Apologies for conflating the Wireshark-related "bug / broken package /
attack" comment with the bash issue.

Good luck resolving the issues.

-----Original Message-----
From: Miroslav Rovis [mailto:miro.rovis@××××××××××××××.hr]
Sent: Sunday, May 07, 2017 09:42
To: gentoo-user@l.g.o
Subject: Re: [gentoo-user] Inconsistent behavior in my Gentoo OS instance

On 170505-22:40-0400, Bobby Kent wrote:
> Looks like there are two things that concern you. Firstly, how bash
> tab expansion appears to work (the ls, etc. commands executed when you
> hit the tab key) on your system. Secondly, the "bash: unexpected EOF
> while looking for matching `)'bash: syntax error: unexpected end of
> file" messages generated when a particular tab expansion fails.
>
> Is that second issue generated by hitting tab at the end of the command:
>
> ls -1d root_170430_g0n*.d
>
> ? If so, perhaps there's something unusual with the items that match
> the pattern "root_170430_g0n*.d*" that results in the error ...
Well then there should have been something unusual with a plain rsync command
and simple directories in the link that I gave in the other email, as I said in
the mail to which the above is your reply, and which you quoted further
below...

> Regarding your diagnosis:
>
> > That's a serious bug or a serious malfunction in my Gentoo, the
> > latter being most likely...
> >
> > And if it is the latter, it can only be one or the other way.
> > One: the cause is in some Gentoo package.
> > Two: it is an attack by some unknown means.
>
> Before declaring

But the whole paragraph originally, at the top of the thread (construing the
citation):

> > Wireshark! Look at that! That's not a shadow. That's a serious bug
> > or a serious malfunction in my Gentoo, the latter being most likely...

And also in the abridged email it is under:

> > Second issue
> > ============

So it refers to Wireshark only :)

So pls. note that the above is not declaring it such about Bash...

But I didn't modify the Bash completion. And esp. I would never modify it
to be sed'ing and awk'ing on my /etc/ssh/ssh_config. ;-)

... So the above *could* apply to Bash, if I had (which I didn't) written it
about Bash, but I would only word it to the level of suspicion. And
suspicion it remains...

> bug / broken package / attack, it might be an idea to see whether the
> issue is reproducible, and under what circumstances.
>
> Note, tab expansion can be modified (see, for example,
> http://www.linuxjournal.com/content/more-using-bash-complete-command).

Which is a great link! Thanks! But again, while it could be some monkeys
from space (of that kind of monkeys that write Bibles and so invent God[2],
but these might be extraterrestrial monkeys, and maybe invisible, that can
reach with their hands into computers without anybody realizing...).

Oh, sorry for my irony. But this must have been something/someone with a
purpose, whether the purpose was a prank/denial/subversion/<other>...
There is no event that can materialize out of nothing and without a cause,
else physics and logic go to the dustbin. And the event was pretty complex in
this case. See below for the links to the script in action that I sent in
the other email.

And nobody expected that script to come to the fore. Thanks to Mr Linux[3],
grsecurity is not widespread, and not so well known, and not even the
shadows are familiar with all of its features. That script (in its action, I
don't know where it resided in my machine[4]) only came to the fore because
of the exec_logging feature of the grsecurity-hardened kernel.

Only because I had exec_logging turned on in my grsecurity-hardened kernel
was I able to show you the undeniable fact of what was executed at my
hitting the Tab at that particular five or so seconds period of time in my
real life.

I need to remind the readers here that Bobby maybe refers here to what I
gave in the other email, as I said I would (but the top posting that he
uses, along with my peculiar slow and clumsy style, makes it a bit of a
mess, sorry!). For my reference, see my quoted email further below, which I
otherwise cut shorter.

And from that other email I'm construing the links that I gave as if it was
a reply, except for the links, I want them in the clear:
> > Strange script planted with Bash
https://www.croatiafidelis.hr/foss/cap/cap-170504-strange-bash/

> > should make for some thinking...

> > It's in the logs
> > (
https://www.croatiafidelis.hr/foss/cap/cap-170504-strange-bash/messages_170504_2155_g0n
> > [link is at bottom of page, under "messages_170504_2155_g0n"] ).
It has become more complicated. On top of lots of time spent in analysis of my
systems, I have had much difficulty connecting to the internet since I sent
and posted on grsecurity.net and sent my messages to gentoo-user some two
days ago...

E.g. this morning, the connection was abruptly cut after only some five
minutes. I was only able to receive new email and check a few links in
regard to which I hope replies will have shown up soon from now, but wasn't
even able to see the grsecurity.net topic about this issue that I opened two
days ago... and I don't even know if I received any replies
there:
( Tab (no exec) triggers script on Bash on grsec admin
https://forums.grsecurity.net/viewtopic.php?f=3&t=4700 ) ...
And I don't know if I will be able to...

First dhcpcd would crash on any attempt to run a bridge which I have run
without any issues for months now, witness all the pages and screencasts and
PCAPs at https://www.croatiafidelis.hr/foss/cap/
(
select by the timestamp, the later the better; I even got a really nice note
of appreciation from Devuan devs when my analysis helped them to fix a
trivial but urgent network issue on 2017-04-23, which timestamp I shorten to
170423 and so the link is:
BAD sig on Devuan ISO
https://www.croatiafidelis.hr/foss/cap/cap-170423-devuan-iso-sig/
)...

And since this morning even a plain, one-ether-device-only connection failed
without any segfaults to anything or any " denied " errors... (the bridge
would always get segfaults for dhcpcd).

Back to the script seen in its action only. I spent hours trying to figure
out what the lines of the script that does that should look like, but I would
need more hours to be able to reconstruct any. I saw those entries in awk
and I know sed that well, but more skills are needed to reconstruct that
script... and to hopefully locate it in the system partition dump.

Thanks if anybody is able to better analyze those (and maybe help locate
it). So that it is quicker at hand, I attach a gzip'ed archive of
https://www.croatiafidelis.hr/foss/cap/cap-170504-strange-bash/messages_170504_2155_g0n
messages_170504_2155_g0n.gz
to this email as well (it's just over 1K).

But I strongly believed it was a potential risk to keep running that system,
and what I did is, while completely offline, I thoroughly checked the frozen
clone and also the Air-Gapped (which only has the Wireshark inconsistency,
and never had this Tab-triggers-Bash-script in (grsecurity RBAC) role
admin).

And then I updated my Air-Gapped and cloned my for-online system from it. In
this system, [stop...] Haha! actually *only* in the software of this system,
there are no traces that would indicate any Tab-triggers-a-script behavior,
but I certainly don't know if anything was planted in my hardware... It's
not Open Hardware,[5] so even if I knew how to check firmware and stuff, I
couldn't check much of it, let alone all of it...

> -----Original Message-----
> From: Miroslav Rovis [mailto:miro.rovis@××××××××××××××.hr]
> Sent: Friday, May 05, 2017 01:02
> To: gentoo-user@l.g.o
> Subject: Re: [gentoo-user] Inconsistent behavior in my Gentoo OS
> instance
>
> Hi Bobby!
>
> Pls. see also:
>
> Tab (no exec) triggers script on Bash on grsec admin
> https://forums.grsecurity.net/viewtopic.php?f=3&t=4700
>
> as well as the other email that I sent some 7 or so hours ago.
>
> NOTE: if I'm away, it's because I'm a little worried... I'm afraid my
> system may be vulnerable because of these issues. Patience pls.
>
> (no more but only my sig in bottom)
>
> On 170504-21:15-0400, Bobby Kent wrote:
> > Hi Miroslav,
> >
> > Attempting to reproduce third issue:
> >
> > # mkdir wibble1_1
> > # mkdir wibble2_1
> > # mkdir wibble3_1
> > # mkdir wibble4_1
> > # mkdir wibble5_1
> > # for d in wibble*_1 ; do mkdir $d/wobble ; done
> > # ls -1d wibble*_1
> > wibble1_1
> > wibble2_1
> > wibble3_1
> > wibble4_1
> > wibble5_1
> >
> > Then hit tab after positioning cursor after the / below:
> > # for i in $(ls -1d wibble*_1/) ; do echo $i ; done
> >
> > And the results are an attempt to autocomplete:
> > wibble1_1// wibble2_1// wibble3_1// wibble4_1// wibble5_1//
> >
> > Perhaps the test oversimplified the issue, though maybe you could
> > provide the simplest way to reproduce what you see.
> >
> > Thanks.
I do get this normal behavior that you explain above in my Air-Gapped.
And generally in my cloned system. The erratic behavior that I caught a
revealing glimpse of was only ever happening in my clone that goes online.

> > -----Original Message-----
> > From: Miroslav Rovis [mailto:miro.rovis@××××××××××××××.hr]
> > Sent: Tuesday, May 02, 2017 10:13
> > To: gentoo-user@l.g.o
> > Subject: Re: [gentoo-user] Inconsistent behavior in my Gentoo OS
> > instance
...
> >
> > Third issue
> > ==========
...
> > > [[
> > > NOTE (before delayed sending): In fact, it is only this clone that
> > > exhibits the above Bash malfunctioning. I just checked the same for
> > > loop command (some six paragraphs above) in my Air-Gapped master
> > > [1] (never any internet it sees,
> > The [1] is important for understanding, especially this Bash issue
> > in my Gentoo instance.
> > Because in my Air-Gapped Gentoo instance that issue does not show at
> > all.
Pls. also note the line just above. It is a strong indication, by the science
of probability. Any real serious issues that I have had in years most often
showed in the clone, but never in my Air-Gapped. Only the Wireshark issue
that I have makes for a singular exception... And that is why I first
thought, and wrote so, that I needed to rebuild my system... I still do, but
an Air-Gap rebuild is a longer time exercise...

And finally, my suspicion is still not a declaration of anything.

E.g. it was nice to find out what the reason was for the eix issue (the
"Fourth issue") from Martin Vaeth's reply, and I am sending in parallel
with this one another email to confirm on it, as that was a normal bug, and
also as it has been fixed in the meantime.

Who knows, maybe there is a rational explanation for that completion
triggering and sed'ing on /etc/ssh/ssh_config ... without monkeys from space
and without attacks by shadows or very badly broken packages...

Do show me if this is something in-the-ordinary, anybody, if you can!

...
> > > ---
> > > [1] My methods are still these:
> > > Air-Gapped Gentoo Install, Tentative
> > > https://forums.gentoo.org/viewtopic-t-987268.html
> > >
> > > and
> > >
> > > Postfix smtp/TLS, Bkp/Cloning Mthd, Censorship/Intrusion
> > > https://forums.gentoo.org/viewtopic-t-999436.html#7613044
> > >

---
[2] There was an experiment by the evolutionists who gave computers to
monkeys, convinced that they would eventually, after be it a huge
number of tries, start typing some sensible input into those and end
up writing some, that those be trivial, messages of some kind, or at
least some text that makes some sense whatsoever... Namely, they
believe that humans came out of monkeys, during long periods of
history... Alas, didn't happen... Only excrements on those
keyboards and monitors, and ruined equipment... There wasn't any
kind of text that makes any kind of sense whatsoever. Sorry but I
lost the source for this...

[3] Developer Raps Linux security
http://www.crmbuyer.com/story/39565.html

[4] I will keep the frozen system for weeks from now. dd dumped as by
the ...Bkp/Cloning Mthd... link given some 12 lines above. In case
there would be something to find in there...

[5] Use old amd64 gentoo image on new amd64 hardware, possible?
https://forums.gentoo.org/viewtopic-t-940916.html
(the newer of the two systems, the Extreme4 MBO)

Regards!
--
Miroslav Rovis
Zagreb, Croatia
https://www.CroatiaFidelis.hr
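The thread's open question is what pressing Tab is actually allowed to run. One defender-side check, added here as an example and not part of the thread or of any of the linked pages, is to dump every bash completion function with `declare -f` and audit the bodies for anything that can write to files. The two completion functions in the sample are constructed; the `/etc/ssh/ssh_config` edit in the second one is a placeholder standing in for the behaviour the thread describes.

```python
import re

# Constructed sample of `declare -f` output for two completion functions
# (not from the thread).  On a live system, list the functions with
# `complete -p` (the name after -F) and dump each with `declare -f NAME`.
SAMPLE_DECLARE_F = """\
_ls_dirs ()
{
    COMPREPLY=($(compgen -d -- "${COMP_WORDS[COMP_CWORD]}"))
}
_odd_complete ()
{
    sed -i 's/x/y/' /etc/ssh/ssh_config;
    awk '{ print }' /etc/ssh/ssh_config > "$HOME/.cache/sshcfg";
    COMPREPLY=($(compgen -f -- "${COMP_WORDS[COMP_CWORD]}"))
}
"""

FUNC_START = re.compile(r"^(\w+) \(\)\s*$")
# Things a completion function has no business doing: in-place sed,
# file-writing utilities, or output redirected to a file.
WRITE_OPS = re.compile(
    r"\bsed\b[^;|\n]*\s-[A-Za-z]*i\b"
    r"|\b(?:tee|cp|mv|dd|chmod|chown|truncate|install)\b"
    r"|(?<![<>&0-9])>(?!&|\s*/dev/null)"
)

def parse_declare_f(text):
    """Split `declare -f` output into {function_name: body}."""
    funcs, name, body = {}, None, []
    for line in text.splitlines():
        m = FUNC_START.match(line)
        if m:
            name, body = m.group(1), []
        elif name is None or line.strip() == "{":
            continue                      # outside a function, or its opening brace
        elif line.startswith("}"):
            funcs[name], name = "\n".join(body), None
        else:
            body.append(line)
    return funcs

def audit_completions(text, watched_prefix="/etc/"):
    """Return {name: [suspicious lines]} for functions that write files or touch `watched_prefix`."""
    findings = {}
    for name, body in parse_declare_f(text).items():
        hits = [ln.strip() for ln in body.splitlines()
                if WRITE_OPS.search(ln) or watched_prefix in ln]
        if hits:
            findings[name] = hits
    return findings
```

Run against the sample, `audit_completions(SAMPLE_DECLARE_F)` reports only `_odd_complete`, with both the `sed -i` and the `awk ... >` lines; `_ls_dirs` comes back clean.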