Wednesday, October 1, 2014

And the bash goes on again: 4.3.28

bash 4.3.28 is now available, fixing CVE-2014-7186 and CVE-2014-7187, and this should repair all the known outstanding problems. Since everyone is linking to the original post, I have updated it with the new self-tests and instructions.

Monday, September 29, 2014

Sunday, September 28, 2014

Ars goes back to the future

Ars Technica subjected Andrew Cunningham to getting his work done on an 800MHz TiBook (in OS 9 and in 10.5). Admittedly, I, too, would find an 800MHz TiBook a bit trying, though I would not have installed Leopard on it. My slowest daily driver is the 1GHz iMac G4 and even that doesn't do much more than basic browsing. My 12" iBook G4/1.33 is about the slowest I'd like to be using for typical work. Fortunately, the quad still acquits itself very well!

Thursday, September 25, 2014

Bashing bash one more time: updated universal 4.3.26^W4.3.27^W4.3.28 covering all known bash flaws

UPDATE THE SECOND: It's a bug bash! Updated to 4.3.28 below with more fixes for two more internal vulnerabilities (CVE-2014-7186 and -7187). Hopefully this should be the last one for a while. Just install it over your old copy of 4.3.2x.

UPDATE: bash just keeps on giving. Updated to 4.3.27 below with more steps to repair this vulnerability. Just install it over your old copy of 4.3.26.

See the previous entry, but in short, bash has been shown to have a pretty nasty little vulnerability that causes it to inadvertently execute shell commands in the environment you pass it. This attack does work on Power Macs because most shell commands are cross-platform, and appears to exist on all versions of OS X.

The solution is easy: build a new bash from the newly patched source code. As a service to you, I have done so, and compiled it for PowerPC and Intel so it will also work for users on 10.6 who are not receiving updates either. See the updates above: the version posted earlier today had a preliminary version of the patch which does not fix a second variant of the vulnerability; this version does. If you used one of the "build from source" tricks that were circulating earlier today (MacRumors, etc.), your version does NOT have this second issue patched. Either wait for the public source trees to update and rebuild it (likely early tomorrow), or use this one.

The bash these steps will install works on 10.4 all the way to 10.9 on 32-bit Intel, 64-bit Intel and PowerPC. It requires no other dependencies. The idea is to replace your system bash -- yes, you can use Homebrew, Tigerbrew, MacPorts, etc., to get an updated copy, but your built-in bash is still vulnerable unless you replace it. This is designed to accomplish that. WARNING AGAIN: If you are not comfortable with the Terminal, get someone to help you!

  1. In a Terminal.app window, verify that you have a vulnerable system so that you can see what that looks like (the command is all one line):

    env x='() { :;}; echo vulnerable' bash -c "echo this is a test"

    It should print

    vulnerable
    this is a test

  2. Check the second vulnerability. This creates a file called echo with the date in it, if your system is vulnerable:

    env X='() { (a)=>\' sh -c "echo date"; cat echo

    It should print something like (the messages and of course the time will vary):

    bash: X: line 1: syntax error near unexpected token `='
    bash: X: line 1: `'
    bash: error importing function definition for `X'
    Thu Sep 25 22:12:49 PDT 2014

    (Delete the file it makes before you continue! rm echo)

  3. Check the third vulnerability.

    env foo='() { echo not patched; }' bash -c foo

    It should print

    not patched

  4. NEW: Check the fourth vulnerability.

    bash -c 'true <<EOF <<EOF <<EOF <<EOF <<EOF <<EOF <<EOF <<EOF <<EOF <<EOF <<EOF <<EOF <<EOF <<EOF' || echo "vulnerable"

    It should print (the exact number of lines may vary):

    bash: line 1: warning: here-document at line 1 delimited by end-of-file (wanted `EOF')
    bash: line 1: warning: here-document at line 1 delimited by end-of-file (wanted `EOF')
    bash: line 1: warning: here-document at line 1 delimited by end-of-file (wanted `EOF')
    bash: line 1: warning: here-document at line 1 delimited by end-of-file (wanted `EOF')
    bash: line 1: warning: here-document at line 1 delimited by end-of-file (wanted `EOF')
    bash: line 1: warning: here-document at line 1 delimited by end-of-file (wanted `EOF')
    bash: line 1: warning: here-document at line 1 delimited by end-of-file (wanted `EOF')
    bash: line 1: warning: here-document at line 1 delimited by end-of-file (wanted `EOF')
    bash: line 1: warning: here-document at line 1 delimited by end-of-file (wanted `EOF')
    bash: line 1: warning: here-document at line 1 delimited by end-of-file (wanted `EOF')
    Bus error
    vulnerable

  5. NEW: Check the fifth vulnerability.

    bash -c '( for x in {1..200} ; do echo "for x$x in ; do :" ; done ; for x in {1..200} ; do echo done ; done )' | bash || echo "vulnerable"

    It should print (the exact number may vary):

    bash: line 129: syntax error near `x129'
    bash: line 129: `for x129 in ; do :'
    vulnerable

  6. Download the patched bash 4.3.28 (this link has been updated from the earlier 4.3.26 and 4.3.27 builds). Put it in your home directory. If necessary, double-click to decompress it so that you have a file in your home directory called bash-4.3.28-10.4u.

  7. Close all terminal windows and programs just to make sure you won't stomp on bash while a program is trying to call it. Start Terminal and have exactly one window open.

  8. In that terminal window:

    • exec tcsh
    • chmod +x bash-4.3.28-10.4u

      If you replaced /bin/bash (and/or /bin/sh) with any earlier version of these patched bashes, DO NOT DO THE NEXT TWO COMMANDS. If you have never replaced them, go ahead; these will put the old ones in a safe place, just in case.

    • sudo mv /bin/bash /bin/bash_old (enter your password)
    • sudo mv /bin/sh /bin/sh_old (enter your password if needed)

      Everybody does these:

    • sudo cp bash-4.3.28-10.4u /bin/bash (enter your password if needed)
    • sudo cp bash-4.3.28-10.4u /bin/sh (enter your password if needed)

  9. Test that it stuck by trying the statements again:

    env x='() { :;}; echo vulnerable' bash -c "echo this is a test"

    It should print

    this is a test

    Now, try the second one:

    env X='() { (a)=>\' sh -c "echo date"; cat echo

    It should print

    date
    cat: echo: No such file or directory

    If this test appears to fail, make sure that you delete the file echo (rm echo) first, and test it again.

    Now, try the third one:

    env foo='() { echo not patched; }' bash -c foo

    It should print

    bash: foo: command not found

    Now, try the fourth one:

    bash -c 'true <<EOF <<EOF <<EOF <<EOF <<EOF <<EOF <<EOF <<EOF <<EOF <<EOF <<EOF <<EOF <<EOF <<EOF' || echo "vulnerable"

    It should print (there should be exactly 14 lines, one for each <<EOF):

    bash: line 1: warning: here-document at line 0 delimited by end-of-file (wanted `EOF')
    bash: line 1: warning: here-document at line 0 delimited by end-of-file (wanted `EOF')
    bash: line 1: warning: here-document at line 0 delimited by end-of-file (wanted `EOF')
    bash: line 1: warning: here-document at line 0 delimited by end-of-file (wanted `EOF')
    bash: line 1: warning: here-document at line 0 delimited by end-of-file (wanted `EOF')
    bash: line 1: warning: here-document at line 0 delimited by end-of-file (wanted `EOF')
    bash: line 1: warning: here-document at line 0 delimited by end-of-file (wanted `EOF')
    bash: line 1: warning: here-document at line 0 delimited by end-of-file (wanted `EOF')
    bash: line 1: warning: here-document at line 0 delimited by end-of-file (wanted `EOF')
    bash: line 1: warning: here-document at line 0 delimited by end-of-file (wanted `EOF')
    bash: line 1: warning: here-document at line 0 delimited by end-of-file (wanted `EOF')
    bash: line 1: warning: here-document at line 0 delimited by end-of-file (wanted `EOF')
    bash: line 1: warning: here-document at line 0 delimited by end-of-file (wanted `EOF')
    bash: line 1: warning: here-document at line 0 delimited by end-of-file (wanted `EOF')

    Now, try the fifth one:

    bash -c '( for x in {1..200} ; do echo "for x$x in ; do :" ; done ; for x in {1..200} ; do echo done ; done )' | bash || echo "vulnerable"

    Nothing will appear. However, if you want a positive test, do the following:

    bash -c '( for x in {1..200} ; do echo "for x$x in ; do :" ; done ; for x in {1..200} ; do echo done ; done )' | bash && echo "not vulnerable"

    It should print:

    not vulnerable

  10. Restart your Mac, as a paranoid precaution, to make sure everything is using the new copy of bash.

  11. Bask in the glow. Then, find a shell that doesn't suck.
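The five checks above, rolled into one script as an added example of my own (not code from the post, and not anything shipped with bash): it runs each probe against a bash of your choosing in a scratch directory, so the "echo" file from the second check never lands in your home directory, and returns the names of the probes that came back vulnerable instead of output you have to eyeball. The SHELLSHOCK_BASH variable, the probe names and the function names are mine; the commands are the ones from the steps above, with the second probe run through the bash under test rather than /bin/sh, and the third check labelled function-import because the post attaches no CVE to it.

```python
import os
import subprocess
import tempfile

# Assumption: which bash to probe; defaults to the first one on PATH.
BASH = os.environ.get("SHELLSHOCK_BASH", "bash")

# The fourth and fifth probes from the steps above, generated instead of typed out.
HEREDOC_PROBE = "true " + " ".join(["<<EOF"] * 14)
NESTED_LOOPS = ("\n".join(f"for x{i} in ; do :" for i in range(1, 201))
                + "\n" + "done\n" * 200)


def _run(args, extra_env=None, stdin=None, cwd=None):
    """Run one probe with a minimal environment plus the injected variable."""
    env = {"PATH": os.environ.get("PATH", "/usr/bin:/bin")}
    env.update(extra_env or {})
    try:
        return subprocess.run(args, env=env, input=stdin, cwd=cwd,
                              capture_output=True, text=True, timeout=60)
    except FileNotFoundError:
        return None


def probes(bash=BASH):
    """Map probe name -> True if that probe shows the bash is vulnerable.
    Returns None if the bash binary cannot be found."""
    out = {}
    with tempfile.TemporaryDirectory() as cwd:
        # 1. CVE-2014-6271: commands after the function body run on import.
        r = _run([bash, "-c", "echo this is a test"],
                 {"x": "() { :;}; echo vulnerable"}, cwd=cwd)
        if r is None:
            return None
        out["CVE-2014-6271"] = "vulnerable" in r.stdout
        # 2. CVE-2014-7169: leftover parser state makes "echo date" behave like
        #    "date > echo", so a file named echo appears in the scratch dir.
        _run([bash, "-c", "echo date"], {"X": "() { (a)=>\\"}, cwd=cwd)
        out["CVE-2014-7169"] = os.path.exists(os.path.join(cwd, "echo"))
        # 3. Functions are still imported from arbitrary variable names.
        r = _run([bash, "-c", "foo"], {"foo": "() { echo not patched; }"}, cwd=cwd)
        out["function-import"] = "not patched" in r.stdout
        # 4. CVE-2014-7186: 14 stacked here-documents; a crash is a non-zero status.
        r = _run([bash, "-c", HEREDOC_PROBE], cwd=cwd)
        out["CVE-2014-7186"] = r.returncode != 0
        # 5. CVE-2014-7187: 200 nested for loops fed on stdin; same criterion.
        r = _run([bash], stdin=NESTED_LOOPS, cwd=cwd)
        out["CVE-2014-7187"] = r.returncode != 0
    return out


def vulnerable(bash=BASH):
    """Sorted names of the probes that flag this bash, or None if there is no bash."""
    res = probes(bash)
    return None if res is None else sorted(k for k, v in res.items() if v)


if __name__ == "__main__":
    res = probes()
    if res is None:
        print("no bash found at", BASH)
    else:
        for name, bad in res.items():
            print(f"{name:16} {'VULNERABLE' if bad else 'ok'}")
```

Run it as SHELLSHOCK_BASH=/bin/bash_old python3 shellshock_probe.py to see what the original binary looks like, and again without the variable after the replacement; an empty list from vulnerable() is the result you want.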

Bashing bash: updated universal OS X bash available as a public service

UPDATE THE SECOND: People are unclear about what I mean by "incomplete." I mean, the existing patch for bash is not complete. Even for the list of commands floating around to build from source (seen on MacRumors and other sites, which requires Xcode), you won't be protected from the second variant of the attack. You'll have to wait for that final patch. Your call whether to continue with the below. Updated to fix /bin/sh as well.

UPDATE: Looks like the fix is incomplete; someone found a way around it. I'll post an update with the newer version when they decide on it, but you can fix the immediate bug now with the steps below.

I hate bash. I prefer tcsh. But Apple made it the default, and now bash has been shown to have a pretty nasty little vulnerability that causes it to inadvertently execute shell commands in the environment you pass it. This attack does work on Power Macs because most shell commands are cross-platform, and there will be no update for us. The vulnerability appears to exist on all versions of OS X.

I thought for a while about how much of an attack surface we're exposing. Servers that might run shell scripts as CGIs would be very high risk, but if you're actually using a 10.4 or 10.5 machine as an externally facing web server you really need your head examined. Similarly, there's the possibility of privileged setuid scripts on a multiuser system getting owned, which again would be primarily an issue for servers.

The risk is less clear on single user workstations, the situation in which I imagine most Power Macs exist, which either run bash purely as a login shell or certain programs may call out to it to accomplish certain system tasks. Realistically, I don't see a large attack surface here, but clever little sneaks might find a way and besides, the solution is easy: build a new bash from the newly patched source code. As a service to you, I have done so, and compiled it for PowerPC and Intel so it will also work for users on 10.6 who are not receiving updates either.

The bash these steps will install works on 10.4 all the way to 10.9 on 32-bit Intel, 64-bit Intel and PowerPC. It requires no other dependencies. The idea is to replace your system bash -- yes, you can use Homebrew, Tigerbrew, MacPorts, etc., to get an updated bash, but your built-in bash is still vulnerable unless you replace it. This is designed to accomplish that.

WARNING: The following steps assume you know how to use Terminal.app and some basic Unix commands. If you don't, get help.

  1. In a Terminal.app window, verify that you have a vulnerable system so that you can see what that looks like (the command is all one line):

    env x='() { :;}; echo vulnerable' bash -c "echo this is a test"

    It should print

    vulnerable
    this is a test

  2. (This build has been superseded by the 4.3.28 build in the entry above.) Download the patched bash 4.3.25. Put it in your home directory. If necessary, double-click to decompress it so that you have a file in your home directory called bash-4.3.25-10.4u.

  3. Close all terminal windows and programs just to make sure you won't stomp on bash while a program is trying to call it. Start Terminal and have exactly one window open.

  4. In that terminal window:

    • exec tcsh
    • chmod +x bash-4.3.25-10.4u
    • sudo mv /bin/bash /bin/bash_old (enter your password)
    • sudo cp bash-4.3.25-10.4u /bin/bash (enter your password if needed)
    • sudo mv /bin/sh /bin/sh_old (enter your password if needed)
    • sudo cp bash-4.3.25-10.4u /bin/sh (enter your password if needed)

  5. Test that it stuck by trying the statement again:

    env x='() { :;}; echo vulnerable' bash -c "echo this is a test"

    It should print

    bash: warning: x: ignoring function definition attempt
    bash: error importing function definition for `x'
    this is a test

  6. Restart your Mac, as a paranoid precaution, to make sure everything is using the new copy of bash.

  7. Bask in the glow. Then, find a shell that doesn't suck.

Wednesday, September 24, 2014

What the security issue was all about

Mozilla has released 32.0.3 and the official advisory, so now we can talk about it. What got fixed in 31.1.1 is a flaw in verifying the RSA signatures on certificates, most importantly those used to confirm the identity of secure sites. The proof of concept exploited this bug to make Firefox accept a forged certificate, which enables information stealing and man-in-the-middle attacks. The forgery is an interesting variant of a well-understood older attack on RSA PKCS#1 v1.5 signature checking described by the cryptographer Daniel Bleichenbacher in 2006: if the verifier is sloppy about checking the padding around the hash, a signature for a key with a small public exponent can be forged with nothing but the public key and an integer root. (This is not the same as Bleichenbacher's earlier and more colourfully named "million message attack," which is an adaptive chosen-ciphertext attack on RSA encryption rather than a signature forgery.) Through a combination of flaws, a clever attacker could synthesize a completely bogus "valid" certificate in a relatively small amount of computing time and use it to impersonate victim servers to steal credentials and data.

The general type of flaw suggests other crypto libraries may be vulnerable to this specific problem or a related form of it. That said, this problem has existed in Mozilla code since at least 2006; earlier versions don't use the same ASN.1 parsing code, but almost certainly have other problems related to certificate verification. You are strongly advised to update, because the relative ease with which a certificate can be forged will put you at much greater risk in the near future if you don't (24.7.0 is vulnerable, as is every prior version of TenFourFox).
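To make the forgery concrete, here is an added example of my own, not Mozilla's code and not the NSS bug itself, but the classic low-exponent attack it is a variant of: a PKCS#1 v1.5 verifier written the lax way (it walks the padding, matches the DigestInfo and hash, and ignores whatever follows) beside a strict one that recomputes the whole encoded block and compares every byte. With a public exponent of 3 the lax verifier accepts a "signature" that is nothing more than a cube root, computed from the public key alone. The key generation, the test message and all function names are mine; the SHA-256 DigestInfo prefix is the standard one from RFC 8017.

```python
import hashlib
import hmac
import random

_rng = random.Random(20140924)   # fixed seed: the demo key is reproducible, not secret
E = 3                            # the small public exponent the forgery relies on
MODULUS_BITS = 2048
SHA256_PREFIX = bytes.fromhex("3031300d060960864801650304020105000420")  # RFC 8017 DigestInfo
_SMALL_PRIMES = [p for p in range(3, 1000, 2)
                 if all(p % q for q in range(3, int(p ** 0.5) + 1, 2))]


def is_probable_prime(n, rounds=16):
    """Trial division followed by Miller-Rabin; adequate for a demo key."""
    if n < 2:
        return False
    for p in _SMALL_PRIMES:
        if n % p == 0:
            return n == p
    d, r = n - 1, 0
    while d % 2 == 0:
        d, r = d // 2, r + 1
    for _ in range(rounds):
        x = pow(_rng.randrange(2, n - 1), d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True


def gen_prime(bits):
    """Prime of exactly `bits` bits with p = 2 mod 3, so e = 3 is invertible mod p-1."""
    while True:
        cand = _rng.getrandbits(bits) | (1 << (bits - 1)) | 1
        if cand % 3 == 2 and is_probable_prime(cand):
            return cand


def gen_key(bits=MODULUS_BITS):
    """Return (n, d) for a demo RSA key with public exponent E."""
    p, q = gen_prime(bits // 2), gen_prime(bits // 2)
    return p * q, pow(E, -1, (p - 1) * (q - 1))


def _digest_info(msg):
    return SHA256_PREFIX + hashlib.sha256(msg).digest()


def _modlen(n):
    return (n.bit_length() + 7) // 8


def emsa_pkcs1_v15(msg, k):
    """Correct encoding: 00 01 FF..FF 00 DigestInfo, exactly k bytes."""
    t = _digest_info(msg)
    return b"\x00\x01" + b"\xff" * (k - len(t) - 3) + b"\x00" + t


def sign(msg, n, d):
    return pow(int.from_bytes(emsa_pkcs1_v15(msg, _modlen(n)), "big"), d, n)


def verify_strict(msg, sig, n):
    """Recompute the full block and compare all k bytes: no room for garbage."""
    k = _modlen(n)
    return hmac.compare_digest(pow(sig, E, n).to_bytes(k, "big"), emsa_pkcs1_v15(msg, k))


def verify_lax(msg, sig, n):
    """The flawed shape: parse the padding, match DigestInfo||hash, never look further."""
    k = _modlen(n)
    em = pow(sig, E, n).to_bytes(k, "big")
    if em[:2] != b"\x00\x01":
        return False
    i = 2
    while i < k and em[i] == 0xff:
        i += 1
    if i >= k or em[i] != 0x00:
        return False
    t = _digest_info(msg)
    return em[i + 1:i + 1 + len(t)] == t    # bytes after the hash are unchecked: the bug


def icbrt(x):
    """Floor of the integer cube root (Newton's method from an overestimate)."""
    if x < 2:
        return x
    r = 1 << ((x.bit_length() + 2) // 3)
    while True:
        nr = (2 * r + x // (r * r)) // 3
        if nr >= r:
            break
        r = nr
    while r ** 3 > x:
        r -= 1
    while (r + 1) ** 3 <= x:
        r += 1
    return r


def forge(msg, n, fill=8):
    """Bleichenbacher's 2006 forgery for e = 3: fix the prefix the lax verifier reads,
    zero-fill the rest, take the ceiling cube root. No private key is involved."""
    k = _modlen(n)
    prefix = b"\x00\x01" + b"\xff" * fill + b"\x00" + _digest_info(msg)
    target = int.from_bytes(prefix + b"\x00" * (k - len(prefix)), "big")
    s = icbrt(target)
    if s ** 3 < target:
        s += 1
    # s**3 keeps our prefix because the rounding error (< 3*s**2 + 3*s + 1, about 2^1357
    # for a 2048-bit n) fits inside the 194 zero bytes, and s**3 < 2^2034 < n means
    # no modular reduction ever happens.
    return s
```

Shrinking the key makes the forgery fail for a 1024-bit modulus with SHA-256, because the garbage area is then too small to absorb the rounding error; that, and a verifier which insists the hash be the last thing in the block, is the whole margin between "valid" and forged here.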

31.1.1 available

Downloads of 31.1.1 are available -- release notes are pending Firefox's release since the security information is embargoed. Please try them on your system. They will become live as soon as Mozilla does so for mainline Firefox and ESR. I'll have more information for you then.