cygwin bash and Shellshock / CVE-2014-6271 & CVE-2014-7169

Eric Blake eblake@redhat.com
Fri Sep 26 20:52:00 GMT 2014


On 09/26/2014 01:33 PM, Richard DeFuria wrote:
> Hello,
> 
> I downloaded the latest setup and installed the latest packages on my Win8.1
> x64 box.
> 
> It seems as though my cygwin bash shell has been patched against
> CVE-2014-6271 as per:
> 	$ env x='() { :;}; echo vulnerable' bash -c "echo this is a test"
> 	bash: warning: x: ignoring function definition attempt
> 	bash: error importing function definition for `x'
> 	this is a test
> 
> However, it is still susceptible to CVE-2014-7169 as per:
> 	$ env X='() { (a)=>\' sh -c "echo date"; cat echo
> 	sh: X: line 1: syntax error near unexpected token `='
> 	sh: X: line 1: `'
> 	sh: error importing function definition for `X'
> 	Fri, Sep 26, 2014  3:23:15 PM
> 
> That is, the 'original' Shellshock vulnerability is fixed, but not the 'new'
> Shellshock vulnerability.
> 
> Is this correct?

Correct.  Patience please; I'm still in the middle of testing my
4.1.13-6 build, but it WILL be out today, as I already promised:
https://cygwin.com/ml/cygwin/2014-09/msg00400.html

Furthermore, while there are already known exploits in the wild for
CVE-2014-6271, we have not yet seen as much effort to exploit
CVE-2014-7169, CVE-2014-7186, and CVE-2014-7187; meanwhile, these latter
three are a lot less damaging than the first in terms of severity.
Please read
https://securityblog.redhat.com/2014/09/26/frequently-asked-questions-about-the-shellshock-bash-flaws/;
my delay in patching Cygwin is for the same reason Red Hat delayed in
the second half of patching their products - I want to make sure that
the fixed version on bash will be immune to ALL parser bugs (whereas the
upstream patch 4.1.13 only patched CVE-2014-7169, my build will solve
all three CVEs).  If upstream later releases 4.1.14, you can be assured
that I will once again rebuild bash with that fix.

By the way, I have NOT yet seen anyone trying to exploit CVE-2014-7186;
but you can do a fairly easy denial of service, or feasibly cause a
heap-smashing attack for arbitrary code execution, merely by nesting
enough heredocs into a single function definition, on a version of bash
that uses only the upstream patches (the flaw that upstream has is that
it even parses normal environment variables as functions in the first
place); the fix that I'm applying, as a copy from Red Hat, moves
functions into a different namespace so that normal environment
variables CANNOT be parsed as functions, and thus bugs in the parser
(which may still well exist, as evidenced by CVE-2014-7186) at least
won't be exploitable by remote attackers.

-- 
Eric Blake   eblake redhat com    +1-919-301-3266
Libvirt virtualization library http://libvirt.org
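The two probes quoted in the question, plus a check for the namespace property Eric describes (a fixed bash only recognises exported functions under a reserved BASH_FUNC_ prefix, so a plain variable such as x can never be parsed as a function), wrapped into a small defender-side script. This is an added example, not code from the mailing-list post or from the Cygwin bash package; it assumes a bash binary on PATH, runs the CVE-2014-7169 probe in a scratch directory so the "echo" file it would create is never left behind, and uses bash where the quoted probe used sh (on Cygwin they are the same binary). The function names are the example's own.

```shell
#!/bin/sh
# Added example (not from the original post). Assumes `bash` is on PATH.

# CVE-2014-6271: does bash run the trailing command when it imports a
# function definition from a plain environment variable?
# Prints "vulnerable" or "patched".
check_cve_2014_6271() {
    out=$(env x='() { :;}; echo vulnerable' bash -c "echo this is a test" 2>/dev/null || :)
    case "$out" in
        *vulnerable*) echo vulnerable ;;
        *)            echo patched ;;
    esac
}

# CVE-2014-7169: with only the first fix applied, the crafted definition
# leaves the parser holding a dangling redirection, so the next command's
# output lands in a file named "echo" in the current directory.  Run it in
# a scratch directory and look for that file.  Prints "vulnerable" or "patched".
check_cve_2014_7169() {
    dir=$(mktemp -d) || return 1
    ( cd "$dir" && env X='() { (a)=>\' bash -c "echo date" >/dev/null 2>&1 ) || :
    if [ -e "$dir/echo" ]; then result=vulnerable; else result=patched; fi
    rm -rf "$dir"
    echo "$result"
}

# Namespace check: export a function from bash and inspect the resulting
# environment.  A fixed bash publishes it under a reserved prefix
# (BASH_FUNC_name() in the Red Hat patch, BASH_FUNC_name%% in later upstream
# releases) instead of under the bare function name.
# Prints "namespaced" or "plain".
check_function_namespace() {
    names=$(bash -c 'probe_fn() { :; }; export -f probe_fn; env' 2>/dev/null \
            | grep '^BASH_FUNC_probe_fn' || :)
    if [ -n "$names" ]; then echo namespaced; else echo plain; fi
}

# Usage: print all three results on one line.
shellshock_report() {
    printf '6271=%s 7169=%s functions=%s\n' \
        "$(check_cve_2014_6271)" "$(check_cve_2014_7169)" "$(check_function_namespace)"
}
```

A bash carrying only the first upstream patch reports 6271=patched but 7169=vulnerable and functions=plain, which is exactly the state the question describes; a build with the namespaced-function fix reports patched for both and functions=namespaced, and that last result is the one worth checking on a fleet, since it shows the parser is no longer reachable from arbitrary environment variables at all.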
