Shellshock CVE-2014-6277 and CVE-2014-6278 Details Released

October 2, 2014

Yesterday, we released an article on Akamai’s security site detailing all of the CVE advisories now in circulation for Shellshock, and how they relate to Akamai’s mitigation strategies. At the time we published, details had not yet been released for two of the six advisories — CVE-2014-6277 and CVE-2014-6278.

Late yesterday, those details were finally released.

Here are the details as written on MITRE Corp.’s CVE site:

CVE-2014-6277: GNU Bash through 4.3 bash43-026 does not properly parse function definitions in the values of environment variables, which allows remote attackers to execute arbitrary code or cause a denial of service (uninitialized memory access, and untrusted-pointer read and write operations) via a crafted environment, as demonstrated by vectors involving the ForceCommand feature in OpenSSH sshd, the mod_cgi and mod_cgid modules in the Apache HTTP Server, scripts executed by unspecified DHCP clients, and other situations in which setting the environment occurs across a privilege boundary from Bash execution.

NOTE: this vulnerability exists because of an incomplete fix for CVE-2014-6271 and CVE-2014-7169.

CVE-2014-6278: GNU Bash through 4.3 bash43-026 does not properly parse function definitions in the values of environment variables, which allows remote attackers to execute arbitrary commands via a crafted environment, as demonstrated by vectors involving the ForceCommand feature in OpenSSH sshd, the mod_cgi and mod_cgid modules in the Apache HTTP Server, scripts executed by unspecified DHCP clients, and other situations in which setting the environment occurs across a privilege boundary from Bash execution.

NOTE: this vulnerability exists because of an incomplete fix for CVE-2014-6271, CVE-2014-7169, and CVE-2014-6277.

Security researcher Michal Zalewski, author of “The Tangled Web: A Guide to Securing Modern Web Applications,” wrote about the latest advisories in his blog. A fuzzer he set up “spewed out a crash” illustrated by this snippet of code:

HTTP_COOKIE='() { x() { _; }; x() { _; } <<a; }' bash -c :

That is part of the flaw outlined in -6277. Zalewski wrote:

The actual fault happens because of an attempt to copy here_doc_eof to a newly-allocated buffer using a C macro that expands to the following code:
strcpy(xmalloc(1 + strlen(redirect->here_doc_eof)), (redirect->here_doc_eof))

This appears to be exploitable in at least one way: if here_doc_eof is chosen by the attacker to point in the vicinity of the current stack pointer, the apparent contents of the string – and therefore its length – may change between stack-based calls to xmalloc() and strcpy() as a natural consequence of an attempt to pass parameters and create local variables. Such a mid-macro switch will result in an out-of-bounds write to the newly-allocated memory.

The fuzzer kept going and, a few hours later, isolated a test case that, after minimization, yielded the code outlined in -6278. Zalewski wrote:

A sequence of nested $… statements within a redirect appears to cause the parser to bail out without properly resetting its state, and puts it in the mood for executing whatever comes next. The test case works as-is with bash 4.2 and 4.3, but not with more ancient releases; this is probably related to changes introduced a few years ago in bash 4.2 patch level 12 (xparse_dolparen()), but I have not investigated if earlier versions are patently not vulnerable or simply require different syntax.

The CVE-2014-6278 payload allows straightforward “put-your-commands-here” remote code execution on systems that are protected only with the original patch – something that we were worried about for a while, and what prompted us to ask people to update again over the past few days.
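As an added check (example code, not from this post or from Zalewski's blog), the POSIX shell script below runs the -6277 test case quoted above in a child bash and reports whether bash crashed, and compares the local bash version against the "through 4.3 bash43-026" range named in the advisories. It assumes a `bash` binary is on PATH and uses no payload beyond the one already shown on this page.

```shell
#!/bin/sh
# Added example, not code from the post or from Zalewski's blog.
# Assumes a `bash` binary on PATH. Uses only the -6277 test case quoted above.

# Run the -6277 crash case in a child bash. The body (":") does nothing; only
# the parser's handling of the function definition in the environment matters.
# Returns 0 if bash exited normally, 1 if it was killed by a signal (unpatched).
check_cve_2014_6277() {
    HTTP_COOKIE='() { x() { _; }; x() { _; } <<a; }' bash -c : 2>/dev/null
    rc=$?
    if [ "$rc" -ge 128 ]; then
        echo "bash died with signal $((rc - 128)) on the -6277 test case: UNPATCHED"
        return 1
    fi
    echo "bash exited with status $rc on the -6277 test case: no crash"
    return 0
}

# Print the local bash version as major.minor.patch (e.g. 4.3.27).
local_bash_version() {
    bash -c 'printf "%s.%s.%s\n" "${BASH_VERSINFO[0]}" "${BASH_VERSINFO[1]}" "${BASH_VERSINFO[2]}"'
}

# Returns 0 if VERSION is outside the range the advisories name ("through 4.3
# bash43-026"), 1 if it falls inside it. For the 4.2 and older branches this
# string test is only a hint (those branches received their own patches), so
# rely on the runtime check above for them.
version_past_bash43_026() {
    major=${1%%.*}; rest=${1#*.}
    minor=${rest%%.*}; patch=${rest#*.}
    patch=${patch%%[!0-9]*}        # strip any "(1)-release" style suffix
    [ "$major" -gt 4 ] && return 0
    [ "$major" -eq 4 ] && [ "$minor" -gt 3 ] && return 0
    [ "$major" -eq 4 ] && [ "$minor" -eq 3 ] && [ "$patch" -gt 26 ] && return 0
    return 1
}

# Report both checks when run directly.
ver=$(local_bash_version)
echo "local bash version: $ver"
if version_past_bash43_026 "$ver"; then
    echo "version is past bash43-026"
else
    echo "version is within the advisory range (4.2 and older: trust the runtime check)"
fi
check_cve_2014_6277
```

A clean exit from the first check on a bash that is still within the version range is not proof of safety; the crash depends on uninitialized memory, so the patch level should be treated as the deciding signal for 4.3.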

Via: Shellshock CVE-2014-6277 and CVE-2014-6278 Details Released
