
Quick notes about the bash bug, its impact, and the fixes so far - robin_reala
http://lcamtuf.blogspot.com/2014/09/quick-notes-about-bash-bug-its-impact.html
======
pilif
This is a perfect example of why you should never, ever put special magical
values in-band with a facility which has a different purpose normally.

I know it's tempting and in many cases, it will save you a lot of work, but it
will eventually lead to data corruption, or, way worse, a problem like this
one here.

People in the office complain about my annoyed remarks when they succumb to
the dark side and use some special values. My question "but what if a real
value is ever sent that looks like one of these magic values?" is usually
countered with "but who's ever going to send this value?".

This bug here is providing me with a perfect answer to that question:
"Security researchers, or worse, bad guys".

There are so many ways of transferring functions to subshells that don't
involve magic values in a free-form key/value store, but all of them would
have been more complicated, so people chose the quick hack.

And now the sh*t has hit the fan :(

~~~
userbinator
_My question "but what if a real value is ever sent that looks like one of
these magic values?" is usually countered with "but who's ever going to send
this value?"_

Have experienced the same situation so many times with CSV... "Who's ever
going to have a doublequote in their name?" At least there is an escaping
facility in most formats.

I haven't seen any "how this was discovered" for the bash bug, but my bet is
that someone needed to store "() {" in an environment variable in a shell
script. It's not inconceivable - the first thing that comes to mind is a shell
script that generates shell script functions.

 _There are so many ways of transferring functions to subshells that don 't
involve magic values in a free-form key/value store, but all of them would
have been more complicated, so people chose the quick hack._

I'd say the problem is more that they chose to use the name of the function as
the name of the environment variable; this would not have been an issue if it
stuffed all the function definitions together in an environment variable with
a special name, like BASH_FUNCS. Shells already interpret environment
variables with special names in certain ways (e.g. PS1, PROMPT_COMMAND), up to
and including command execution, so this way would fit with that model far
better.

~~~
Floegipoky
I was just looking at
[http://stackoverflow.com/a/941390/2517719](http://stackoverflow.com/a/941390/2517719)
on monday, and I completely missed the implications.

------
tobinfricke
Reminds me of this:

"Nobody really knows what the Bourne shell's grammar is. Even examination of
the source code is little help." — Tom Duff

[http://citeseerx.ist.psu.edu/viewdoc/download?doi=10.1.1.41....](http://citeseerx.ist.psu.edu/viewdoc/download?doi=10.1.1.41.3287&rep=rep1&type=pdf)

Sounds like a time-bomb for exploitable unexpected behavior.

~~~
wereHamster
> Ree88. J. Reeds, ‘‘/bin/sh: the biggest UNIX security loophole,’’
> 11217-840302-04TM, AT&T Bell Laboratories (1988).

~~~
dfc
Do you have a copy of or link to that article? Or are you just pasting a
citation with a cute title? I have stumbled across that citation a couple of
times but I have never been able to find it.

------
ck2
Someone really needs to interview Stephane Chazelas and ask them how the heck
they found this flaw in the first place (after 15 years).

------
sp332
I thought the patch wasn't that effective? Is there a PoC that runs on a
patched system anymore?

Edit: found one
[https://news.ycombinator.com/item?id=8365216](https://news.ycombinator.com/item?id=8365216)

------
chomp
So has a new patch come out? I hacked up a temporary patch that fixes this
last night after the new PoC was released, but I'd rather have something from
upstream.

~~~
f-
There is an unofficial patch that takes a much more reasonable approach:

[http://www.openwall.com/lists/oss-
security/2014/09/25/13](http://www.openwall.com/lists/oss-
security/2014/09/25/13)

------
TeeWEE
So only servers actually executing bash with input from browser (cookies etc)
are affected (like CGI)?

~~~
manicdee
Plus any DHCP client that runs shell scripts using parameters from The Evil
DHCP Server, for example.

------
vpeters25
Could we fork bash to make this "feature" configurable?

~~~
vpeters25
Replying to myself just to point bash doesn't seem to be up to date in the
"official" repository at gnu.org. Are distros maintaining their own forks?

~~~
davexunit
Distros typically maintain a set of their own patches that go on top of the
officially released source.

