MCI Telecommunications internetMCI Security Group Report Name: iMCI MIIGS Security Alert Report Number: iMCISE:IMCICERT:111196:01:P1R1 Report Date: 11/11/96 Report Format: Formal Report Classification: MCI Informational Report Reference: http://www.security.mci.net Report Distribution: iMCI Security, MCI Internal Internet Gateway Security (MIIGS), MCI Emergency Alert LiSt (MEALS) (names on file) ---------------------------------------------------------------------------- --- -----BEGIN PGP SIGNED MESSAGE----- ============================================================================= CERT(sm) Advisory CA-96.22 Original issue date: October 8, 1996 Last revised: -- Topic: Vulnerabilities in bash - ------------------------------------------------------------------------------ The original technical content for this advisory was published by the IBM-ERS response team and is used here with their permission. This advisory describes two problems with the GNU Project's Bourne Again SHell (bash): one in yy_string_get() and one in yy_readline_get(). The vulnerability in yy_string_get() allows the character with value 255 decimal to be used as a command separator. When used in environments where users provide strings to be used as commands or arguments to commands, bash can be tricked into executing arbitrary commands. It is not clear whether the problem with yy_readline_get() results in an exploitable vulnerability, though you may want to address both problems for completeness. The problems affect bash versions 1.14.6 and earlier. The CERT/CC team recommends that you upgrade to bash 1.14.7 as soon as possible, as discussed in Section III.A below. Section III.B contains a patch for 1.14.7, which we recommend using to address the yy_readline_get() problem. We will update this advisory as we receive additional information. Please check advisory files regularly for updates that relate to your site. - ---------------------------------------------------------------------------- I. Description A. Introduction The GNU Project's Bourne Again SHell (bash) is a drop-in replacement for the UNIX Bourne shell (/bin/sh). It offers the same syntax as the standard shell, and it also includes additional functionality such as job control, command line editing, and history. Although bash can be compiled and installed on almost any UNIX platform, its most prevalent use is on "free" versions of UNIX such as Linux, where it has been installed as "/bin/sh" (the default shell for most uses). The bash source code is freely available from many sites on the Internet. B. Vulnerability Details 1. Vulnerability in yy_string_get() There is a variable declaration error in the "yy_string_get()" function in the "parse.y" module of the "bash" source code. This function is responsible for parsing the user-provided command line into separate tokens (commands, special characters, arguments, etc.). The error involves the variable "string", which has been declared to be of type "char *". The "string" variable is used to traverse the character string containing the command line to be parsed. As characters are retrieved from this pointer, they are stored in a variable of type "int". On systems/compilers where the "char" type defaults to "signed char" this value will be sign-extended when it is assigned to the "int" variable. For character code 255 decimal (-1 in two's complement form), this sign extension results in the value (-1) being assigned to the integer. However, (-1) is used in other parts of the parser to indicate the end of a command. Thus, the character code 255 decimal (377 octal) will serve as an unintended command separator for commands given to bash via the "-c" option. For example, bash -c 'ls\377who' (where "\377" represents the single character with value 255 decimal) will execute two commands, "ls" and "who". 2. Possible vulnerability in yy_readline_get() A similar problem exists with the "yy_readline_get()" function, which is also in the file "parse.y" and which is used to read commands in interactive shells (ones that print a prompt and read from the keyboard, a shell script, or a pipe). It is not clear that this problem produces any exploitable vulnerabilities in the bash program; however, you may wish to address the problem for the sake of completeness. II. Impact This unexpected command separator can be dangerous, especially on systems such as Linux where bash has been installed as "/bin/sh," when a program executes a command with a string provided by a user as an argument using the "system()" or "popen()" functions (or by calling "/bin/sh -c string" directly). This is especially true for the CGI programming interface in World Wide Web servers, many of which do not strip out characters with value 255 decimal. If a user sending data to the server can specify the character code 255 in a string that is passed to a shell, and that shell is bash, the user can execute any arbitrary command with the user-id and permissions of the user running the server (frequently "root"). The bash built-in commands "eval," "source," and "fc" are also potentially vulnerable to this problem. III. Solution A. Vulnerability in yy_string_get On 27 August 1996, Version 1.14.7 of bash was released. You can obtain this new version from: ftp://slc2.ins.cwru.edu/pub/dist/bash-1.14.7.tar.gz B. Vulnerability in yy_readline_get It is not clear that this problem produces any exploitable vulnerabilities in the "bash" program; however, you may wish to address the problem for the sake of completeness. This problem can be alleviated by applying the patch below to the bash source code, then recompiling the program, and installing the new version. The patch below is for Version 1.14.7 of bash. Source code for this version can be obtained from the site listed above. - ---------------------------------- cut here --------------------------------- *** parse.y.old Mon Aug 26 11:15:55 1996 - - - - --- parse.y Wed Aug 28 08:49:15 1996 *************** *** 801,807 **** #if defined (READLINE) char *current_readline_prompt = (char *)NULL; ! char *current_readline_line = (char *)NULL; int current_readline_line_index = 0; static int - - - - --- 801,807 ---- #if defined (READLINE) char *current_readline_prompt = (char *)NULL; ! unsigned char *current_readline_line = (unsigned char *)NULL; int current_readline_line_index = 0; static int - --------------------------------- cut here ---------------------------------- To apply this patch, save the text between the two "--- cut here ---" lines to a file, change directories to the bash source directory, and issue the command patch < filename If you do not have the patch program, you can obtain it from ftp://prep.ai.mit.edu/pub/gnu/patch-2.1.tar.gz or you can apply the patch by hand. After applying the patch, recompile and reinstall the bash program by following the directions in the "INSTALL" file, included as part of the bash distribution. - ---------------------------------------------------------------------------- The CERT Coordination Center thanks IBM-ERS for permission to reproduce the technical content in their IBM Emergency Response Service Security Vulnerability Alerts ERS-SVA-E01-1006:004.1 and ERS-SVA-E01-1006:004.2. These alerts are copyrighted 1996 International Business Machines Corporation. - ---------------------------------------------------------------------------- If you believe that your system has been compromised, contact the CERT Coordination Center or your representative in the Forum of Incident Response and Security Teams (see ftp://info.cert.org/pub/FIRST/first-contacts). CERT/CC Contact Information - --------------------------- Email cert@cert.org Phone +1 412-268-7090 (24-hour hotline) CERT personnel answer 8:30-5:00 p.m. EST(GMT-5) / EDT(GMT-4) and are on call for emergencies during other hours. Fax +1 412-268-6989 Postal address CERT Coordination Center Software Engineering Institute Carnegie Mellon University Pittsburgh PA 15213-3890 USA Using encryption We strongly urge you to encrypt sensitive information sent by email. We can support a shared DES key or PGP. Contact the CERT/CC for more information. Location of CERT PGP key ftp://info.cert.org/pub/CERT_PGP.key Getting security information CERT publications and other security information are available from http://www.cert.org/ ftp://info.cert.org/pub/ CERT advisories and bulletins are also posted on the USENET newsgroup comp.security.announce To be added to our mailing list for advisories and bulletins, send your email address to cert-advisory-request@cert.org - ----------------------------------------------------------------------------- Copyright 1996 Carnegie Mellon University This material may be reproduced and distributed without permission provided it is used for noncommercial purposes and the copyright statement is included. CERT is a service mark of Carnegie Mellon University. - ----------------------------------------------------------------------------- This file: ftp://info.cert.org/pub/cert_advisories/CA-96.22.bash_vuls http://www.cert.org click on "CERT Advisories" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Revision history -----BEGIN PGP SIGNATURE----- Version: 2.6.2 iQCVAwUBMlpe6nVP+x0t4w7BAQGXjQP7BkkMX06QR3nQEV2FV6Qo4p0bVSU88Kef a9kjcXhJyUM1gE0QnLNo8dbL5PAUvatlRDowZv71l+UTh0BZum8apq+dpOhe+WF+ ko95vQEqKbfSkY7FiTrOY/gKJZWMV31ddlwCldl68OKbuRqQg6hfgWSQX264jWb3 m+nIj5VkuK8= =Fodb -----END PGP SIGNATURE----- ===============================================================