Shell Command Injection with the hostname

Bug #1507025 reported by Bernd Dietzel
This bug affects 2 people
Affects: bash (Ubuntu)
Status: Fix Released
Importance: Undecided
Assigned to: Unassigned
Milestone: (none)

Bug Description

If the HOSTNAME of the PC contains a shell command,
the command will run every time you start a terminal, tty or xterm.

The command will also be executed every time you type in some command.
If you, for example, change the directory, it will run again.

Exploit Demo :

1) edit "/etc/hosts" to this :

127.0.0.1 localhost
127.0.1.1 `ls>bug`

2) edit "/etc/hostname" to this :

`ls>bug`

3) reboot

4) start a terminal

5) Now a file with the name "bug" will be in your home folder!

6) Change the directory to Downloads with "cd Downloads/"

7) Now a file with the name "bug" is in your Downloads !

8) Remove the file with "rm bug"

9) The file "bug" is still there !

Have a look at the screenshot I have attached.

Solution:
The hostname should be checked if there are shell commands inside !!

By the way :
The hostname is not always in the hands of the root.
Some people rent "vservers" and the hostname is in the hands of the isp.

ProblemType: Bug
DistroRelease: Ubuntu 15.10
Package: bash 4.3-14ubuntu1
ProcVersionSignature: Ubuntu 4.2.0-15.18-generic 4.2.3
Uname: Linux 4.2.0-15-generic x86_64
ApportVersion: 2.19.1-0ubuntu2
Architecture: amd64
CurrentDesktop: Unity
Date: Fri Oct 16 22:31:46 2015
InstallationDate: Installed on 2015-10-09 (6 days ago)
InstallationMedia: Ubuntu 15.10 "Wily Werewolf" - Alpha amd64 (20151009)
SourcePackage: bash
UpgradeStatus: No upgrade log present (probably fresh install)

Bernd Dietzel (l-ubuntuone1104) wrote :
information type: Private Security → Public Security
Seth Arnold (seth-arnold) wrote :

I can't imagine the effort involved in hardening all applications to treat the hostname as untrusted input.

ISPs that sell vservers are really no different from Intel or AMD or whoever makes your CPU -- you trust them completely and totally with your data, your executables, and your entire operating environment. They can inject anything they wish into your system's memory whenever they wish.

Making sure the dhcp clients don't allow setting these kinds of hostnames however, that might be a good idea. Enforcing the usual dns guidelines of a-zA-Z0-9-_ might be worthwhile..

Thanks

Bernd Dietzel (l-ubuntuone1104) wrote :

I agree,
I think the hostname should be in the hands of the kernel only.
It should not be overwritten by /etc/hostname.sh.

Bernd Dietzel (l-ubuntuone1104) wrote :

typo ... the path is
/etc/init.d/hostname.sh

Bernd Dietzel (l-ubuntuone1104) wrote :

Patch :

HOSTNAME=${HOSTNAME//[^A-Za-z0-9-_]/_}

Bernd Dietzel (l-ubuntuone1104) wrote :

That's better ... (the "-" was wrong in my previous posting)

HOSTNAME="${HOSTNAME//[^A-Za-z0-9_\-]/x}"

I attached a modified hostname.sh which uses bash.

It can be started manually with

sudo /etc/init.d/hostname.sh start

The command should somehow run at startup ... but does not by default ?

Bernd Dietzel (l-ubuntuone1104) wrote :

Workaround ...
To make my modified "hostname.sh" script run at startup, I changed the file /etc/rc.local

#!/bin/sh -e
#
# rc.local
#
# This script is executed at the end of each multiuser runlevel.
# Make sure that the script will "exit 0" on success or any other
# value on error.
#
# In order to enable or disable this script just change the execution
# bits.
#
# By default this script does nothing.

/etc/init.d/hostname.sh start

exit 0

Bernd Dietzel (l-ubuntuone1104) wrote :

#! /bin/sh
# run this as root early in the boot order. No other script like hostname.sh should run later
# in a sed bracket expression a backslash is literal, so "-" goes last and "." needs no escape
HOSTNAME="$(hostname | sed 's/[^A-Za-z0-9_.-]/x/g')"
hostname "$HOSTNAME"
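
An added example, not part of the original thread or of any Ubuntu package: instead of rewriting the name as the scripts above do, this check rejects a host name that falls outside the allow-list proposed in the thread (A-Za-z0-9, "_", "-", plus "."), and it goes one step further by applying the usual DNS limits on label length and hyphen placement. The function names are hypothetical and the sample inputs are constructed.

```shell
#!/bin/sh
# Added example (not from the bug report): allow-list validation of a host name.
LC_ALL=C; export LC_ALL   # make A-Z / a-z mean ASCII ranges only

# Print the characters of $1 that fall outside the thread's allow-list.
offending_chars() {
    printf '%s' "$1" | tr -d 'A-Za-z0-9_.-'
}

# Return 0 only if $1 is non-empty, at most 253 characters, uses only
# allow-listed characters, and every dot-separated label is 1..63
# characters long and neither starts nor ends with "-".
hostname_is_safe() {
    name=$1
    case $name in
        ''|*[!A-Za-z0-9_.-]*) return 1 ;;      # empty or disallowed character
        .*|*.|*..*) return 1 ;;                # empty label
        -*|*-|*.-*|*-.*) return 1 ;;           # label starts or ends with "-"
    esac
    [ "${#name}" -le 253 ] || return 1
    old_ifs=$IFS; IFS=.
    set -- $name          # safe to split unquoted: no glob characters remain
    IFS=$old_ifs
    for label in "$@"; do
        [ "${#label}" -le 63 ] || return 1
    done
    return 0
}

# Report on one name; the exit status mirrors hostname_is_safe.
audit_name() {
    if hostname_is_safe "$1"; then
        printf 'OK      %s\n' "$1"
    else
        printf 'UNSAFE  %s (disallowed: %s)\n' "$1" "$(offending_chars "$1")"
        return 1
    fi
}

# Constructed samples: an ordinary name and the value used in the report.
for sample in 'web-01.example.com' '`ls>bug`'; do
    audit_name "$sample" || true
done
```

To audit a live system, pass `audit_name` the output of `uname -n` or the first line of /etc/hostname.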

Bernd Dietzel (l-ubuntuone1104) wrote :

script

Marc Deslauriers (mdeslaur) wrote :

I'm not sure what the attack vector here is. /etc/hostname is only writeable by root.

Is there any way for an attacker to control /etc/hostname?

Bernd Dietzel (l-ubuntuone1104) wrote :

@Marc
Yes, if some application has a bug, for example MintNanny:
https://bugs.launchpad.net/linuxmint/+bug/1460835

Tyler Hicks (tyhicks) wrote :

This issue was assigned CVE-2016-0634. See the oss-security notice here:

  http://openwall.com/lists/oss-security/2016/09/16/8

Launchpad Janitor (janitor) wrote :

This bug was fixed in the package bash - 4.3-15ubuntu1.1

---------------
bash (4.3-15ubuntu1.1) yakkety-security; urgency=medium

  * SECURITY UPDATE: word expansions on the prompt strings (LP: #1507025)
    - debian/patches/bash43-047.diff: add quoting to parse.y, y.tab.c.
    - CVE-2016-0634
  * SECURITY UPDATE: code execution via crafted SHELLOPTS and PS4
    (LP: #1689304)
    - debian/patches/bash43-048.diff: check for root in variables.c.
    - CVE-2016-7543
  * SECURITY UPDATE: restricted shell bypass via use-after-free
    - debian/patches/bash44-006.diff: check for negative offsets in
      builtins/pushd.def.
    - CVE-2016-9401

 -- Marc Deslauriers <email address hidden> Tue, 16 May 2017 07:44:56 -0400

Changed in bash (Ubuntu):
status: New → Fix Released
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package bash - 4.3-7ubuntu1.7

---------------
bash (4.3-7ubuntu1.7) trusty-security; urgency=medium

  * SECURITY UPDATE: word expansions on the prompt strings (LP: #1507025)
    - debian/patches/bash43-047.diff: add quoting to parse.y, y.tab.c.
    - CVE-2016-0634
  * SECURITY UPDATE: code execution via crafted SHELLOPTS and PS4
    (LP: #1689304)
    - debian/patches/bash43-048.diff: check for root in variables.c.
    - CVE-2016-7543
  * SECURITY UPDATE: restricted shell bypass via use-after-free
    - debian/patches/bash44-006.diff: check for negative offsets in
      builtins/pushd.def.
    - CVE-2016-9401

 -- Marc Deslauriers <email address hidden> Tue, 16 May 2017 07:52:48 -0400

Changed in bash (Ubuntu):
status: New → Fix Released
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package bash - 4.3-14ubuntu1.2

---------------
bash (4.3-14ubuntu1.2) xenial-security; urgency=medium

  * SECURITY UPDATE: word expansions on the prompt strings (LP: #1507025)
    - debian/patches/bash43-047.diff: add quoting to parse.y, y.tab.c.
    - CVE-2016-0634
  * SECURITY UPDATE: code execution via crafted SHELLOPTS and PS4
    (LP: #1689304)
    - debian/patches/bash43-048.diff: check for root in variables.c.
    - CVE-2016-7543
  * SECURITY UPDATE: restricted shell bypass via use-after-free
    - debian/patches/bash44-006.diff: check for negative offsets in
      builtins/pushd.def.
    - CVE-2016-9401

 -- Marc Deslauriers <email address hidden> Tue, 16 May 2017 07:51:45 -0400

Changed in bash (Ubuntu):
status: New → Fix Released
Alex Murray (alexmurray) wrote :

Even our oldest supported (as extended security maintenance) release Ubuntu 12.04 had bash 4.2 (https://launchpad.net/ubuntu/+source/bash) - so whether this affects bash 3.2.57 is not relevant to Ubuntu anymore.
