Package: bash
Version: 1.14.6-4

I've confirmed that this is a problem on i386.

>Date: Thu, 22 Aug 1996 15:35:51 -0400 (EDT)
>From: Brian Mitchell <[EMAIL PROTECTED]>
>To: Best of Security <[EMAIL PROTECTED]>
>Subject: BoS: BUG in /bin/bash (fwd)
>
>Brian Mitchell
>[EMAIL PROTECTED]
>"I never give them hell. I just tell the truth and they think it's hell"
>- H. Truman
>
>--ERS-ALERT--ERS-ALERT--ERS-ALERT--ERS-ALERT--ERS-ALERT--ERS-ALERT--ERS-ALERT--
>---EXTERNAL RELEASE---EXTERNAL RELEASE---EXTERNAL RELEASE---EXTERNAL RELEASE---
>
>                         EMERGENCY RESPONSE SERVICE
>                       SECURITY VULNERABILITY ALERT
>
>21 August 1996 13:00 GMT                       Number: ERS-SVA-E01-1996:004.1
>===============================================================================
>                           VULNERABILITY SUMMARY
>
>VULNERABILITY:  A variable declaration error in "bash" allows the character
>                with value 255 decimal to be used as a command separator.
>
>PLATFORMS:      Bash 1.14.6 and earlier versions.
>
>SOLUTION:       Apply the patch provided below.
>
>THREAT:         When used in environments where users provide strings to be
>                used as commands or arguments to commands, "bash" can be
>                tricked into executing arbitrary commands.
>
>===============================================================================
>                           DETAILED INFORMATION
>
>I. Description
>
>   A. Introduction
>
>      The GNU Project's Bourne Again SHell ("bash") is a drop-in replacement
>      for the UNIX Bourne shell (/bin/sh). It offers the same syntax as the
>      standard shell, but also includes additional functionality such as job
>      control, command line editing, and history.
>
>      Although "bash" can be compiled and installed on almost any UNIX
>      platform, its most prevalent use is on "free" versions of UNIX such as
>      Linux, where it has been installed as "/bin/sh" (the default shell for
>      most uses).
>
>      The "bash" source code is freely available from many sites on the
>      Internet.
>
>   B. Vulnerability Details
>
>      There is a variable declaration error in the "yy_string_get()" function
>      in the "parser.y" module of the "bash" source code. This function is
>      responsible for parsing the user-provided command line into separate
>      tokens (commands, special characters, arguments, etc.). The error
>      involves the variable "string," which has been declared to be of type
>      "char *."
>
>      The "string" variable is used to traverse the character string
>      containing the command line to be parsed. As characters are retrieved
>      from this pointer, they are stored in a variable of type "int." On
>      systems/compilers where the "char" type defaults to "signed char", this
>      value will be sign-extended when it is assigned to the "int" variable.
>      For character code 255 decimal (-1 in two's complement form), this sign
>      extension results in the value (-1) being assigned to the integer.
>
>      However, (-1) is used in other parts of the parser to indicate the end
>      of a command. Thus, the character code 255 decimal (377 octal) will
>      serve as an unintended command separator for commands given to "bash"
>      via the "-c" option. For example,
>
>          bash -c 'ls\377who'
>
>      (where "\377" represents the single character with value 255 decimal)
>      will execute two commands, "ls" and "who."
>
>II. Impact
>
>This unexpected command separator can be dangerous, especially on systems such
>as Linux where "bash" has been installed as "/bin/sh," when a program executes
>a command with a string provided by a user as an argument using the "system()"
>or "popen()" functions (or by calling "/bin/sh -c string" directly).
>
>This is especially true for the CGI programming interface in World Wide Web
>servers, many of which do not strip out characters with value 255 decimal. If
>a user sending data to the server can specify the character code 255 in a
>string that is passed to a shell, and that shell is "bash," the user can
>execute any arbitrary command with the user-id and permissions of the user
>running the server (frequently "root").
>
>The "bash" built-in commands "eval," "source," and "fc" are also potentially
>vulnerable to this problem.
>
>III. Solutions
>
>   A. How to alleviate the problem
>
>      This problem can be alleviated by changing the declaration of the
>      "string" variable in the "yy_string_get()" function from "char *" to
>      "unsigned char *."
>
>   B. Official fix from the "bash" maintainers
>
>      The "bash" maintainers have told us they plan to fix this problem in
>      Version 2.0 of "bash," but this will not be released for at least a few
>      more months.
>
>   C. Unofficial fix until the official version is released
>
>      Until the "bash" maintainers release Version 2.0, this problem can be
>      fixed by applying the patch below to the "bash" source code, recompiling
>      the program, and installing the new version.
>
>      The patch below is for Version 1.14.6 of "bash." Source code for this
>      version can be obtained from
>
>          ftp://prep.ai.mit.edu/pub/gnu/bash-1.14.6.tar.gz
>
>      as well as many other sites around the Internet.
>
>---------------------------------- cut here ----------------------------------
>*** parse.y.old Thu Nov 2 15:00:51 1995
>--- parse.y Tue Aug 20 09:16:48 1996
>***************
>*** 904,910 ****
> static int
> yy_string_get ()
> {
>! register char *string;
> register int c;
>
> string = bash_input.location.string;
>--- 904,910 ----
> static int
> yy_string_get ()
> {
>! register unsigned char *string;
> register int c;
>
> string = bash_input.location.string;
>---------------------------------- cut here ----------------------------------
>
>      To apply this patch, save the text between the two "--- cut here ---"
>      lines to a file, change directories to the "bash" source directory, and
>      issue the command
>
>          patch < filename
>
>      If you do not have the "patch" program, you can obtain it from
>
>          ftp://prep.ai.mit.edu/pub/gnu/patch-2.1.tar.gz
>
>      or you can apply the patch by hand.
>
>      After applying the patch, recompile and reinstall the "bash" program by
>      following the directions in the "INSTALL" file, included as part of the
>      "bash" distribution.
>
>      This patch is provided "AS IS" without warranty of any kind, including,
>      without limitation, any implied warranties of merchantability or fitness
>      for a particular purpose. This advisory does not create or imply any
>      support obligations or any other liability on the part of IBM or its
>      subsidiaries.
>
>IV. Acknowledgements
>
>IBM-ERS would like to thank the IBM Global Security Analysis Laboratory at the
>IBM T. J. Watson Research Center for their discovery of this vulnerability,
>bringing it to our attention, providing the patch to fix it, and assistance in
>developing this alert.
>
>UNIX is a technology trademark of X/Open Company, Ltd.
>
>===============================================================================
>
>IBM's Internet Emergency Response Service (IBM-ERS) is a subscription-based
>Internet security response service that includes computer security incident
>response and management, regular electronic verification of your Internet
>gateway(s), and security vulnerability alerts similar to this one that are
>tailored to your specific computing environment.
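Review bot: the hunk changes only the declaration, so the assignment it also shows, `string = bash_input.location.string;`, now stores a plain `char *` (the type the description above gives for the original) into an `unsigned char *` with no cast; pedantic compilers report a pointer signedness mismatch there, so `string = (unsigned char *)bash_input.location.string;` would keep the build clean. The fix itself is right for the bug described: a character fetched through an `unsigned char *` widens into the `int c` as 0..255, so byte 0377 arrives as 255 instead of the -1 the parser treats as end of command. Two smaller points: the file header names `parse.y` while the description above calls the module `parser.y`, so apply the patch to `parse.y`; and because the advisory says `eval`, `source` and `fc` are potentially affected too, any other input routine in the same file that reads through a plain `char *` needs the same one-word change, which this hunk does not cover.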
>By acting as an extension of your own internal security staff, IBM-ERS's team
>of Internet security experts helps you quickly detect and respond to attacks
>and exposures across your Internet connection(s).
>
>As a part of IBM's Business Recovery Services organization, the IBM Internet
>Emergency Response Service is a component of IBM's SecureWay(tm) line of
>security products and services. From hardware to software to consulting,
>SecureWay solutions can give you the assurance and expertise you need to
>protect your valuable business resources. To find out more about the IBM
>Internet Emergency Response Service, send an electronic mail message to
>[EMAIL PROTECTED], or call 1-800-742-2493 (Prompt 4).
>
>IBM-ERS maintains a site on the World Wide Web at http://www.ers.ibm.com/.
>Visit the site for information about the service, copies of security alerts,
>team contact information, and other items.
>
>IBM-ERS uses Pretty Good Privacy* (PGP*) as the digital signature mechanism
>for security vulnerability alerts and other distributed information. The
>IBM-ERS PGP* public key is available from
>http://www.ers.ibm.com/team-info/pgpkey.html.
>"Pretty Good Privacy" and "PGP" are trademarks of Philip Zimmerman.
>
>IBM-ERS is a Member Team of the Forum of Incident Response and Security Teams
>(FIRST), a global organization established to foster cooperation and response
>coordination among computer security teams worldwide.
>
>Copyright 1996 International Business Machines Corporation.
>
>The information in this document is provided as a service to customers of
>the IBM Emergency Response Service. Neither International Business Machines
>Corporation, Integrated Systems Solutions Corporation, nor any of their
>employees, makes any warranty, express or implied, or assumes any legal
>liability or responsibility for the accuracy, completeness, or usefulness of
>any information, apparatus, product, or process contained herein, or
>represents that its use would not infringe any privately owned rights.
>Reference herein to any specific commercial products, process, or service by
>trade name, trademark, manufacturer, or otherwise, does not necessarily
>constitute or imply its endorsement, recommendation or favoring by IBM or
>its subsidiaries. The views and opinions of authors expressed herein do not
>necessarily state or reflect those of IBM or its subsidiaries, and may not be
>used for advertising or product endorsement purposes.
>
>The material in this security alert may be reproduced and distributed,
>without permission, in whole or in part, by other security incident response
>teams (both commercial and non-commercial), provided the above copyright is
>kept intact and due credit is given to IBM-ERS.
>
>This security alert may be reproduced and distributed, without permission,
>in its entirety only, by any person provided such reproduction and/or
>distribution is performed for non-commercial purposes and with the intent of
>increasing the awareness of the Internet community.
>
>---EXTERNAL RELEASE---EXTERNAL RELEASE---EXTERNAL RELEASE---EXTERNAL RELEASE---
>--ERS-ALERT--ERS-ALERT--ERS-ALERT--ERS-ALERT--ERS-ALERT--ERS-ALERT--ERS-ALERT--

-- 
Shields, CrossLink.
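The sign-extension mechanism the advisory describes in section I.B, and the "unsigned char *" fix from section III, reduced to a runnable model. This is an added example, not code from the advisory, from bash, or from the bug reporter: the getter functions mimic the shape of yy_string_get() (a pointer walked one byte at a time, each byte widened into an int, -1 meaning end of input), the surrounding toy parser, struct names, TOY_EOF and safe_for_shell() are assumptions made for illustration, and the input string is constructed to match the advisory's `ls\377who` case. The buggy getter uses `signed char` explicitly rather than plain `char`, so the bug reproduces on every platform and not only where `char` happens to be signed.

```c
/* Added example, not code from the advisory or from bash: a miniature model
 * of bash 1.14.6's yy_string_get() input getter showing why byte 0377 (255)
 * acts as a command separator when characters are read through a signed
 * char pointer, and why the advisory's one-line patch (unsigned char *)
 * fixes it. Names other than yy_string_get/bash_input are assumptions. */
#include <ctype.h>
#include <stdio.h>
#include <string.h>

#define TOY_EOF  (-1)      /* the parser's end-of-command sentinel */
#define MAX_CMDS 8
#define MAX_LEN  64

struct toy_input {         /* stand-in for bash_input.location.string */
    const char *string;
};

/* Buggy getter: reading through a signed char pointer sign-extends 0xFF
 * to -1 when it is widened to int, which is exactly TOY_EOF. */
static int get_signed(struct toy_input *in)
{
    const signed char *string = (const signed char *)in->string;
    int c = TOY_EOF;
    if (string && *string) {
        c = *string++;                  /* 0xFF becomes -1 here */
        in->string = (const char *)string;
    }
    return c;
}

/* Patched getter: unsigned char *, so 0xFF is widened to 255. */
static int get_unsigned(struct toy_input *in)
{
    const unsigned char *string = (const unsigned char *)in->string;
    int c = TOY_EOF;
    if (string && *string) {
        c = *string++;                  /* 0xFF becomes 255 here */
        in->string = (const char *)string;
    }
    return c;
}

static char g_cmds[MAX_CMDS][MAX_LEN];  /* commands found by the last split */

/* Toy parser: a run of characters ended by ';' or TOY_EOF is one command.
 * Like bash, it finishes the current command on EOF and then asks the
 * getter for more input; it stops only when the string is really exhausted.
 * Returns the number of commands found and leaves them in g_cmds. */
static int count_commands(const char *cmdline, int patched)
{
    struct toy_input in = { cmdline };
    int (*get)(struct toy_input *) = patched ? get_unsigned : get_signed;
    int ncmd = 0, len = 0, c;

    while (ncmd < MAX_CMDS) {
        c = get(&in);
        if (c == TOY_EOF || c == ';') {
            if (len > 0) {
                g_cmds[ncmd][len] = '\0';
                ncmd++;
                len = 0;
            }
            if (c == TOY_EOF && *in.string == '\0')
                break;                  /* genuine end of input */
            continue;                   /* EOF faked by 0xFF: keep reading */
        }
        if (len < MAX_LEN - 1)
            g_cmds[ncmd][len++] = (char)c;
    }
    return ncmd;
}

/* Caller-side mitigation for programs that pass user data to system(),
 * popen() or "/bin/sh -c": allow only a small set of ASCII characters, so
 * 0xFF (and every other non-ASCII byte or shell metacharacter) is refused
 * before it ever reaches the shell. Returns 1 if acceptable, 0 otherwise. */
static int safe_for_shell(const char *s)
{
    for (; *s; s++) {
        unsigned char b = (unsigned char)*s;
        if (b > 0x7e || !(isalnum(b) || strchr(" ._-/@", b)))
            return 0;
    }
    return 1;
}

int main(void)
{
    /* Constructed sample: 'ls', the byte 0377, 'who', as in the advisory. */
    const char *cmdline = "ls\377who";
    int n, i;

    n = count_commands(cmdline, 0);
    printf("signed char *  : %d command(s)\n", n);
    for (i = 0; i < n; i++)
        printf("  [%s]\n", g_cmds[i]);
    n = count_commands(cmdline, 1);
    printf("unsigned char *: %d command(s)\n", n);
    printf("safe_for_shell: %d\n", safe_for_shell(cmdline));
    return 0;
}
```

With the signed getter the model splits `ls\377who` into `ls` and `who`, which is the two-command behaviour the advisory reports for `bash -c`; with the unsigned getter the same bytes stay one six-byte command. The allow-list in safe_for_shell() is the defence a CGI or any other program calling system()/popen() should apply regardless of which shell is installed as /bin/sh: it rejects every byte above 0x7e rather than just 255, since the shell, not the caller, decides what the remaining high bytes mean.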