-----BEGIN PGP SIGNED MESSAGE-----

===============================================================================
  Security Advisory CERT-NL
===============================================================================
Author/Source : Olav ten Bosch                  Index         : S-96-48
Distribution  : World                           Page          : 1
Classification: External                        Version       : 2
Subject       : Vulnerability in "bash"         Date          : 29-aug-96
===============================================================================

By courtesy of IBM's Internet Emergency Response Service (IBM-ERS) we
received information on a vulnerability in the GNU Project's Bourne Again
SHell ("bash").

CERT-NL recommends installing the new version of bash and applying the
(updated) patch given in the second part of this advisory.

Be careful: this advisory consists of two parts, ERS-SVA-E01-1996:004.1 and
ERS-SVA-E01-1996:004.2, the latter being an update to ERS-SVA-E01-1996:004.1.

==============================================================================
                      EMERGENCY RESPONSE SERVICE
                    SECURITY VULNERABILITY ALERT

21 August 1996 13:00 GMT                      Number: ERS-SVA-E01-1996:004.1
===============================================================================
                           VULNERABILITY SUMMARY

VULNERABILITY:  A variable declaration error in "bash" allows the character
                with value 255 decimal to be used as a command separator.

PLATFORMS:      Bash 1.14.6 and earlier versions.

SOLUTION:       Apply the patch provided below.

THREAT:         When used in environments where users provide strings to be
                used as commands or arguments to commands, "bash" can be
                tricked into executing arbitrary commands.
===============================================================================
                           DETAILED INFORMATION

I.   Description

     A.  Introduction

     The GNU Project's Bourne Again SHell ("bash") is a drop-in replacement
     for the UNIX Bourne shell (/bin/sh).  It offers the same syntax as the
     standard shell, but also includes additional functionality such as job
     control, command line editing, and history.
     Although "bash" can be compiled and installed on almost any UNIX
     platform, its most prevalent use is on "free" versions of UNIX such as
     Linux, where it has been installed as "/bin/sh" (the default shell for
     most uses).  The "bash" source code is freely available from many sites
     on the Internet.

     B.  Vulnerability Details

     There is a variable declaration error in the "yy_string_get()" function
     in the "parse.y" module of the "bash" source code.  This function is
     responsible for parsing the user-provided command line into separate
     tokens (commands, special characters, arguments, etc.).

     The error involves the variable "string," which has been declared to be
     of type "char *."  The "string" variable is used to traverse the
     character string containing the command line to be parsed.  As
     characters are retrieved through this pointer, they are stored in a
     variable of type "int."  On systems/compilers where the "char" type
     defaults to "signed char", each value is sign-extended when it is
     assigned to the "int" variable.  For character code 255 decimal (-1 in
     two's complement form), this sign extension results in the value (-1)
     being assigned to the integer.

     However, (-1) is used in other parts of the parser to indicate the end
     of a command.  Thus, the character code 255 decimal (377 octal) will
     serve as an unintended command separator for commands given to "bash"
     via the "-c" option.  For example,

          bash -c 'ls\377who'

     (where "\377" represents the single character with value 255 decimal)
     will execute two commands, "ls" and "who."

II.  Impact

     This unexpected command separator can be dangerous, especially on
     systems such as Linux where "bash" has been installed as "/bin/sh,"
     when a program executes a command with a string provided by a user as
     an argument using the "system()" or "popen()" functions (or by calling
     "/bin/sh -c string" directly).
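As an added example for the sign-extension mechanism and for the system()/popen() exposure described above (this is illustrative C written for this page, not bash's own parser code), the program below models the reader in its vulnerable and patched forms, runs a constructed "ls\377who" through a parse loop that treats -1 as end-of-command, shows a caller-side input filter for programs that must hand user data to a shell, and probes the installed /bin/sh through popen(). The names vuln_get, fixed_get, split_commands, count_commands and safe_for_shell_arg are this example's own, and the sample input is constructed.

```c
#define _POSIX_C_SOURCE 200809L   /* for popen()/pclose() in <stdio.h> */
#include <stdio.h>

/* Model of the bash 1.14.6 reader bug (added example, not bash's own code).
 * A reader returns the next byte widened to int, or -1 when the buffer is
 * exhausted; -1 is what the parser takes as end-of-command. */

/* Vulnerable: bytes are fetched through a signed char pointer, so 0xFF is
 * sign-extended to -1 and cannot be told apart from real end-of-input.
 * `signed char` is spelled out so the demo behaves the same on targets
 * where plain `char` is unsigned. */
static int vuln_get(const char **cursor)
{
    const signed char *string = (const signed char *)*cursor;
    int c;
    if (*string == '\0')
        return -1;
    c = *string++;                       /* 0xFF widens to -1 */
    *cursor = (const char *)string;
    return c;
}

/* Fixed, as in the advisory's patch: unsigned char keeps 0xFF as 255. */
static int fixed_get(const char **cursor)
{
    const unsigned char *string = (const unsigned char *)*cursor;
    int c;
    if (*string == '\0')
        return -1;
    c = *string++;                       /* 0xFF widens to 255 */
    *cursor = (const char *)string;
    return c;
}

/* Emulates the parse loop: bytes accumulate until the reader reports -1, at
 * which point the text so far is one complete command; if input remains, a
 * new command starts.  That is how a spurious -1 from 0xFF turns "ls\377who"
 * into "ls" followed by "who".  Returns the command count and copies each
 * command into out[i] (truncated to 31 bytes). */
static int split_commands(const char *line, int (*get)(const char **),
                          char out[][32], int max_cmds)
{
    const char *cursor = line;
    int ncmds = 0;
    while (ncmds < max_cmds) {
        char *dst = out[ncmds];
        size_t len = 0;
        int c;
        while ((c = get(&cursor)) != -1)
            if (len < sizeof out[0] - 1)
                dst[len++] = (char)c;
        dst[len] = '\0';
        if (len > 0)
            ncmds++;
        if (*cursor == '\0')             /* genuine end of input */
            break;
    }
    return ncmds;
}

/* Convenience wrapper: number of commands a given reader yields. */
static int count_commands(const char *line, int (*get)(const char **))
{
    char cmds[8][32];
    return split_commands(line, get, cmds, 8);
}

/* Caller-side mitigation for programs that pass user data to system() or
 * popen(): reject control bytes and anything with the high bit set before
 * it reaches /bin/sh.  Returns 1 if acceptable, else 0.  This covers only
 * the 0xFF separator; shell metacharacters still need handling, or the
 * shell should be avoided altogether with execvp(). */
static int safe_for_shell_arg(const char *s)
{
    for (; *s; s++) {
        unsigned char b = (unsigned char)*s;
        if (b < 0x20 || b >= 0x7f)
            return 0;
    }
    return 1;
}

int main(void)
{
    static const char attack[] = "ls\377who";  /* constructed sample input */
    FILE *p;
    int ch, lines = 0;

    printf("\"ls\\377who\": vulnerable reader sees %d command(s), patched "
           "reader %d, filter accepts it: %s\n",
           count_commands(attack, vuln_get), count_commands(attack, fixed_get),
           safe_for_shell_arg(attack) ? "yes" : "no");

    /* Live probe of the installed /bin/sh via the popen() path the advisory
     * warns about: two output lines mean 0xFF split the command. */
    if ((p = popen("echo one\377echo two", "r")) != NULL) {
        while ((ch = getc(p)) != EOF)
            lines += (ch == '\n');
        pclose(p);
        printf("/bin/sh printed %d line(s): %s\n", lines,
               lines > 1 ? "AFFECTED" : "not affected");
    }
    return 0;
}
```

Build with `cc -Wall -o ffsplit ffsplit.c` and run it; on a patched shell the probe prints a single line. The byte filter is only a stop-gap for this particular separator: a program that must run user-supplied strings should not go through "/bin/sh -c" at all, but execute the program directly with an argument vector, so that no shell parsing of user data takes place.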
     The exposure is especially serious for the CGI programming interface in
     World Wide Web servers, many of which do not strip out characters with
     value 255 decimal.  If a user sending data to the server can specify the
     character code 255 in a string that is passed to a shell, and that
     shell is "bash," the user can execute any arbitrary command with the
     user-id and permissions of the user running the server (frequently
     "root").

     The "bash" built-in commands "eval," "source," and "fc" are also
     potentially vulnerable to this problem.

III. Solutions

     A.  How to alleviate the problem

     This problem can be alleviated by changing the declaration of the
     "string" variable in the "yy_string_get()" function from "char *" to
     "unsigned char *."

     B.  Official fix from the "bash" maintainers

     The "bash" maintainers have told us they plan to fix this problem in
     Version 2.0 of "bash," but this will not be released for at least a few
     more months.

     C.  Unofficial fix until the official version is released

     Until the "bash" maintainers release Version 2.0, this problem can be
     fixed by applying the patch below to the "bash" source code,
     recompiling the program, and installing the new version.

     The patch below is for Version 1.14.6 of "bash."  Source code for this
     version can be obtained from

          ftp://prep.ai.mit.edu/pub/gnu/bash-1.14.6.tar.gz

     as well as many other sites around the Internet.

- ----------------------------------- cut here ---------------------------------- *** parse.y.old Thu Nov 2 15:00:51 1995 - ---- parse.y Tue Aug 20 09:16:48 1996 *************** *** 904,910 **** static int yy_string_get () { ! register char *string; register int c; string = bash_input.location.string; - ---- 904,910 ---- static int yy_string_get () { ! 
register unsigned char *string; register int c; string = bash_input.location.string; - ----------------------------------- cut here ----------------------------------

     To apply this patch, save the text between the two "--- cut here ---"
     lines to a file, change directories to the "bash" source directory, and
     issue the command

          patch < filename

     If you do not have the "patch" program, you can obtain it from

          ftp://prep.ai.mit.edu/pub/gnu/patch-2.1.tar.gz

     or you can apply the patch by hand.

     After applying the patch, recompile and reinstall the "bash" program by
     following the directions in the "INSTALL" file, included as part of the
     "bash" distribution.

     This patch is provided "AS IS" without warranty of any kind, including,
     without limitation, any implied warranties of merchantability or
     fitness for a particular purpose.  This advisory does not create or
     imply any support obligations or any other liability on the part of IBM
     or its subsidiaries.

IV.  Acknowledgements

     IBM-ERS would like to thank the IBM Global Security Analysis Laboratory
     at the IBM T. J. Watson Research Center for their discovery of this
     vulnerability, bringing it to our attention, providing the patch to fix
     it, and assistance in developing this alert.

     UNIX is a technology trademark of X/Open Company, Ltd.

===============================================================================

==============================================================================
                      EMERGENCY RESPONSE SERVICE
                    SECURITY VULNERABILITY ALERT

28 August 1996 18:00 GMT                      Number: ERS-SVA-E01-1996:004.2
===============================================================================
                      UPDATE TO ERS-SVA-E01-1996:004.1

This Security Vulnerability Alert provides updated information about the
"bash" vulnerability described in ERS-SVA-E01-1996:004.1, which was released
on 21 August 1996.

As you will recall, the original advisory described a variable declaration
problem in the function "yy_string_get()" in the file "parse.y."
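Review bot: In the ERS-SVA-E01-1996:004.1 hunk for parse.y lines 904-910, only the declaration `register char *string;` becomes `register unsigned char *string;`, while the unchanged context line `string = bash_input.location.string;` still assigns from a field whose type the hunk leaves alone; if that field is declared `char *`, the patched assignment mixes incompatible pointer types and draws a compiler warning (a failure under -Werror), so either cast at that line, `string = (unsigned char *)bash_input.location.string;`, or retype the field. The fix itself is sound: read through an unsigned pointer, byte 0xFF widens to 255 instead of -1 and can no longer be mistaken for the parser's EOF sentinel. After rebuilding, `bash -c "$(printf 'echo one\377echo two')"` must print a single line; two lines mean the old binary is still installed.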
This problem causes the parser to treat the character with decimal value 255
as a command separator.  When a user is allowed to provide strings to be
executed by a shell, and that shell is "bash," this problem could allow the
user to execute arbitrary commands.  The advisory included a patch for the
"bash" source code to alleviate this problem.

I.   New version of "bash" released

     On 27 August 1996, Version 1.14.7 of "bash" was released.  This version
     fixes the problem reported in ERS-SVA-E01-1996:004.1.  You can obtain
     this new version from:

          ftp://slc2.ins.cwru.edu/pub/dist/bash-1.14.7.tar.gz

     (It will also be available from the usual GNU archives in a few days.)

II.  Updated patch for second potential problem

     The patch provided in the original advisory applies to the
     "yy_string_get()" function; application of the patch will alleviate
     this problem with shells that are not interactive (i.e., those shells
     that receive their input via the "-c" argument).

     However, IBM-ERS has now received information that a similar problem
     exists with the "yy_readline_get()" function, also in the file
     "parse.y," which is used to read commands in interactive shells (ones
     that print a prompt and read from the keyboard, a shell script, or a
     pipe).  It is not clear that this problem produces any exploitable
     vulnerabilities in the "bash" program; however, you may wish to address
     the problem for completeness' sake.

     This problem can be alleviated by applying the patch below to the
     "bash" source code, then recompiling the program, and installing the
     new version.

     The patch below is for Version 1.14.7 of "bash."  Source code for this
     version can be obtained from the site listed above, as well as many
     other sites around the Internet.

- ------------------------------------ cut here ------------------------------- - --- *** parse.y.old Mon Aug 26 11:15:55 1996 - ----- parse.y Wed Aug 28 08:49:15 1996 *************** *** 801,807 **** #if defined (READLINE) char *current_readline_prompt = (char *)NULL; ! 
char *current_readline_line = (char *)NULL; int current_readline_line_index = 0; static int - ----- 801,807 ---- #if defined (READLINE) char *current_readline_prompt = (char *)NULL; ! unsigned char *current_readline_line = (unsigned char *)NULL; int current_readline_line_index = 0; static int - ------------------------------------ cut here ------------------------------- - ---

     To apply this patch, save the text between the two "--- cut here ---"
     lines to a file, change directories to the "bash" source directory, and
     issue the command

          patch < filename

     If you do not have the "patch" program, you can obtain it from

          ftp://prep.ai.mit.edu/pub/gnu/patch-2.1.tar.gz

     or you can apply the patch by hand.

     After applying the patch, recompile and reinstall the "bash" program by
     following the directions in the "INSTALL" file, included as part of the
     "bash" distribution.

     THIS PATCH IS PROVIDED "AS IS" WITHOUT WARRANTY OF ANY KIND, INCLUDING,
     WITHOUT LIMITATION, ANY IMPLIED WARRANTIES OF MERCHANTABILITY OR FITNESS
     FOR A PARTICULAR PURPOSE.  THIS ADVISORY DOES NOT CREATE OR IMPLY ANY
     SUPPORT OBLIGATIONS OR ANY OTHER LIABILITY ON THE PART OF IBM OR ITS
     SUBSIDIARIES.

III. Acknowledgements

     IBM-ERS would like to thank Jens Schweikhardt of the DFN Network
     Operations Center for his discovery of this problem, and for providing
     the original patch.  IBM-ERS would like to thank DFN-CERT for relaying
     the information to us.

==============================================================================
CERT-NL is the Computer Emergency Response Team for SURFnet customers.
SURFnet is the Dutch network for educational, research and related
institutes.  CERT-NL is a member of the Forum of Incident Response and
Security Teams (FIRST).
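Review bot: The ERS-SVA-E01-1996:004.2 hunk for parse.y lines 801-807 changes the type of the file-scope global `current_readline_line` from `char *` to `unsigned char *`, but the function the update names as affected, `yy_readline_get()`, does not appear in the hunk, and neither does any site that assigns or reads that global. Because readline() returns `char *`, every assignment to `current_readline_line` and every call that passes it to a `char *` interface elsewhere in parse.y now mismatches and will warn (or fail under -Werror) unless cast, and none of those sites are shown. The narrower change with the same effect, mirroring the 004.1 hunk for yy_string_get(), is to leave the global alone and widen the byte through a local `unsigned char *` at the one read site inside yy_readline_get(); whichever form is kept, the hunk should be accompanied by the cast sites it implies so that a 1.14.7 build stays warning-free.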
All CERT-NL material is available under:

     http://www.surfnet.nl/surfnet/security/cert-nl.html
     ftp://ftp.surfnet.nl/surfnet/net-security

In case of computer or network security problems please contact your local
CERT/security-team or CERT-NL (if your institute is NOT a SURFnet customer,
please address the appropriate (local) CERT/security-team).

CERT-NL is one/two hour(s) ahead of UTC (GMT) in winter/summer, i.e.
UTC+0100 in winter and UTC+0200 in summer (DST).

Email:     cert-nl@surfnet.nl
Phone:     +31 302 305 305
Fax:       +31 302 305 329
Snailmail: SURFnet bv
           Attn. CERT-NL
           P.O. Box 19035
           NL - 3501 DA UTRECHT
           The Netherlands

A 7 * 24 hours phone number is available to SURFnet SSC's and FIRST members
on request.
==============================================================================

-----BEGIN PGP SIGNATURE-----
Version: 2.6.2i

iQCVAwUBMia/9mL2fnkJN/jpAQE6aQQAw/PZ3u2KkSjUMqAo6xuAz94C9H4Ry7Si
r+9dmfs7LBzo8r3gv0NiZuZN4L+GK4vhMDZEMm2odYPioyyMkTsXKCryV4RRFhiS
Lvk4wI2CP6Jr3xuzJim+RLZ9jmePtDKUSSR/5Lf9vuBLfm0JjwqjUUaJ8kf5FzJO
6/x3A2gV2FU=
=34Y+
-----END PGP SIGNATURE-----