RE: GNU Bash profile code execution vulnerability enquiry

2020-10-29 Thread Rachel Alderman
Thanks Chet and Greg for your swift replies. I'll park it as a 
non-vulnerability.

Regards
Rachel

Rachel Alderman
IBM Cloud Kubernetes Security Compliance 
IBM United Kingdom Limited,
Mailpoint 211, Hursley,
Winchester, SO21 2JN.
Email: rachel_alder...@uk.ibm.com

I work part-time and my working days are Wednesday, Thursday and Friday.

IBM United Kingdom Limited 
Registered in England and Wales with number 741598 
Registered office: PO Box 41, North Harbour, Portsmouth, Hants. PO6 3AU 



From:   Chet Ramey 
To: Rachel Alderman , bug-bash@gnu.org
Cc: chet.ra...@case.edu
Date:   28/10/2020 18:21
Subject: [EXTERNAL] Re: GNU Bash profile code execution vulnerability enquiry



On 10/28/20 1:11 PM, Rachel Alderman wrote:
> Hi Bash Maintainers,
> 
> I've been made aware of a GNU Bash profile code execution vulnerability 
> https://exchange.xforce.ibmcloud.com/vulnerabilities/173116 reported last 
> December (2019-12-16)
> Description: GNU Bash could allow a remote attacker to execute arbitrary 
> code on the system, caused by improper access control by the Bash profile. 
> By persuading a victim to open the Bash terminal, an attacker could 
> exploit this vulnerability to execute arbitrary code on the system. 

Hi, Rachel. Thanks for the report. This does not describe a bash
vulnerability. Executing a profile file at shell startup is a standard
shell feature. If an attacker has write access to a user's profile file,
they can modify it to include potentially malicious commands, but this does
not constitute a bash vulnerability.

Chet
-- 
``The lyf so short, the craft so long to lerne.'' - Chaucer
  ``Ars longa, vita brevis'' - Hippocrates
Chet Ramey, UTech, CWRU    c...@case.edu    http://tiswww.cwru.edu/~chet/







Re: GNU Bash profile code execution vulnerability enquiry

2020-10-28 Thread Chet Ramey
On 10/28/20 1:11 PM, Rachel Alderman wrote:
> Hi Bash Maintainers,
> 
> I've been made aware of a GNU Bash profile code execution vulnerability 
> https://exchange.xforce.ibmcloud.com/vulnerabilities/173116 reported last 
> December (2019-12-16)
> Description: GNU Bash could allow a remote attacker to execute arbitrary 
> code on the system, caused by improper access control by the Bash profile. 
> By persuading a victim to open the Bash terminal, an attacker could 
> exploit this vulnerability to execute arbitrary code on the system. 

Hi, Rachel. Thanks for the report. This does not describe a bash
vulnerability. Executing a profile file at shell startup is a standard
shell feature. If an attacker has write access to a user's profile file,
they can modify it to include potentially malicious commands, but this does
not constitute a bash vulnerability.

Chet
-- 
``The lyf so short, the craft so long to lerne.'' - Chaucer
 ``Ars longa, vita brevis'' - Hippocrates
Chet Ramey, UTech, CWRU    c...@case.edu    http://tiswww.cwru.edu/~chet/



Re: GNU Bash profile code execution vulnerability enquiry

2020-10-28 Thread Eli Schwartz
On 10/28/20 1:11 PM, Rachel Alderman wrote:
> Hi Bash Maintainers,
> 
> I've been made aware of a GNU Bash profile code execution vulnerability 
> https://exchange.xforce.ibmcloud.com/vulnerabilities/173116 reported last 
> December (2019-12-16)
> Description: GNU Bash could allow a remote attacker to execute arbitrary 
> code on the system, caused by improper access control by the Bash profile. 
> By persuading a victim to open the Bash terminal, an attacker could 
> exploit this vulnerability to execute arbitrary code on the system. 
> https://packetstormsecurity.com/files/155687
> CVSS Base Score: 8.8
> CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H)
> There is no CVE identifier associated with the vulnerability and I've been 
> unable to determine whether there is a remediation available. Is anyone 
> aware of this vulnerability and where it may be tracked in Gnu Bash?

I looked at your links. It seems this is a metasploit module of type
"payload".

Metasploit modules come in different types:
- exploit: use a vulnerability to break into a system
- payload: once the exploit is successful, inject shellcode into the
  system to do something malicious

This specific payload uses a benevolent feature of GNU bash, subverted
to evil purposes: the ability to run initialization commands when
opening the terminal. In this case, the initialization command is a
malware payload.

There is no code execution vulnerability here, bash is a program that
exists solely to perform code execution and you are supposed to treat
your bash profile as security-sensitive.

There is no way for an attacker to exploit this over the network. Bash
does not read a profile from the network, and the profile is not
accessible over the network. An attacker would need to first log in to
your system with full privileges in order to install the malware. The
malware would then run locally.

Of course, any malware might itself contain a service to communicate
over the network and receive updated attack instructions or open a
backdoor. But this does not mean Bash itself is vulnerable to network
attacks...

...

In short: The IBM X-Force Exchange entry is completely incorrect and
misunderstood the packetstorm link. The entry should be withdrawn entirely.

-- 
Eli Schwartz
Arch Linux Bug Wrangler and Trusted User
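
The point above, that the bash profile is security-sensitive and that write access to it is what matters, can be checked mechanically. The following is an added example and not part of the thread: a POSIX shell function that flags bash startup files in a home directory, and the directory itself, when they are group- or world-writable or not owned by the expected UID. The function names and the `LOOSE-DIR` / `LOOSE-FILE` output labels are made up for this example.

```shell
#!/bin/sh
# Added example: audit who can modify the files bash runs at startup.
# Anyone who can write these files, or replace them through a writable
# home directory, runs commands as that user on the next shell start.

# Per-user files bash reads at startup or logout (see bash(1), INVOCATION).
STARTUP_FILES=".bash_profile .bash_login .profile .bashrc .bash_logout"

# is_loose PATH UID
# Succeeds when PATH is group-writable, world-writable, or not owned by UID.
# -H makes find judge a symlink's target instead of the link itself.
is_loose() {
  [ -n "$(find -H "$1" -prune \
      \( -perm -020 -o -perm -002 -o ! -user "$2" \) -print 2>/dev/null)" ]
}

# audit_startup_files HOME_DIR [EXPECTED_UID]
# Prints one finding per line; returns 1 if anything was flagged, else 0.
audit_startup_files() {
  audit_home=$1
  audit_uid=${2:-$(id -u)}
  audit_rc=0

  # A writable home directory lets another account swap the files out,
  # whatever the permissions on the files themselves.
  if is_loose "$audit_home" "$audit_uid"; then
    echo "LOOSE-DIR $audit_home"
    audit_rc=1
  fi

  for audit_f in $STARTUP_FILES; do
    [ -e "$audit_home/$audit_f" ] || continue   # skip files that do not exist
    if is_loose "$audit_home/$audit_f" "$audit_uid"; then
      echo "LOOSE-FILE $audit_home/$audit_f"
      audit_rc=1
    fi
  done
  return "$audit_rc"
}
```

Call it as `audit_startup_files "$HOME"`; a non-zero return means at least one finding was printed. System-wide files such as `/etc/profile` are outside what this function checks.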





Re: GNU Bash profile code execution vulnerability enquiry

2020-10-28 Thread Greg Wooledge
On Wed, Oct 28, 2020 at 05:11:42PM +, Rachel Alderman wrote:
> I've been made aware of a GNU Bash profile code execution vulnerability 
> https://exchange.xforce.ibmcloud.com/vulnerabilities/173116 reported last 
> December (2019-12-16)

This URL doesn't work without Javascript, and with Javascript enabled,
it pops up a semi-translucent "please log in" window covering most of
the text.

The text that *is* visible appears to be only this:

> Description: GNU Bash could allow a remote attacker to execute arbitrary 
> code on the system, caused by improper access control by the Bash profile. 
> By persuading a victim to open the Bash terminal, an attacker could 
> exploit this vulnerability to execute arbitrary code on the system. 

That doesn't tell us much.

> https://packetstormsecurity.com/files/155687

That URL talks about writing something to the user's .bashrc so that
next time they open bash, something bad happens.  If you've got write
access to the user's .bashrc file then sure, you can screw them up
pretty badly.

> There is no CVE identifier associated with the vulnerability

... so it's not even recognized as a real vulnerability by world
experts?

> and I've been 
> unable to determine whether there is a remediation available. Is anyone 
> aware of this vulnerability and where it may be tracked in Gnu Bash?

"Remediation" for what, exactly?  I'm not seeing any description of
an actual exploit.  Not even a vague one.

Do you have any details on how this "exploit" is performed?