H-01: Vulnerabilities in bash

PROBLEM:       Two vulnerabilities have been identified with GNU Project's 
               Bourne Again SHell (bash): (1) in yy_string_get() and (2) in 
               yy_readline_get(). 
PLATFORM:      Any UNIX platform or any "free" vwhere bash has been installed 
               as "/bin/sh". The problems affect ersions of UNIX such as 
               Linux, bash versions 1.14.6 and earlier. 
DAMAGE:        The user could execute any arbitrary command with the user-id 
               and permissions of the user running the server (frequently 
               root). 
SOLUTION:      Upgrade to bash 1.14.7 and apply the patch indicated below. 
VULNERABILITY  The bash shell is the default shell for most (if not all)   
ASSESSMENT:    Linux distributions, so most Linux systems are subject to 
               this attack. The nature of the vulnerability makes Web servers
               running CGI scripts susceptible to outside attack -- it is not 
               necessary to have a user account to exploit this vulnerability. 
               t is highly recommended that this vulnerability be addressed 
               on all Linux systems, particularly those with Web servers running
               CGI scripts.                                                                 


[ Start of CERT Advisory ]

=============================================================================
CERT(sm) Advisory CA-96.22
Original issue date: October 8, 1996
Last revised: --

Topic: Vulnerabilities in bash
-----------------------------------------------------------------------------
                The original technical content for this advisory
                was published by the IBM-ERS response team and
                is used here with their permission.

This advisory describes two problems with the GNU Project's Bourne Again
SHell (bash): one in yy_string_get() and one in yy_readline_get().

The vulnerability in yy_string_get() allows the character with value 255
decimal to be used as a command separator. When used in environments where
users provide strings to be used as commands or arguments to commands, bash
can be tricked into executing arbitrary commands.

It is not clear whether the problem with yy_readline_get() results in an
exploitable vulnerability, though you may want to address both problems for
completeness.

The problems affect bash versions 1.14.6 and earlier.

The CERT/CC team recommends that you upgrade to bash 1.14.7 as soon as
possible, as discussed in Section III.A below. Section III.B contains a
patch for 1.14.7, which we recommend using to address the yy_readline_get()
problem.

We will update this advisory as we receive additional information.
Please check advisory files regularly for updates that relate to your site.

----------------------------------------------------------------------------

I. Description

   A. Introduction

      The GNU Project's Bourne Again SHell (bash) is a drop-in replacement
      for the UNIX Bourne shell (/bin/sh). It offers the same syntax as the
      standard shell, and it also includes additional functionality such as
      job control, command line editing, and history.

      Although bash can be compiled and installed on almost any UNIX
      platform, its most prevalent use is on "free" versions of UNIX such as
      Linux, where it has been installed as "/bin/sh" (the default shell for
      most uses).

      The bash source code is freely available from many sites on the
      Internet.

   B. Vulnerability Details

      1. Vulnerability in yy_string_get()

         There is a variable declaration error in the "yy_string_get()"
         function in the "parse.y" module of the "bash" source code. This
         function is responsible for parsing the user-provided command line
         into separate tokens (commands, special characters, arguments, etc.).
         The error involves the variable "string", which has been declared to
         be of type "char *".

         The "string" variable is used to traverse the character string
         containing the command line to be parsed. As characters are
         retrieved from this pointer, they are stored in a variable of type
         "int". On systems/compilers where the "char" type defaults to
         "signed char" this value will be sign-extended when it is assigned
         to the  "int" variable. For character code 255 decimal (-1 in two's
         complement form), this sign extension results in the value (-1)
         being assigned to the integer.

         However, (-1) is used in other parts of the parser to indicate the
         end of a command. Thus, the character code 255 decimal (377 octal)
         will serve as an unintended command separator for commands given to
         bash via the "-c" option. For example,

         bash -c 'ls\377who'

         (where "\377" represents the single character with value 255 decimal)
         will execute two commands, "ls" and "who".

      2. Possible vulnerability in yy_readline_get()

         A similar problem exists with the "yy_readline_get()" function, which
         is also in the file "parse.y" and which is used to read commands in
         interactive shells (ones that print a prompt and read from the
         keyboard, a shell script, or a pipe).

         It is not clear that this problem produces any exploitable
         vulnerabilities in the bash program; however, you may wish to
         address the problem for the sake of completeness.

II.  Impact

     This unexpected command separator can be dangerous, especially on systems
     such as Linux where bash has been installed as "/bin/sh," when a program
     executes a command with a string provided by a user as an argument using
     the "system()" or "popen()" functions (or by calling "/bin/sh -c string"
     directly).

     This is especially true for the CGI programming interface in World Wide
     Web servers, many of which do not strip out characters with value 255
     decimal. If a user sending data to the server can specify the character
     code 255 in a string that is passed to a shell, and that shell is bash,
     the user can execute any arbitrary command with the user-id and
     permissions of the user running the server (frequently "root").

     The bash built-in commands "eval," "source," and "fc" are also
     potentially vulnerable to this problem.

III. Solution

     A. Vulnerability in yy_string_get

        On 27 August 1996, Version 1.14.7 of bash was released. You can
        obtain this new version from:

        ftp://slc2.ins.cwru.edu/pub/dist/bash-1.14.7.tar.gz


     B. Vulnerability in yy_readline_get

        It is not clear that this problem produces any exploitable
        vulnerabilities in the "bash" program; however, you may wish to
        address the problem for the sake of completeness.

        This problem can be alleviated by applying the patch below to the
        bash source code, then recompiling the program, and installing the
        new version.

        The patch below is for Version 1.14.7 of bash. Source code for this
        version can be obtained from the site listed above.

---------------------------------- cut here ---------------------------------
*** parse.y.old Mon Aug 26 11:15:55 1996
- - - --- parse.y   Wed Aug 28 08:49:15 1996
***************
*** 801,807 ****

  #if defined (READLINE)
  char *current_readline_prompt = (char *)NULL;
! char *current_readline_line = (char *)NULL;
  int current_readline_line_index = 0;

  static int
- - - - --- 801,807 ----

  #if defined (READLINE)
  char *current_readline_prompt = (char *)NULL;
! unsigned char *current_readline_line = (unsigned char *)NULL;
  int current_readline_line_index = 0;

  static int
--------------------------------- cut here ----------------------------------

        To apply this patch, save the text between the two "--- cut here ---"
        lines to a file, change directories to the bash source directory,
        and issue the command

        patch < filename

        If you do not have the patch program, you can obtain it from

        ftp://prep.ai.mit.edu/pub/gnu/patch-2.1.tar.gz

        or you can apply the patch by hand.

        After applying the patch, recompile and reinstall the bash program by
        following the directions in the "INSTALL" file, included as part of
        the bash distribution.

----------------------------------------------------------------------------
The CERT Coordination Center thanks IBM-ERS for permission to reproduce the
technical content in their IBM Emergency Response Service Security
Vulnerability Alerts ERS-SVA-E01-1006:004.1 and ERS-SVA-E01-1006:004.2.
These alerts are copyrighted 1996 International Business Machines Corporation.
----------------------------------------------------------------------------
 
[ End of CERT Advisory ]

    Voice:          +1 925-422-8193 (7 x 24)
    FAX:            +1 925-423-8002
    STU-III:        +1 925-423-2604
    E-mail:          ciac@ciac.org
    World Wide Web:  http://www.ciac.org/
    Anonymous FTP:   ftp.ciac.org