{{short description|Security bug in the Unix Bash shell discovered in 2014}}
{{Redirect|Bash bug|the related bug reporting tool|Bash (Unix shell)#Bug reporting|the arcade skill game|Bashy Bug}}
{{lead too long|date=November 2016}}
{{Use dmy dates|date=April 2020}}

{{Infobox bug
| name = Shellshock
| image = [[Image:Shellshock-bug.svg|180px]]
| caption = A simple Shellshock logo, similar to the [[Heartbleed]] bug logo. <!-- Only one of the logos commonly applied to the bug shall be used here. See the talkpage.-->
| CVE = {{CVE|2014-6271}} (initial),<br/>{{CVE|2014-6277}},<br/>{{CVE|2014-6278}},<br/>{{CVE|2014-7169}},<br/>{{CVE|2014-7186}},<br/>{{CVE|2014-7187}}
| discovered = {{Start date and age|2014|9|12|df=yes}}
| patched = {{Start date and age|2014|9|24|df=yes}}
| discoverer = Stéphane Chazelas
| affected software = [[Bash (shell)|Bash]] (1.0.3–4.3)
| website =
}}

'''Shellshock''', also known as '''Bashdoor''',<ref name="NYT-20140925-NP">{{cite news |last=Perlroth |first=Nicole |title=Security Experts Expect 'Shellshock' Software Bug in Bash to Be Significant |url=https://www.nytimes.com/2014/09/26/technology/security-experts-expect-shellshock-software-bug-to-be-significant.html |date=25 September 2014 |work=[[New York Times]] |access-date=25 September 2014 }}</ref> is a family of [[security bug]]s<ref name="TSM-20140927">Although described in some sources as a "virus," Shellshock is instead a design flaw in a program that comes with some operating systems. See: {{cite web |author=Staff |title=What does the "Shellshock" bug affect? |url=http://www.thesafemac.com/what-does-the-shellshock-bug-affect/ |date=25 September 2014 |work=The Safe Mac |access-date=27 September 2014 }}</ref> in the [[Unix]] [[Bash (Unix shell)|Bash]] [[shell (computing)|shell]], the first of which was disclosed on 24 September 2014. Shellshock could enable an attacker to cause Bash to [[arbitrary code execution|execute arbitrary command]]s and gain unauthorized access<ref name="ZDN-20140929">{{cite web |last=Seltzer |first=Larry |title=Shellshock makes Heartbleed look insignificant |url=http://www.zdnet.com/shellshock-makes-heartbleed-look-insignificant-7000034143/ |date=29 September 2014 |work=[[ZDNet]] |access-date=29 September 2014 }}</ref> to many Internet-facing services, such as web servers, that use Bash to process requests.

On 12 September 2014, Stéphane Chazelas informed Bash's maintainer Chet Ramey<ref name="NYT-20140925-NP" /> of his discovery of the original bug, which he called "Bashdoor". Working with security experts, Chazelas developed a [[Patch (computing)|patch]]<ref name="NYT-20140925-NP" /> for the issue, which by then had been assigned the vulnerability identifier ''{{CVE|2014-6271}}''.<ref name="seclist-q3-650">{{cite web|url=http://seclists.org/oss-sec/2014/q3/650|title=oss-sec: Re: CVE-2014-6271: remote code execution through bash|author=Florian Weimer|work=[[Seclists.org]]|date=24 September 2014|access-date=1 November 2014}}</ref> The existence of the bug was announced to the public on 24 September 2014, when Bash updates with the fix were ready for distribution.<ref name="seclist-q3-666">{{cite web|url=http://seclists.org/oss-sec/2014/q3/666|title=oss-sec: Re: CVE-2014-6271: remote code execution through bash|author=Florian Weimer|work=[[Seclists.org]]|date=24 September 2014|access-date=1 November 2014}}</ref>

The bug Chazelas discovered caused Bash to unintentionally execute commands when the commands are concatenated to the end of [[subroutine|function definitions]] stored in the values of [[environment variable]]s.<ref name="NYT-20140925-NP" /><ref name="TR-20140924">{{cite web |last=Leyden |first=John |title=Patch Bash NOW: 'Shell Shock' bug blasts OS X, Linux systems wide open |url=https://www.theregister.co.uk/2014/09/24/bash_shell_vuln/ |work=[[The Register]] |date=24 September 2014 |access-date=25 September 2014}}</ref> Within days of its publication, a variety of related vulnerabilities were discovered (''{{CVE|2014-6277|2014-6278|2014-7169|2014-7186|2014-7187|leadout=and}}''). Ramey addressed these with a series of further patches.<ref name="ITN-20140929"/><ref name="zdnet-betterbash"/>

Attackers exploited Shellshock within hours of the initial disclosure by creating [[botnet]]s of compromised computers to perform [[Denial-of-service attack#Distributed attack|distributed denial-of-service attacks]] and [[vulnerability scanner|vulnerability scanning]].<ref name="Wired" /><ref name="IT-20140926-JS" /> Security companies recorded millions of attacks and probes related to the bug in the days following the disclosure.<ref name="NYT-20140926-NP" /><ref name="businessweek" />

Because of the potential to compromise millions of unpatched systems, Shellshock was compared to the [[Heartbleed]] bug in its severity.<ref name="ZDN-20140929" /><ref name="mit-tech">{{cite web |last1=Cerrudo |first1=Cesar |title=Why the Shellshock Bug Is Worse than Heartbleed |url=http://www.technologyreview.com/view/531286/why-the-shellshock-bug-is-worse-than-heartbleed/|date=30 September 2014 |website=[[MIT Technology Review]] |access-date=1 October 2014 }}</ref>

==Background==
The Shellshock bug affects [[Bash (Unix shell)|Bash]], a program that various [[Unix]]-based systems use to execute command lines and command scripts. It is often installed as the system's default [[command-line interface]]. Analysis of the [[source code]] history of Bash shows the bug was introduced on 5 August 1989, and released in Bash version 1.03 on 1 September 1989.<ref name="BASH105_CHANGELOG">{{cite web |last=Fox |first=Brian |title=Bash 1.05 ChangeLog |url=http://www.oldlinux.org/Linux.old/bin/old/bash-1.05/ChangeLog |date=21 March 1990 |access-date=14 October 2014}}</ref><ref name="BASHBUG-20141010-SC">{{cite web |last=Chazelas |first=Stéphane |work=Stéphane Chazelas and Chet Ramey confirm the vulnerability introduction date on Bash official communication channel |title=when was shellshock introduced |url=http://thread.gmane.org/gmane.comp.shells.bash.bugs/22418 |date=10 October 2014 |access-date=14 October 2014 |archive-url=https://web.archive.org/web/20161220033324/http://thread.gmane.org/gmane.comp.shells.bash.bugs/22418 |archive-date=20 December 2016 |url-status=dead }}</ref><ref name="Stack Exchange Thread">{{cite web |last=Chazelas |first=Stéphane |url=https://unix.stackexchange.com/questions/157381/when-was-the-shellshock-cve-2014-6271-7169-bug-introduced-and-what-is-the-pat/157495#157495 |title=When was the shellshock (CVE-2014-6271/7169) bug introduced, and what is the patch that fully fixes it? |date=25 September 2014}}</ref>

Shellshock is a [[privilege escalation]] vulnerability that offers a way for users of a system to execute commands that should be unavailable to them. This happens through Bash's "function export" feature, whereby command scripts created in one running instance of Bash can be shared with subordinate instances.<ref>{{cite web|url=https://www.gnu.org/software/bash/manual/bash.html#Shell-Functions|title= Bash Reference Manual: Shell Functions |access-date= 2 October 2014}}</ref> This feature is implemented by encoding the scripts within a table that is shared between the instances, known as the [[environment variable]] list. Each new instance of Bash scans this table for encoded scripts, assembles each one into a command that defines that script in the new instance, and executes that command.<ref name="exported-function">{{cite web|url= http://git.savannah.gnu.org/cgit/bash.git/tree/variables.c?id=ac50fbac377e32b98d2de396f016ea81e8ee9961#n315 |title=Bash 4.3 source code, file variables.c, lines 315-388 |access-date= 2 October 2014}}</ref> The new instance assumes that the scripts found in the list come from another instance, but it cannot verify this, nor can it verify that the command that it has built is a properly formed script definition. Therefore, if an attacker has a way to manipulate the environment variable list and then cause Bash to run, they can execute arbitrary commands on the system or exploit other bugs that may exist in Bash's command interpreter.
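
The following script is an added example, not part of the article and not code from the Bash project: it shows the "function export" feature described above as it behaves in a patched Bash, namely that an exported function travels to a child shell through an environment entry whose value begins with "() {", while an ordinary variable with such a value is no longer imported as a function. It assumes a bash binary on PATH and prints "no-bash" otherwise; the function name "greet" is made up.

```shell
#!/bin/sh
# Added example (not from the article). Demonstrates Bash's function export
# mechanism and the post-patch behaviour. Assumes bash is on PATH.

have_bash() { command -v bash >/dev/null 2>&1; }

# Defines a function in a parent bash, exports it with "export -f", and reports
# (a) whether a child bash imported it and (b) whether the environment carries
# the encoded definition. A patched bash stores it under "BASH_FUNC_greet%%"
# (some vendor builds used "BASH_FUNC_greet()"), older releases under the bare
# name "greet"; in every case the value starts with "() {", the marker that the
# importing shell looks for.
show_function_export() {
    have_bash || { echo "no-bash"; return 0; }
    bash -c '
        greet() { echo "greet-ran"; }
        export -f greet
        imported=$(bash -c greet 2>/dev/null || echo "greet-missing")
        if env | grep -Eq "^(BASH_FUNC_)?greet(%%|\(\))?=\(\) *\{"; then
            entry="env-entry-ok"
        else
            entry="env-entry-missing"
        fi
        echo "$imported $entry"
    '
}

# The defender-side corollary: on a patched bash an ordinary variable whose
# value merely begins with "() {" is not turned into a function on start-up,
# so nothing appended to such a value can run. Prints "not-imported" on a
# patched bash and "imported" on an unpatched one.
check_plain_variable_import() {
    have_bash || { echo "no-bash"; return 0; }
    if env greet='() { echo greet-ran; }' bash -c 'type -t greet >/dev/null 2>&1'; then
        echo "imported"
    else
        echo "not-imported"
    fi
}

show_function_export
check_plain_variable_import
```

On a current Bash the two calls print "greet-ran env-entry-ok" and "not-imported": the legitimate export still works because the child recognises the `BASH_FUNC_` naming, whereas a plain variable that only looks like a function definition is ignored.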

The presence of the bug was announced to the public on 24 September 2014, when Bash updates with the fix were ready for distribution,<ref name="seclist-q3-666" /> though it took some time for computers to be updated to close the potential security issue.

==Reports of attacks==
Within an hour of the announcement of the Bash vulnerability, there were reports of machines being compromised by the bug. By 25 September 2014, [[botnet]]s based on computers compromised with exploits based on the bug were being used by attackers for [[Denial-of-service attack#Distributed attack|distributed denial-of-service]] (DDoS) attacks and [[vulnerability scanner|vulnerability scanning]].<ref name="Wired" /><ref name="IT-20140926-JS" /><ref name="bbconShellshock">{{cite web |author=Various |title=Web attacks build on Shellshock bug |url=http://m.bbc.com/news/technology-29375636 |date=26 September 2014 |work=[[BBC]] |access-date=26 September 2014 }}</ref> [[Kaspersky Labs]] reported that machines compromised in an attack, dubbed "Thanks-Rob", were conducting DDoS attacks against three targets, which they did not identify.<ref name="Wired">{{cite journal|last1=Greenberg|first1=Andy|title=Hackers Are Already Using the Shellshock Bug to Launch Botnet Attacks|url=https://www.wired.com/2014/09/hackers-already-using-shellshock-bug-create-botnets-ddos-attacks/|journal=Wired|access-date=28 September 2014|date=25 September 2014}}</ref> On 26 September 2014, a Shellshock-related botnet dubbed "wopbot" was reported, which was being used for a DDoS attack against [[Akamai Technologies]] and to scan the [[United States Department of Defense]].<ref name="IT-20140926-JS">{{cite news |last=Saarinen |first=Juha |title=First Shellshock botnet attacks Akamai, US DoD networks |url=http://www.itnews.com.au/News/396197,first-shellshock-botnet-attacks-akamai-us-dod-networks.aspx |date=26 September 2014 |work=iTnews |access-date=26 September 2014 }}</ref>

On 26 September, the security firm [[Incapsula]] noted 17,400 attacks on more than 1,800 web domains, originating from 400 unique IP addresses, in the previous 24 hours; 55% of the attacks were coming from China and the United States.<ref name="NYT-20140926-NP">{{cite news |last=Perlroth |first=Nicole |title=Companies Rush to Fix Shellshock Software Bug as Hackers Launch Thousands of Attacks |url=http://bits.blogs.nytimes.com/2014/09/26/companies-rush-to-fix-shellshock-software-bug-as-hackers-launch-thousands-of-attacks/ |date=26 September 2014 |work=[[New York Times]] |access-date=29 September 2014 }}</ref> By 30 September, the website performance firm [[CloudFlare]] said it was tracking approximately 1.5 million attacks and probes per day related to the bug.<ref name="businessweek">{{cite web|last1=Strohm|first1=Chris|last2=Robertson|first2=Jordan|title=Shellshock Draws Hacker Attacks, Sparks Race to Patch Bug|url=http://www.businessweek.com/news/2014-09-30/shellshock-draws-hacker-attacks-sparks-race-to-patch-bug|publisher=Businessweek|access-date=1 October 2014|date=30 September 2014 }}</ref>

On 6 October, it was widely reported that [[Yahoo!]] servers had been compromised in an attack related to the Shellshock issue.<ref>{{cite news |last=Boren |first=Zachary |title=Shellshock: Romanian hackers are accessing Yahoo servers, claims security expert |url=https://www.independent.co.uk/life-style/gadgets-and-tech/news/shellshock-romanian-hackers-are-accessing-yahoo-servers-claims-security-expert-9777753.html |date=6 October 2014 |work=Independent |access-date=7 October 2014 }}</ref><ref>{{cite web | url=http://www.futuresouth.us/wordpress/?p=5 | title=Yahoo! Shellshocked Like Ninja Turtles! | access-date=7 October 2014 | url-status=dead | archive-url=https://web.archive.org/web/20141009075833/http://www.futuresouth.us/wordpress/?p=5 | archive-date=9 October 2014 | df=dmy-all }}</ref> Yet the next day, it was denied that it had been ''Shellshock'' that specifically had allowed these attacks.<ref>{{Cite web|url=http://www.golem.de/news/bash-luecke-yahoo-durch-shellshock-angegriffen-1410-109656.html|work=Golem - IT-News für Profis|access-date=30 October 2014|date=7 October 2014|author=Hanno Böck|title=Yahoo durch Shellshock angegriffen|language=de}}</ref>

==Specific exploitation vectors==
; CGI-based web server
: When a [[web server]] uses the [[Common Gateway Interface]] (CGI) to handle a document request, it copies certain information from the request into the environment variable list and then delegates the request to a handler program. If the handler is a Bash script, or if it executes one, for example using the [http://linux.die.net/man/3/system system(3)] call, Bash will receive the environment variables passed by the server and will process them as described above. This provides a means for an attacker to trigger the Shellshock vulnerability with a specially crafted document request.<ref name="TR-20140924" />
: Security documentation for the widely used [[Apache HTTP Server|Apache]] web server states: "CGI scripts can ... be extremely dangerous if they are not carefully checked,"<ref>{{cite web|url=http://httpd.apache.org/docs/2.2/misc/security_tips.html|title=Apache HTTP Server 2.2 Documentation: Security Tips|access-date=2 October 2014}}</ref> and other methods of handling web server requests are typically used instead. There are a number of online services which attempt to test the vulnerability against web servers exposed to the Internet.{{citation needed|date=September 2014}}
; OpenSSH server
: [[OpenSSH]] has a "ForceCommand" feature, where a fixed command is executed when the user logs in, instead of just running an unrestricted command shell. The fixed command is executed even if the user specified that another command should be run; in that case the original command is put into the environment variable "SSH_ORIGINAL_COMMAND". When the forced command is run in a Bash shell (if the user's shell is set to Bash), the Bash shell will parse the SSH_ORIGINAL_COMMAND environment variable on start-up, and run the commands embedded in it. In this way, a user with restricted shell access could use the Shellshock bug to gain unrestricted shell access.<ref name="qualys">{{cite web|url=https://blog.qualys.com/laws-of-vulnerabilities/2014/09/24/bash-shellshock-vulnerability|title=The Laws of Vulnerabilities|publisher=Qualys.com|author=Wolfgang Kandek|date=24 September 2014|access-date=26 September 2014|url-status=bot: unknown|archive-url=https://web.archive.org/web/20160503034655/https://blog.qualys.com/laws-of-vulnerabilities/2014/09/24/bash-shellshock-vulnerability|archive-date=3 May 2016}}</ref>
; DHCP clients
: Some [[Dynamic Host Configuration Protocol|DHCP]] clients can also pass commands to Bash; a vulnerable system could be attacked when connecting to an open Wi-Fi network. A DHCP client typically requests and gets an IP address from a DHCP server, but it can also be provided a series of additional options. A malicious DHCP server could provide, in one of these options, a string crafted to execute code on a vulnerable workstation or laptop.<ref name="mit-tech"/>
; Qmail server
: When using Bash to process email messages (e.g. through .forward or qmail-alias piping), the [[qmail]] mail server passes external input through in a way that can exploit a vulnerable version of Bash.<ref>[http://www.gossamer-threads.com/lists/qmail/users/138578 "qmail is a vector for CVE-2014-6271 (bash shellshock)"], 27 September 2014, Kyle George, qmail mailing list</ref><ref>[http://www.itnews.com.au/News/396256,further-flaws-render-shellshock-patch-ineffective.aspx "Further flaws render Shellshock patch ineffective"], 29 September 2014, Juha Saarinen, itnews.com.au</ref>
; IBM HMC restricted shell
: The bug can be exploited to gain access to Bash from the [[restricted shell]] of the [[IBM Hardware Management Console]],<ref>[https://www.ibm.com/developerworks/community/blogs/brian/resource/BLOGS_UPLOADED_IMAGES/shellshock.png "IBM HMC is a vector for CVE-2014-6271 (bash 'shellshock')"]</ref> a tiny Linux variant for system administrators. IBM released a patch to resolve this.<ref name="ibm-hmc">{{cite web |url=https://www-304.ibm.com/support/docview.wss?uid=ssg1S1004879 | title=Security Bulletin: Vulnerabilities in Bash affect DS8000 HMC (CVE-2014-6271, CVE-2014-7169, CVE-2014-7186, CVE-2014-7187, CVE-2014-6277, CVE-2014-6278) | publisher=IBM | date=3 October 2014 | access-date=2 November 2014}}</ref>
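
The following script is an added example illustrating the CGI-based web server vector listed above; it is not part of the article and not code from any web server project. It shows the rule by which CGI turns a request header into an environment variable (a header "User-Agent" becomes HTTP_USER_AGENT, per RFC 3875), and a detection check a log reviewer can apply to request header values: a value that begins with "() {" is what an unpatched Bash started by the handler would parse as an exported function definition. The sample headers are constructed, not captured traffic.

```shell
#!/bin/sh
# Added example (not from the article). CGI header-to-environment mapping and
# a detection check for request values shaped like a Bash function definition.

# Name of the environment variable CGI derives from a request header name:
# prefix HTTP_, upper-case, hyphens to underscores. (CGI special-cases
# Content-Type and Content-Length, which get no HTTP_ prefix; not modelled.)
cgi_env_name() {
    printf 'HTTP_%s\n' "$1" \
        | tr 'abcdefghijklmnopqrstuvwxyz-' 'ABCDEFGHIJKLMNOPQRSTUVWXYZ_'
}

# True (exit 0) when a value begins with "() {", the prefix an unpatched bash
# treated as an exported function definition; anything after the closing
# brace was executed on import. Leading whitespace is tolerated because the
# bash parser skips it as well.
looks_like_function_definition() {
    printf '%s\n' "$1" | grep -Eq '^[[:space:]]*\(\)[[:space:]]*\{'
}

# Constructed sample request headers, one per line (not real traffic).
SAMPLE_HEADERS='User-Agent: Mozilla/5.0 (X11; Linux x86_64)
User-Agent: () { :; }; echo probe
Referer: https://example.com/index.html
Cookie: () { ignored; }; echo probe
Accept: */*'

# Counts header values matching the pattern; prints 0 when none match.
count_suspicious_headers() {
    printf '%s\n' "$1" \
        | sed 's/^[^:]*:[[:space:]]*//' \
        | grep -Ec '^[[:space:]]*\(\)[[:space:]]*\{' || true
}

# Prints the environment variable each suspicious header would populate in
# the handler's environment, which ties a logged probe to the CGI vector.
suspicious_env_names() {
    printf '%s\n' "$1" | while IFS= read -r line; do
        name=${line%%:*}
        value=${line#*:}
        if looks_like_function_definition "$value"; then
            cgi_env_name "$name"
        fi
    done
}

printf 'suspicious headers: %s\n' "$(count_suspicious_headers "$SAMPLE_HEADERS")"
suspicious_env_names "$SAMPLE_HEADERS"
```

For the sample above the count is 2 and the affected variables are HTTP_USER_AGENT and HTTP_COOKIE; any header an attacker controls lands in the environment the same way, which is why the pattern check is applied to every header value rather than to User-Agent alone.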

==Reported vulnerabilities==
===Overview===
The maintainer of Bash was warned about the first discovery of the bug on 12 September 2014; a fix followed soon afterwards.<ref name="NYT-20140925-NP" /> A few companies and distributors were informed before the matter was publicly disclosed on 24 September 2014 with CVE identifier {{CVE|2014-6271}}.<ref name="seclist-q3-650" /><ref name="seclist-q3-666" /> However, after the release of the patch there were subsequent reports of different, yet related vulnerabilities.<ref name="wheeler-summary">{{cite web | url=http://www.dwheeler.com/essays/shellshock.html | title=Shellshock | date=13 February 2015 | access-date=17 September 2016}}</ref>

On 26 September 2014, two open-source contributors, David A. Wheeler and Norihiro Tanaka, noted that there were additional issues, even after patching systems using the most recently available patches. In an email addressed to the oss-sec and bash-bug mailing lists, Wheeler wrote: "This patch just continues the 'whack-a-mole' job of fixing parsing errors that began with the first patch. Bash's parser is certain [to] have many many many other vulnerabilities".<ref name="BASH Whack-a-mole">{{cite web |last=Gallagher |first=Sean |title=Still more vulnerabilities in bash? Shellshock becomes whack-a-mole |url=https://arstechnica.com/security/2014/09/still-more-vulnerabilities-in-bash-shellshock-becomes-whack-a-mole/|date=26 September 2014 |publisher=[[Arstechnica]] |access-date=26 September 2014}}</ref>

On 27 September 2014, [[Michał Zalewski]] from [[Google Inc.]] announced his discovery of other Bash vulnerabilities,<ref name="ITN-20140929">{{cite web |last=Saarinen |first=Juha |title=Further flaws render Shellshock patch ineffective |url=http://www.itnews.com.au/News/396256,further-flaws-render-shellshock-patch-ineffective.aspx |date=29 September 2014 |work=iTnews |access-date=29 September 2014 }}</ref> one based upon the fact that Bash is typically compiled without [[address space layout randomization]].<ref name="HH-20140928">{{cite web |author=Staff |title=Shellshock, Part 3: Three more security problems in Bash (in german) |url=http://www.heise.de/security/meldung/ShellShock-Teil-3-Noch-drei-Sicherheitsprobleme-bei-der-Bash-2404788.html |date=28 September 2014 |work=[[Heise Online]] |access-date=28 September 2014 }}</ref> On 1 October, Zalewski released details of the final bugs and confirmed that a patch by Florian Weimer from [[Red Hat]] posted on 25 September does indeed prevent them. He did this using a [[fuzzing]] technique with the aid of a software utility known as ''[[american fuzzy lop (fuzzer)|american fuzzy lop]]''.<ref name="lcamtuf-oct-1">{{cite web | url=http://lcamtuf.blogspot.com/2014/10/bash-bug-how-we-finally-cracked.html | title=Bash bug: the other two RCEs, or how we chipped away at the original fix (CVE-2014-6277 and '78) | work=lcamtuf blog | date=1 October 2014 | access-date=8 October 2014}}</ref>

===Initial report (CVE-2014-6271)===
This original form of the vulnerability ({{CVE|2014-6271}}) involves a specially crafted environment variable containing an exported function definition, followed by arbitrary commands. Bash incorrectly executes the trailing commands when it imports the function.<ref name="nvd6271">{{cite web|url=http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-6271|title=Vulnerability Summary for CVE-2014-6271|publisher=NIST|date=4 October 2014|access-date=8 October 2014}}</ref> The vulnerability can be tested with the following command:

<syntaxhighlight lang="bash">env x='() { :;}; echo vulnerable' bash -c "echo this is a test"</syntaxhighlight>

In systems affected by the vulnerability, the above command will display the word "vulnerable" as a result of Bash executing the command '''''"echo&nbsp;vulnerable"''''', which was embedded into the specially crafted environment variable named '''''"x"'''''.<ref name="zdnet-betterbash" /><ref>{{cite web|url=https://securityblog.redhat.com/2014/09/24/bash-specially-crafted-environment-variables-code-injection-attack/|title=Bash specially-crafted environment variables code injection attack|work=Red Hat Security|access-date=2 October 2014}}</ref>

===CVE-2014-6277===
Discovered by [[Michał Zalewski]],<ref name="ITN-20140929" /><ref name="HH-20140928" /><ref name="NIST-20140927">{{cite web |author=Staff |title=National Cyber Awareness System Vulnerability Summary for CVE-2014-6277 |url=https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-6277 |date=27 September 2014 |work=[[National Institute of Standards and Technology]] |access-date=28 September 2014 }}</ref> the vulnerability {{CVE|2014-6277}}, which relates to the parsing of function definitions in environment variables by Bash, can cause a [[Segmentation fault|segfault]].<ref name="PCW-20140929">{{cite web |last1=Constatin |first1=Lucian |title=Improved patch tackles new Shellshock Bash bug attack vectors |url=http://www.pcworld.com/article/2688932/improved-patch-tackles-new-shellshock-attack-vectors.html |date=29 September 2014 |website=[[PC World]] |access-date=1 October 2014 }}</ref>

===CVE-2014-6278===
Also discovered by [[Michał Zalewski]],<ref name="PCW-20140929" /><ref>{{cite web |author=Staff |title=National Cyber Awareness System Vulnerability Summary for CVE-2014-6278 |url=https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-6278 |date=30 September 2014 |work=[[National Institute of Standards and Technology]] |access-date=1 October 2014 }}</ref> this bug ({{CVE|2014-6278}}) relates to the parsing of function definitions in environment variables by Bash.

===CVE-2014-7169===
On the same day the original vulnerability was published, Tavis Ormandy discovered this related bug ({{CVE|2014-7169}}),<ref name="qualys" /> which is demonstrated in the following code:

<syntaxhighlight lang="bash">
env X='() { (a)=>\' bash -c "echo date"; cat echo
</syntaxhighlight>

On a vulnerable system, this would execute the command "date" unintentionally.<ref name="qualys" />

Here is an example of a system that has a patch for CVE-2014-6271 but not CVE-2014-7169:
<syntaxhighlight lang="console">
$ X='() { (a)=>\' bash -c "echo date"
bash: X: line 1: syntax error near unexpected token `='
bash: X: line 1: `'
bash: error importing function definition for `X'
$ cat echo
Fri Sep 26 01:37:16 UTC 2014
</syntaxhighlight>

The system displays syntax errors, notifying the user that CVE-2014-6271 has been prevented, but still writes a file named 'echo' into the working directory, containing the result of the 'date' call.

A system patched for both CVE-2014-6271 and CVE-2014-7169 will simply echo the word "date", and the file "echo" will ''not'' be created, as shown below:

<syntaxhighlight lang="console">
$ X='() { (a)=>\' bash -c "echo date"
date
$ cat echo
cat: echo: No such file or directory
</syntaxhighlight>

===CVE-2014-7186===
Florian Weimer and Todd Sabin found this bug ({{CVE|2014-7186}}),<ref name="zdnet-betterbash">{{cite web|last1=Vaughan-Nichols|first1=Steven|title=Shellshock: Better 'bash' patches now available|url=http://www.zdnet.com/shellshock-better-bash-patches-now-available-7000034115/|publisher=ZDNet|access-date=29 September 2014|date=27 September 2014 }}</ref><ref name="lcamtuf-oct-1" /> which relates to an [[buffer overflow|out-of-bounds memory access error]] in the Bash parser code.<ref>{{cite web |author=Staff |title=National Cyber Awareness System Vulnerability Summary for CVE-2014-7186 |url=https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-7186 |date=29 September 2014 |work=[[National Institute of Standards and Technology]] |access-date=1 October 2014 }}</ref>

An example of the vulnerability, which leverages the use of multiple "<<EOF" declarations (nested [[Here document|"here documents"]]):
<syntaxhighlight lang="bash">
bash -c 'true <<EOF <<EOF <<EOF <<EOF <<EOF <<EOF <<EOF <<EOF <<EOF <<EOF <<EOF <<EOF <<EOF <<EOF' ||
echo "CVE-2014-7186 vulnerable, redir_stack"
</syntaxhighlight>
A vulnerable system will echo the text "CVE-2014-7186 vulnerable, redir_stack".

===CVE-2014-7187===
Also found by Florian Weimer,<ref name="zdnet-betterbash" /> {{CVE|2014-7187}} is an [[off-by-one error]] in the Bash parser code, allowing out-of-bounds memory access.<ref>{{cite web |author=Staff |title=National Cyber Awareness System Vulnerability Summary for CVE-2014-7187 |url=https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-7187 |date=29 September 2014 |work=[[National Institute of Standards and Technology]] |access-date=1 October 2014 }}</ref>

An example of the vulnerability, which leverages the use of multiple "done" declarations:
<syntaxhighlight lang="bash">
(for x in {1..200} ; do echo "for x$x in ; do :"; done; for x in {1..200} ; do echo done ; done) | bash ||
echo "CVE-2014-7187 vulnerable, word_lineno"
</syntaxhighlight>

A vulnerable system will echo the text "CVE-2014-7187 vulnerable, word_lineno". This test requires a shell that supports [[brace expansion]].<ref>{{cite web|last1=Ramey|first1=Chet|title=Re: CVE-2014-7187|url=http://lists.gnu.org/archive/html/bug-bash/2014-10/msg00139.html|website=lists.gnu.org}}</ref>
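
The following script is an added example, not part of the article: it wraps the four test commands quoted in the CVE-2014-6271, CVE-2014-7169, CVE-2014-7186 and CVE-2014-7187 sections above as functions that each print "vulnerable" or "patched", so that an administrator can record a per-CVE result for a host. The CVE-2014-7169 test creates a file named "echo" in the working directory on a vulnerable system, so it is run inside a throw-away temporary directory, and the brace-expansion generator of the CVE-2014-7187 test is run under bash itself so the script can be started from any POSIX shell. It assumes a bash binary on PATH and prints "no-bash" otherwise; the function names are made up.

```shell
#!/bin/sh
# Added example (not from the article). Per-CVE self-check built from the
# test commands quoted in the sections above. Assumes bash is on PATH.

have_bash() { command -v bash >/dev/null 2>&1; }

# CVE-2014-6271: the trailing "echo vulnerable" runs only on an unpatched bash.
check_cve_2014_6271() {
    have_bash || { echo "no-bash"; return 0; }
    out=$(env x='() { :;}; echo vulnerable' bash -c "echo this is a test" 2>/dev/null)
    case "$out" in
        *vulnerable*) echo "vulnerable" ;;
        *)            echo "patched" ;;
    esac
}

# CVE-2014-7169: on an unpatched bash the crafted value leaves the parser in a
# redirection state, so "echo date" becomes "date" with output sent to a file
# named "echo"; the existence of that file is the signal. Run in a temporary
# directory so nothing is left behind in the caller's working directory.
check_cve_2014_7169() {
    have_bash || { echo "no-bash"; return 0; }
    tmp=$(mktemp -d) || return 1
    (cd "$tmp" && env X='() { (a)=>\' bash -c "echo date" >/dev/null 2>&1)
    if [ -e "$tmp/echo" ]; then echo "vulnerable"; else echo "patched"; fi
    rm -rf "$tmp"
}

# CVE-2014-7186: fourteen nested here-documents crash an unpatched bash, so a
# non-zero exit status marks a vulnerable build (a patched bash only warns
# about the unterminated here-documents and exits 0).
check_cve_2014_7186() {
    have_bash || { echo "no-bash"; return 0; }
    if bash -c 'true <<EOF <<EOF <<EOF <<EOF <<EOF <<EOF <<EOF <<EOF <<EOF <<EOF <<EOF <<EOF <<EOF <<EOF' >/dev/null 2>&1; then
        echo "patched"
    else
        echo "vulnerable"
    fi
}

# CVE-2014-7187: 200 nested "for ... done" loops; the generator uses brace
# expansion, which is bash-specific, so it runs under bash as well.
check_cve_2014_7187() {
    have_bash || { echo "no-bash"; return 0; }
    if bash -c '(for x in {1..200}; do echo "for x$x in ; do :"; done; for x in {1..200}; do echo done; done) | bash' >/dev/null 2>&1; then
        echo "patched"
    else
        echo "vulnerable"
    fi
}

# Prints one "CVE<TAB>status" line per check; returns 1 if any is vulnerable.
shellshock_selfcheck() {
    rc=0
    for cve in 6271 7169 7186 7187; do
        status=$("check_cve_2014_$cve")
        printf 'CVE-2014-%s\t%s\n' "$cve" "$status"
        [ "$status" = "vulnerable" ] && rc=1
    done
    return $rc
}

shellshock_selfcheck
```

The script does not cover CVE-2014-6277 and CVE-2014-6278, for which the article quotes no test command; on a Bash carrying bash43-027 or later all four lines read "patched" and the script exits 0, which makes it convenient to run from configuration management after a package update.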

== Patches ==
By 24 September 2014, Bash maintainer Chet Ramey had provided patch bash43-025 for Bash 4.3, addressing CVE-2014-6271,<ref>{{cite web |url=http://ftp.gnu.org/gnu/bash/bash-4.3-patches/bash43-025 |title=BASH PATCH REPORT |date=12 September 2014 |website=[[GNU.org]] |access-date=2 November 2014}}</ref> which was already packaged by distribution maintainers. On 24 September, bash43-026 followed, addressing CVE-2014-7169.<ref>{{cite web |url=http://ftp.gnu.org/gnu/bash/bash-4.3-patches/bash43-026 |title=BASH PATCH REPORT |date=25 September 2014 |website=[[GNU.org]] |access-date=2 November 2014}}</ref> Then CVE-2014-7186 was discovered. Florian Weimer from [[Red Hat]] posted some patch code for this "unofficially" on 25 September,<ref>{{cite web |url=http://www.openwall.com/lists/oss-security/2014/09/25/13 |title=Re: CVE-2014-6271: remote code execution through bash |last=Weimer |first=Florian |date=25 September 2014 |website=[[Openwall Project]] |access-date=2 November 2014}}</ref> which Ramey incorporated into Bash as bash43-027.<ref>{{cite web |url=http://ftp.gnu.org/gnu/bash/bash-4.3-patches/bash43-027 |title=BASH PATCH REPORT |date=25 September 2014 |website=[[GNU.org]] |access-date=2 November 2014}}</ref><ref>{{cite web | last=Gallagher | first=Sean | title=New "Shellshock" patch rushed out to resolve gaps in first fix [Updated] |date=26 September 2014 | access-date=2 November 2014|url=https://arstechnica.com/security/2014/09/new-shellshock-patch-rushed-out-to-resolve-gaps-in-first-fix/}}</ref> These patches provided ''code'' only, helpful only for those who know how to [[compile]] ("[[software build|rebuild]]") a new Bash [[binary executable]] file from the patch file and the remaining source code files.

The next day, Red Hat officially released corresponding updates for [[Red Hat Enterprise Linux]],<ref>{{cite web |url=https://rhn.redhat.com/errata/RHSA-2014-1306.html |title=Important: bash security update |date=30 September 2014 |publisher=Red Hat |access-date=2 November 2014}}</ref><ref name="rh-art">{{cite web |url=https://access.redhat.com/articles/1200223 |title=Bash Code Injection Vulnerability via Specially Crafted Environment Variables (CVE-2014-6271, CVE-2014-7169) |date=2 October 2014 |publisher=Red Hat |access-date=2 November 2014}}</ref> and a day later for [[Fedora (operating system)|Fedora 21]].<ref>{{cite web |url=https://lists.fedoraproject.org/pipermail/package-announce/2014-September/139129.html |title=[SECURITY] Fedora 21 Update: bash-4.3.25-2.fc21 |date=27 September 2014 |website=FedoraProject.org |access-date=2 November 2014}}</ref> [[Canonical Ltd.]] released updates for its [[Ubuntu (operating system)|Ubuntu]] ''Long Term Support'' versions on Saturday, 27 September;<ref>{{cite web |url=http://www.ubuntu.com/usn/usn-2364-1/ |title=USN-2364-1: Bash vulnerabilities |date=27 September 2014 |publisher=Canonical Ltd. |access-date=2 November 2014}}</ref> on Sunday, updates for [[SUSE Linux Enterprise]] followed.<ref>{{cite web |url=http://lists.opensuse.org/opensuse-security-announce/2014-09/msg00042.html |title=SUSE Security Update: Security update for bash |date=28 September 2014 |publisher=[[OpenSUSE]] |access-date=2 November 2014}}</ref> On the following Monday and Tuesday, at the end of the month, [[MacOS|Mac OS X]] updates appeared.<ref>{{cite web|url = http://www.macrumors.com/2014/09/29/apple-os-x-mavericks-bash-update/|title = Apple Releases OS X Bash Update to Fix 'Shellshock' Security Flaw in Mavericks, Mountain Lion, and Lion|first = Juli|last = Clover|work = MacRumors.com|date = 29 September 2014|access-date = 2 October 2014}}</ref><ref>{{cite web|url = http://www.macrumors.com/2014/09/30/os-x-yosemite-developer-preview-9/|title = Apple Releases OS X Yosemite Golden Master Candidate to Developers [Update: Also Public Beta]|first = Eric|last = Slivka|work = MacRumors.com|date = 30 September 2014|access-date = 2 October 2014}}</ref>

On 1 October 2014, [[Michał Zalewski]] from [[Google Inc.]] stated that Weimer's code and bash43-027 had fixed not only the first three bugs but also the remaining three that were published after bash43-027, including his own two discoveries.<ref name="lcamtuf-oct-1" /> This means that after the earlier distribution updates, no further updates were required to cover all six issues.<ref name="rh-art" />

All six have also been covered for the [[#Specific_exploitation_vectors|IBM ''Hardware Management Console'']].<ref name="ibm-hmc" />

==References==
{{reflist|30em}}

==External links==
{{Commons category|Shellshock (software bug)}}
{{Portal|Internet}}

* [[National Institute of Standards and Technology|NIST]] [http://nvd.nist.gov/home.cfm National Vulnerability Database] & [[Common Vulnerabilities and Exposures|CVE]] [http://cve.mitre.org Common Vulnerabilities and Exposures]
** CVE-2014-6271 - [https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-6271 20140924nist] & [https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-6271 20140909cve] (first bug)
** CVE-2014-6277 - [https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-6277 20140927nist] & [https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-6277 20140909cve]
** CVE-2014-6278 - [https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-6278 20140930nist] & [https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-6278 20140909cve]
** CVE-2014-7169 - [https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-7169 20140924nist] & [https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-7169 20140924cve] (second bug)
** CVE-2014-7186 - [https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-7186 20140929nist] & [https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-7186 20140925cve]
** CVE-2014-7187 - [https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-7187 20140929nist] & [https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-7187 20140925cve]
* [https://ftp.gnu.org/gnu/bash/ Bash source code] from the [[GNU Project]], includes patches for known vulnerabilities (28 September 2014)
* [https://www.fireeye.com/blog/threat-research/2014/09/shellshock-in-the-wild.html "Shellshock in the Wild", Malware droppers, Reverse shells & backdoors, Data exfiltration, and DDoS] at [[FireEye, Inc.]]
* [https://isc.sans.edu/diary/Shellshock%3A+A+Collection+of+Exploits+seen+in+the+wild/18725 Collection of attacks seen in the wild (29 September 2014)] at [[SANS Institute]]
* [http://www.oracle.com/technetwork/topics/security/alert-cve-2014-7169-2303276.html Security Alert for CVE-2014-7169] at [[Oracle Corporation|Oracle]]
* [http://kb.vmware.com/selfservice/microsites/search.do?language=en_US&cmd=displayKC&externalId=2090740 "VMware remediation of Bash Code Injection Vulnerability via Specially Crafted Environment Variables"] at [[VMware]]
* [https://www.cyberwatch.fr/en/vulnerabilities Cyberwatch Vulnerabilities Database]
** [https://www.cyberwatch.fr/en/vulnerabilities/CVE-2014-6271 CVE-2014-6271]
** [https://www.cyberwatch.fr/en/vulnerabilities/CVE-2014-6277 CVE-2014-6277]
** [https://www.cyberwatch.fr/en/vulnerabilities/CVE-2014-6278 CVE-2014-6278]
** [https://www.cyberwatch.fr/en/vulnerabilities/CVE-2014-7169 CVE-2014-7169]
** [https://www.cyberwatch.fr/en/vulnerabilities/CVE-2014-7186 CVE-2014-7186]
** [https://www.cyberwatch.fr/en/vulnerabilities/CVE-2014-7187 CVE-2014-7187]
* [https://www.yeahhub.com/shellshock-vulnerability-exploitation-metasploit-framework/ ShellShock Exploitation with Metasploit Framework]

{{Hacking in the 2010s}}

[[Category:2014 in computing]]
[[Category:Injection exploits]]
[[Category:Internet security]]
[[Category:Software bugs]]