Bug#4253: [SECURITY] BoS: BUG in /bin/bash (fwd)
Package: bash
Version: 1.14.6-4
I've confirmed that this is a problem on i386.
>Resent-Date: Fri, 23 Aug 1996 05:42:28 +1000
>Date: Thu, 22 Aug 1996 15:35:51 -0400 (EDT)
>From: Brian Mitchell <brian@saturn.net>
>X-Sender: brian@tcpip
>To: Best of Security <best-of-security@suburbia.net>
>MIME-Version: 1.0
>Resent-From: best-of-security@suburbia.net
>X-Mailing-List: <best-of-security@suburbia.net> archive/latest/248
>X-Loop: best-of-security@suburbia.net
>Precedence: list
>Resent-Sender: best-of-security-request@suburbia.net
>Subject: BoS: BUG in /bin/bash (fwd)
>Status:
>
>
>
>Brian Mitchell
>brian@saturn.net
>"I never give them hell. I just tell the truth and they think it's hell"
>- H. Truman
>
>--ERS-ALERT--ERS-ALERT--ERS-ALERT--ERS-ALERT--ERS-ALERT--ERS-ALERT--ERS-ALERT--
>---EXTERNAL RELEASE---EXTERNAL RELEASE---EXTERNAL RELEASE---EXTERNAL RELEASE---
>
> [ASCII-art banner logo]
>
> EMERGENCY RESPONSE SERVICE
> SECURITY VULNERABILITY ALERT
>
>21 August 1996 13:00 GMT                              Number: ERS-SVA-E01-1996:004.1
>===============================================================================
> VULNERABILITY SUMMARY
>
>VULNERABILITY: A variable declaration error in "bash" allows the character
> with value 255 decimal to be used as a command separator.
>
>PLATFORMS: Bash 1.14.6 and earlier versions.
>
>SOLUTION: Apply the patch provided below.
>
>THREAT: When used in environments where users provide strings to be
> used as commands or arguments to commands, "bash" can be
> tricked into executing arbitrary commands.
>
>===============================================================================
> DETAILED INFORMATION
>
>I. Description
>
> A. Introduction
>
> The GNU Project's Bourne Again SHell ("bash") is a drop-in replacement
> for the UNIX Bourne shell (/bin/sh). It offers the same syntax as the
> standard shell, but also includes additional functionality such as job
> control, command line editing, and history.
>
> Although "bash" can be compiled and installed on almost any UNIX
> platform, its most prevalent use is on "free" versions of UNIX such as
> Linux, where it has been installed as "/bin/sh" (the default shell for
> most uses).
>
> The "bash" source code is freely available from many sites on the
> Internet.
>
> B. Vulnerability Details
>
> There is a variable declaration error in the "yy_string_get()" function
> in the "parser.y" module of the "bash" source code. This function is
> responsible for parsing the user-provided command line into separate
> tokens (commands, special characters, arguments, etc.). The error
> involves the variable "string," which has been declared to be of type
> "char *."
>
> The "string" variable is used to traverse the character string
> containing the command line to be parsed. As characters are retrieved
> from this pointer, they are stored in a variable of type "int." On
> systems/compilers where the "char" type defaults to "signed char", this
> value will be sign-extended when it is assigned to the "int" variable.
> For character code 255 decimal (-1 in two's complement form), this sign
> extension results in the value (-1) being assigned to the integer.
>
> However, (-1) is used in other parts of the parser to indicate the end
> of a command. Thus, the character code 255 decimal (377 octal) will
> serve as an unintended command separator for commands given to "bash"
> via the "-c" option. For example,
>
> bash -c 'ls\377who'
>
> (where "\377" represents the single character with value 255 decimal)
> will execute two commands, "ls" and "who."
>
>II. Impact
>
>This unexpected command separator can be dangerous, especially on systems such
>as Linux where "bash" has been installed as "/bin/sh," when a program executes
>a command with a string provided by a user as an argument using the "system()"
>or "popen()" functions (or by calling "/bin/sh -c string" directly).
>
>This is especially true for the CGI programming interface in World Wide Web
>servers, many of which do not strip out characters with value 255 decimal. If
>a user sending data to the server can specify the character code 255 in a
>string that is passed to a shell, and that shell is "bash," the user can
>execute any arbitrary command with the user-id and permissions of the user
>running the server (frequently "root").
>
>The "bash" built-in commands "eval," "source," and "fc" are also potentially
>vulnerable to this problem.
>
>III. Solutions
>
> A. How to alleviate the problem
>
> This problem can be alleviated by changing the declaration of the
> "string" variable in the "yy_string_get()" function from "char *" to
> "unsigned char *."
>
> B. Official fix from the "bash" maintainers
>
> The "bash" maintainers have told us they plan to fix this problem in
> Version 2.0 of "bash," but this will not be released for at least a few
> more months.
>
> C. Unofficial fix until the official version is released
>
> Until the "bash" maintainers release Version 2.0, this problem can be
> fixed by applying the patch below to the "bash" source code, recompiling
> the program, and installing the new version.
>
> The patch below is for Version 1.14.6 of "bash." Source code for this
> version can be obtained from
>
> ftp://prep.ai.mit.edu/pub/gnu/bash-1.14.6.tar.gz
>
> as well as many other sites around the Internet.
>
>---------------------------------- cut here ----------------------------------
>*** parse.y.old Thu Nov 2 15:00:51 1995
>--- parse.y Tue Aug 20 09:16:48 1996
>***************
>*** 904,910 ****
> static int
> yy_string_get ()
> {
>! register char *string;
> register int c;
>
> string = bash_input.location.string;
>--- 904,910 ----
> static int
> yy_string_get ()
> {
>! register unsigned char *string;
> register int c;
>
> string = bash_input.location.string;
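Review bot: with `string` now declared `register unsigned char *string;`, the trailing-context assignment `string = bash_input.location.string;` stores the input pointer into it without a cast; if `bash_input.location.string` is still a plain `char *` (its declaration is outside this hunk), a strict ANSI compiler will warn about incompatible pointer types, so either cast at the assignment or give the location's string field the matching type. A one-line comment on the changed declaration saying that the unsigned type is what keeps byte 0377 from sign-extending into the parser's -1 end-of-input value would also help the next reader, since the hunk on its own gives no hint why the change matters.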
>---------------------------------- cut here ----------------------------------
>
> To apply this patch, save the text between the two "--- cut here ---"
> lines to a file, change directories to the "bash" source directory, and
> issue the command
>
> patch < filename
>
> If you do not have the "patch" program, you can obtain it from
>
> ftp://prep.ai.mit.edu/pub/gnu/patch-2.1.tar.gz
>
> or you can apply the patch by hand.
>
> After applying the patch, recompile and reinstall the "bash" program by
> following the directions in the "INSTALL" file, included as part of the
> "bash" distribution.
>
> This patch is provided "AS IS" without warranty of any kind, including,
> without limitation, any implied warranties of merchantability or fitness
> for a particular purpose. This advisory does not create or imply any
> support obligations or any other liability on the part of IBM or its
> subsidiaries.
>
>IV. Acknowledgements
>
>IBM-ERS would like to thank the IBM Global Security Analysis Laboratory at the
>IBM T. J. Watson Research Center for their discovery of this vulnerability,
>bringing it to our attention, providing the patch to fix it, and assistance in
>developing this alert.
>
>UNIX is a technology trademark of X/Open Company, Ltd.
>
>===============================================================================
>
>IBM's Internet Emergency Response Service (IBM-ERS) is a subscription-based
>Internet security response service that includes computer security incident
>response and management, regular electronic verification of your Internet
>gateway(s), and security vulnerability alerts similar to this one that are
>tailored to your specific computing environment. By acting as an extension
>of your own internal security staff, IBM-ERS's team of Internet security
>experts helps you quickly detect and respond to attacks and exposures across
>your Internet connection(s).
>
>As a part of IBM's Business Recovery Services organization, the IBM Internet
>Emergency Response Service is a component of IBM's SecureWay(tm) line of
>security products and services. From hardware to software to consulting,
>SecureWay solutions can give you the assurance and expertise you need to
>protect your valuable business resources. To find out more about the IBM
>Internet Emergency Response Service, send an electronic mail message to
>ers-sales@vnet.ibm.com, or call 1-800-742-2493 (Prompt 4).
>
>IBM-ERS maintains a site on the World Wide Web at http://www.ers.ibm.com/.
>Visit the site for information about the service, copies of security alerts,
>team contact information, and other items.
>
>IBM-ERS uses Pretty Good Privacy* (PGP*) as the digital signature mechanism
>for security vulnerability alerts and other distributed information. The
>IBM-ERS PGP* public key is available from
>http://www.ers.ibm.com/team-info/pgpkey.html.
>"Pretty Good Privacy" and "PGP" are trademarks of Philip Zimmerman.
>
>IBM-ERS is a Member Team of the Forum of Incident Response and Security Teams
>(FIRST), a global organization established to foster cooperation and response
>coordination among computer security teams worldwide.
>
>Copyright 1996 International Business Machines Corporation.
>
>The information in this document is provided as a service to customers of
>the IBM Emergency Response Service. Neither International Business Machines
>Corporation, Integrated Systems Solutions Corporation, nor any of their
>employees, makes any warranty, express or implied, or assumes any legal
>liability or responsibility for the accuracy, completeness, or usefulness of
>any information, apparatus, product, or process contained herein, or
>represents that its use would not infringe any privately owned rights.
>Reference herein to any specific commercial products, process, or service by
>trade name, trademark, manufacturer, or otherwise, does not necessarily
>constitute or imply its endorsement, recommendation or favoring by IBM or
>its subsidiaries. The views and opinions of authors expressed herein do not
>necessarily state or reflect those of IBM or its subsidiaries, and may not be
>used for advertising or product endorsement purposes.
>
>The material in this security alert may be reproduced and distributed,
>without permission, in whole or in part, by other security incident response
>teams (both commercial and non-commercial), provided the above copyright is
>kept intact and due credit is given to IBM-ERS.
>
>This security alert may be reproduced and distributed, without permission,
>in its entirety only, by any person provided such reproduction and/or
>distribution is performed for non-commercial purposes and with the intent of
>increasing the awareness of the Internet community.
>
>---EXTERNAL RELEASE---EXTERNAL RELEASE---EXTERNAL RELEASE---EXTERNAL RELEASE---
>--ERS-ALERT--ERS-ALERT--ERS-ALERT--ERS-ALERT--ERS-ALERT--ERS-ALERT--ERS-ALERT--
>
--
Shields, CrossLink.
Reply to:
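The sign-extension mechanism described in section I.B of the forwarded advisory, and the input check suggested by its section II (programs that pass user strings to system(), popen() or "/bin/sh -c"), as one added example. This is constructed illustration code, not code from bash, from the advisory, or from the bug report. The names `END_OF_INPUT`, `get_signed`, `get_unsigned`, `count_commands`, `has_high_bit_byte` and `SAMPLE` are all assumed here; `SAMPLE` is built from the advisory's own "ls\377who" example. The buggy reader uses `signed char` explicitly rather than relying on the compiler's default for `char`, so the demonstration behaves the same everywhere, including on i386 where the reporter confirmed `char` is signed.

```c
#include <stdio.h>

/* Toy model of the parser convention the advisory describes: the byte
 * reader hands back each byte as an int and returns -1 once the input
 * is exhausted. Constructed illustration only, not code from bash. */
#define END_OF_INPUT (-1)

typedef int (*reader_fn)(const char **cursor);

/* Reader modelled on the unpatched yy_string_get(): the cursor is a
 * signed char pointer (what "char *" means on i386), so byte 0377 is
 * sign-extended to -1 and becomes indistinguishable from END_OF_INPUT. */
int get_signed(const char **cursor)
{
    const signed char *s = (const signed char *)*cursor;
    int c;
    if (*s == '\0')
        return END_OF_INPUT;      /* genuine end of the string */
    c = *s++;                     /* 0xFF -> (signed char)-1 -> (int)-1 */
    *cursor = (const char *)s;
    return c;
}

/* Reader modelled on the patched declaration: an unsigned char pointer
 * yields 0..255, so byte 0377 comes back as 255, never -1. */
int get_unsigned(const char **cursor)
{
    const unsigned char *s = (const unsigned char *)*cursor;
    int c;
    if (*s == '\0')
        return END_OF_INPUT;
    c = *s++;                     /* 0xFF -> (unsigned char)255 -> (int)255 */
    *cursor = (const char *)s;
    return c;
}

/* Counts how many separate commands a parser using the given reader
 * would see: every END_OF_INPUT closes the command being read. A -1
 * that arrives before the terminating NUL is the "unintended command
 * separator" from the advisory; parsing simply continues past it. */
int count_commands(const char *input, reader_fn next)
{
    const char *cursor = input;
    int commands = 0;
    int in_command = 0;

    for (;;) {
        int c = next(&cursor);
        if (c != END_OF_INPUT) {
            in_command = 1;
            continue;
        }
        if (in_command) {
            commands++;
            in_command = 0;
        }
        if (*cursor == '\0')      /* the real end of the string */
            return commands;
        /* the -1 came from a 0377 byte, not from the NUL: keep parsing */
    }
}

/* Defensive check for programs that hand user input to system(), popen()
 * or "/bin/sh -c": returns 1 if any byte has the high bit set, which is
 * where the 0377 byte the advisory describes would hide. It is a
 * reject-before-shell filter for this specific problem; it does not
 * replace an allow-list for ordinary shell metacharacters. */
int has_high_bit_byte(const char *s)
{
    const unsigned char *p = (const unsigned char *)s;
    for (; *p != '\0'; p++) {
        if (*p & 0x80)
            return 1;
    }
    return 0;
}

/* Constructed sample: the advisory's own example, "ls" followed by the
 * single byte 0377 and then "who". */
const char SAMPLE[] = "ls\377who";

int main(void)
{
    printf("signed reader   sees %d command(s)\n", count_commands(SAMPLE, get_signed));
    printf("unsigned reader sees %d command(s)\n", count_commands(SAMPLE, get_unsigned));
    printf("high-bit byte present: %s\n", has_high_bit_byte(SAMPLE) ? "yes" : "no");
    return 0;
}
```

The two readers differ only in the pointer type used to fetch the byte, which is exactly the one-line change in the advisory's patch; the signed reader reports two commands for the sample while the unsigned one reports a single command. Whether the program calling the shell is a CGI handler or anything else, the cheapest mitigation on the caller's side is to refuse input that fails `has_high_bit_byte`-style checks before it ever reaches `system()`.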