www.zeroshell.org
Linux Distribution for server and embedded devices

Bash Code Injection Vulnerability

 
jvn
Posted: Fri Sep 26, 2014 7:50 am    Post subject: Bash Code Injection Vulnerability

--- Edit ---
As gordonf answered me, ZeroShell is unreachable from the outside network and thus is not concerned by the Bash code injection.

--- End Edit ---

Dear Fulvio,

A new security issue was published yesterday; it impacts all Linux versions.
More details at https://securityblog.redhat.com/2014/09/24/bash-specially-crafted-environment-variables-code-injection-attack/

I checked my ZeroShell 3.0 installation with the following code:
Code:
env x='() { :;}; echo vulnerable' bash -c "echo this is a test"


ZeroShell is vulnerable... :(

Could you please publish an update for this?
The proposed patch is here: www.openwall.com/lists/oss-security/2014/09/25/10

Best regards,
Jean


Last edited by jvn on Mon Sep 29, 2014 1:16 pm; edited 1 time in total

gordonf
Posted: Fri Sep 26, 2014 1:02 pm    Post subject: How does someone exploit this on ZS?

I understand that only the Zeroshell administrator can introduce scripts to the default system, such as by editing the post-boot script. How does some random user that doesn't have access to the ZS console or admin pages exploit this vulnerability?

jvn
Posted: Fri Sep 26, 2014 2:28 pm

Hi,

I don't know if ZeroShell is concerned (I hope not).
But it can...

Did you look at this video from Symantec?
https://www.youtube.com/watch?v=ArEOVHQu9nk

They explain how to use it with CGI files if variables are used.

gordonf
Posted: Sat Sep 27, 2014 2:43 am    Post subject: Don't Panic

First off, I hate fearmongers. And Symantec makes its money by spreading fear. So let's get my strong bias out in the open.

Now let's see how a bash exploiter can exploit ZS:

* From the internet: The ZS UI by default restricts access to its web UI to private IP ranges. If you're foolish enough to override this default, there's the next problem:

* The admin credentials: To even see the UI CGI you need the admin password. If you have teenage kids behind your ZS router, you likely have a better password than 'password.' I hope.

* Malware on the inside network: That's assuming you administer ZS from an infected PC; if so, you have worse problems than malware exploiting your router. And I have a whole web series on preventing unwanted software, at least on Windows clients.

* Captive Portal or optional Squid Proxy: Isn't this built with hostile clients in mind? There are a handful of examples of blocking inbound SQL exploits that could apply to a Squid running on ZS that's caching outbound requests; block bash escape sequences like one would block SQL ones.

If you're a ZS admin who's really worried about this until Fulvio releases a fix, make sure the web UI is restricted to NICs and IP ranges you trust, and pick a strong admin password. If you use captive portal, add some URL filtering and you might even catch your own users exploiting outside hosts.

Above all, don't panic.
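
An added example, not part of gordonf's post or of ZeroShell: the filtering idea from the post above, written as a log check that reports requests whose logged fields carry the bash function-definition marker `() {` seen in the test command from the first post. It assumes Apache "combined" log format, a placeholder CGI path and constructed log lines, since the thread gives none of these.

```sh
#!/bin/sh
# Added example (not from the thread): report access-log lines whose quoted
# fields contain the bash function-definition marker "() {".
# Assumption: Apache "combined" log format; ZeroShell's own log layout and
# CGI paths are not given in the thread, so /cgi-bin/example.cgi is a placeholder.

# Constructed sample log lines, not real traffic.
sample_log() {
cat <<'EOF'
192.168.0.10 - - [26/Sep/2014:07:50:01 +0000] "GET /cgi-bin/example.cgi HTTP/1.1" 200 512 "-" "Mozilla/5.0 (X11; Linux)"
192.168.0.23 - - [26/Sep/2014:07:51:12 +0000] "GET /cgi-bin/example.cgi HTTP/1.1" 200 512 "-" "() { :;}; echo vulnerable"
192.168.0.15 - - [26/Sep/2014:07:52:40 +0000] "GET /search?q=main() HTTP/1.1" 200 128 "-" "Mozilla/5.0 (X11; Linux)"
192.168.0.31 - - [26/Sep/2014:07:53:05 +0000] "GET /cgi-bin/example.cgi HTTP/1.1" 200 512 "() { :;}; echo vulnerable" "Mozilla/5.0 (X11; Linux)"
EOF
}

# Reads a combined-format log on stdin; prints "<client-ip> <field>" per hit.
find_marker() {
    awk -F'"' '
    {
        # Splitting on the double quote puts the request line, Referer and
        # User-Agent in fields 2, 4 and 6.
        for (i = 2; i <= 6 && i <= NF; i += 2) {
            # "()" followed by optional blanks and "{"; bracket expressions
            # keep the regex portable across awk implementations.
            if ($i ~ /[(][)][ \t]*[{]/) {
                name = (i == 2) ? "request" : ((i == 4) ? "referer" : "user-agent")
                split($1, head, " ")      # head[1] is the client address
                print head[1], name
                next                      # one report per log line
            }
        }
    }'
}

sample_log | find_marker
```

A combined-format log records only the request line, Referer and User-Agent, so the marker arriving in any other header is not visible to this check.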

jvn
Posted: Mon Sep 29, 2014 1:00 pm

Hi gordonf,

Thank you for your detailed and clear answer.

I was too busy updating my other servers to think properly by myself...

So you're absolutely right: (my) ZeroShell is protected from outside and so is out of reach of malicious persons.

I'll edit my first message so that people don't think that ZeroShell is compromised by this security hole.

Next time, I hope I'll use my brain...

Best regards,
Jean

fulvio (Site Admin)
Posted: Wed Oct 01, 2014 3:30 am

Hi,
this Bash bug makes Zeroshell vulnerable, so you should urgently install release 3.2.0, which contains a patched version of Bash. Do not forget that the captive portal login page can also be exploited.

Regards
Fulvio

gordonf
Posted: Wed Oct 01, 2014 2:55 pm    Post subject: Can we panic now? (not really.)

What if you're not using captive portal though? Is the admin logon page vulnerable too?

I can see this being more of a problem for public hotspot hosts with lots of unknown clients, than at one's business or home network where the clients are known and managed.

I'm working on an OVA template for 3.2 now; all done. I note that this kernel has the vmxnet3 NIC driver as well (!)

fulvio (Site Admin)
Posted: Wed Oct 01, 2014 6:24 pm

Surely the admin page is vulnerable.
Regards
Fulvio

jvn
Posted: Thu Oct 02, 2014 11:12 am

Hi Fulvio,

Thanks for your update.

I think, as gordonf says, that this security issue impacts only (my) internal network (we don't use captive portal; only the admin website on the LAN is vulnerable).

But I updated our system to be sure :)
I took the opportunity to install the new version on the hard drive with the installation manager ;)

Best regards,
Jean

All times are GMT