists solely to perform code execution, and you are supposed to treat your bash profile as security-sensitive.

There is no way for an attacker to exploit this over the network. Bash does not read a profile from the network, and the profile is not accessible over the network. An attacker would need to first log in to your system with full privileges in order to install the malware. The malware would then run locally.

Of course, any malware might itself contain a service to communicate over the network and receive updated attack instructions or open a backdoor. But this does not mean Bash itself is vulnerable to network attacks...

In short: The IBM X-Force Exchange entry is completely incorrect and misunderstood the packetstorm link. The entry should be withdrawn entirely.

-- 
Eli Schwartz
Arch Linux Bug Wrangler and Trusted User
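The reply above makes the defender's point: the profile is not a remote attack surface, but it is security-sensitive, so the thing to watch is who can write to it and whether it has changed. The script below is an added example written for this page; it is not from the thread, from GNU bash, or from Metasploit. It assumes a POSIX sh with ls, awk, cut, id and cksum (sha256sum is used when present), and the list of startup files in DEFAULT_STARTUP_FILES is an illustrative assumption to adjust per system. It flags startup files that are writable by group or others, or owned by someone other than the caller or root, and it records and verifies a content baseline so an unexpected edit to a profile is noticed.

```shell
#!/bin/sh
# Added example (not part of the original thread): audit bash startup files
# for risky ownership/permissions and for content changes against a baseline.
# Assumes POSIX sh plus ls, awk, cut, id, cksum; uses sha256sum if available.

# Files bash may read at startup. This list is an assumption for illustration.
DEFAULT_STARTUP_FILES="/etc/profile /etc/bash.bashrc ${HOME:-/root}/.bash_profile \
${HOME:-/root}/.bash_login ${HOME:-/root}/.profile ${HOME:-/root}/.bashrc \
${HOME:-/root}/.bash_logout"

# file_digest FILE: print a content digest (sha256 if available, else the
# POSIX cksum CRC, which detects accidental change but is not cryptographic).
file_digest() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | cut -d' ' -f1
    else
        cksum "$1" | cut -d' ' -f1
    fi
}

# check_perms FILE: return 0 if FILE is absent, or is owned by the caller or
# root and not writable by group/others; otherwise print findings, return 1.
check_perms() {
    file=$1
    [ -e "$file" ] || return 0          # a missing startup file is not a finding
    entry=$(ls -ld "$file")
    mode=$(printf '%s\n' "$entry" | cut -c1-10)
    gw=$(printf '%s\n' "$mode" | cut -c6)   # group write bit in ls -l mode string
    ow=$(printf '%s\n' "$mode" | cut -c9)   # other write bit
    owner=$(printf '%s\n' "$entry" | awk '{print $3}')
    me=$(id -un)
    cp_rc=0
    if [ "$gw" = "w" ] || [ "$ow" = "w" ]; then
        printf 'FINDING %s: writable by group/other (%s)\n' "$file" "$mode"
        cp_rc=1
    fi
    if [ "$owner" != "$me" ] && [ "$owner" != "root" ]; then
        printf 'FINDING %s: owned by %s, not %s or root\n' "$file" "$owner" "$me"
        cp_rc=1
    fi
    return $cp_rc
}

# audit_startup_files FILE...: run check_perms over each file; 0 if no findings.
audit_startup_files() {
    audit_rc=0
    for f in "$@"; do
        check_perms "$f" || audit_rc=1
    done
    return $audit_rc
}

# record_baseline BASELINE FILE...: write "digest path" lines for existing files.
record_baseline() {
    base=$1; shift
    : > "$base"
    for f in "$@"; do
        [ -e "$f" ] || continue
        printf '%s %s\n' "$(file_digest "$f")" "$f" >> "$base"
    done
}

# check_baseline BASELINE: 0 if every recorded file is unchanged, else print
# each changed or missing file and return 1.
check_baseline() {
    base=$1
    cb_rc=0
    while read -r digest path; do
        if [ ! -e "$path" ]; then
            printf 'FINDING %s: in baseline but missing\n' "$path"
            cb_rc=1
        elif [ "$(file_digest "$path")" != "$digest" ]; then
            printf 'FINDING %s: content changed since baseline\n' "$path"
            cb_rc=1
        fi
    done < "$base"
    return $cb_rc
}

# Usage (constructed): "sh audit.sh run" audits the default list and, if a
# baseline file exists next to it, verifies it; otherwise it records one.
if [ "${1:-}" = "run" ]; then
    audit_startup_files $DEFAULT_STARTUP_FILES && echo "permissions: OK"
    if [ -f "${HOME:-/root}/.startup_baseline" ]; then
        check_baseline "${HOME:-/root}/.startup_baseline" && echo "baseline: OK"
    else
        record_baseline "${HOME:-/root}/.startup_baseline" $DEFAULT_STARTUP_FILES
        echo "baseline recorded"
    fi
fi
```

Run it once to record the baseline, then periodically (for example from a cron job or a login hook that runs before the profile itself) to detect a profile that became group/world-writable or whose content changed. A mismatch is a prompt to inspect the file, not proof of compromise: legitimate edits also change the digest, so re-record the baseline after intended changes.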