| 1 |
Apologies for conflating the Wireshark related "bug / broken package / |
| 2 |
attack" comment with the bash issue. |
| 3 |
|
| 4 |
Good luck resolving the issues. |
| 5 |
|
| 6 |
-----Original Message----- |
| 7 |
From: Miroslav Rovis [mailto:miro.rovis@××××××××××××××.hr] |
| 8 |
Sent: Sunday, May 07, 2017 09:42 |
| 9 |
To: gentoo-user@l.g.o |
| 10 |
Subject: Re: [gentoo-user] Inconsistent behavior in my Gentoo OS instance |
| 11 |
|
| 12 |
On 170505-22:40-0400, Bobby Kent wrote: |
| 13 |
> Looks like there are two things that concern you. Firstly, how bash |
| 14 |
> tab expansion appears to work (the ls, etc. commands executed when you |
| 15 |
> hit the tab key) on your system. Secondly, the "bash: unexpected EOF |
| 16 |
> while looking for matching `)'bash: syntax error: unexpected end of |
| 17 |
> file" messages generated when a particular tab expansion fails. |
| 18 |
> |
| 19 |
> Is that second issue generated by hitting tab at the end of the command: |
| 20 |
> |
| 21 |
> ls -1d root_170430_g0n*.d |
| 22 |
> |
| 23 |
> ? If so, perhaps there's something unusual with the items that match |
| 24 |
> the pattern "root_170430_g0n*.d*" that results in the error ... |
| 25 |
Well then there should have been somthing unusual with a plain rsync command |
| 26 |
and simple direcories in the link that I gave in other email, as I said in |
| 27 |
the mail to which the above is your reply, and which you quoted further |
| 28 |
below... |
| 29 |
|
| 30 |
> Regarding your diagnosis: |
| 31 |
> |
| 32 |
> > That's a serious bug or a serious malfunction in my Gentoo, the |
| 33 |
> > latter being most likely... |
| 34 |
> > |
| 35 |
> > And if it is the latter, it can only be one or the other way. |
| 36 |
> > One: the cause is in some Gentoo packge. |
| 37 |
> > Two: it is an attack by some unknown means. |
| 38 |
> |
| 39 |
> Before declaring |
| 40 |
|
| 41 |
But the whole paragraph originally, in the top of the thread (construing |
| 42 |
citation): |
| 43 |
|
| 44 |
> > Wireshark! Look at that! That's not a shadow. That's a serious bug |
| 45 |
> > or a serious malfunction in my Gentoo, the latter being most likely... |
| 46 |
|
| 47 |
And also in the abridged email it is under: |
| 48 |
|
| 49 |
> > Second issue |
| 50 |
> > ============ |
| 51 |
|
| 52 |
So it refers to Wireshark only :) |
| 53 |
|
| 54 |
So pls. note that the above is not declaring it such about Bash... |
| 55 |
|
| 56 |
But I didn't modified the Bash completion. And esp. I would never modify it |
| 57 |
to be sed'ing and awk'ing on my /etc/ssh/ssh_config. ;-) |
| 58 |
|
| 59 |
... So the above *could* apply to Bash, if I had (which I didn't) written it |
| 60 |
about Bash, but I would only word it to the level of suspicion. And |
| 61 |
suspicion it remains... |
| 62 |
|
| 63 |
> bug / broken package / attack, it might be an idea to see whether the |
| 64 |
> issue is reproducible, and under what circumstances. |
| 65 |
> |
| 66 |
> Note, tab expansion can be modified (see, for example, |
| 67 |
> http://www.linuxjournal.com/content/more-using-bash-complete-command). |
| 68 |
|
| 69 |
Which is a great link! Thanks! But again, while it could be some monkeys |
| 70 |
from space (of that kind of monkeys that write Bibles and so invent God[2], |
| 71 |
but these might be extraterrestrial monkeys, and maybe invisible, that can |
| 72 |
reach with their hands into computers without anybody realizing...). |
| 73 |
|
| 74 |
Oh, sorry for my irony. But this must have been something/someone with a |
| 75 |
purpose, that the purpose had been a prank/denial/subversion/<other>... |
| 76 |
There is no event that can materialize out of nothing and without a cause, |
| 77 |
else physics and logic go to dusbin. And the event was pretty complex in |
| 78 |
this case. See below for the links to the script in action that I sent in |
| 79 |
the other email. |
| 80 |
|
| 81 |
And nobody expected that script to come to the fore. Thanks to Mr Linux[3], |
| 82 |
grsecurity in not widespread, and not so well known, and not even the |
| 83 |
shadows are familiar with all of its features. That script (in its action, I |
| 84 |
don't know where it resided in my machine[4]) only came to the fore because |
| 85 |
of the exec_logging feature of grsecurity-hardened kernel. |
| 86 |
|
| 87 |
Only because I had exec_logging turned on in my grsecurity-hardened kernel, |
| 88 |
I was able to show you the undeniable fact of what was executed at my |
| 89 |
hitting the Tab at that particular five or so seconds period of time in my |
| 90 |
real life. |
| 91 |
|
| 92 |
I need to remind the readers here that Bobby maybe refers here to what I |
| 93 |
gave in the other email, as I said I would (but the top posting that he |
| 94 |
uses, along with my peculiar slow and clumsy style, makes it a bit of a |
| 95 |
mess, sorry!). For my reference, see my quoted email further below, which I |
| 96 |
otherwise cut shorter. |
| 97 |
|
| 98 |
And from that other email I'm construing the links that I gave as if it was |
| 99 |
a reply, except for the links, I want them in the clear: |
| 100 |
> > Strange script planted with Bash |
| 101 |
https://www.croatiafidelis.hr/foss/cap/cap-170504-strange-bash/ |
| 102 |
|
| 103 |
> > should make for some thinking... |
| 104 |
|
| 105 |
> > It's in the logs |
| 106 |
> > ( |
| 107 |
https://www.croatiafidelis.hr/foss/cap/cap-170504-strange-bash/messages_1705 |
| 108 |
04_2155_g0n |
| 109 |
> > [link is at bottom of page, under "messages_170504_2155_g0n"] ). |
| 110 |
It has complicated further. On top of lots of time spent in analysis of my |
| 111 |
systems, I have had much difficulty connecting to the internet since I sent |
| 112 |
and posted on grsecurity.net and sent my messages to gentoo-user some two |
| 113 |
days ago... |
| 114 |
|
| 115 |
E.g. this morning, the connection was abruptly cut after only some five |
| 116 |
minutes. I was only able to receive new email and check a few links in |
| 117 |
regard to which I hope replies will have shown up soon from now, but wasn't |
| 118 |
even able to see the grsecurity.net topic about this issue that I opened two |
| 119 |
days ago... and I don't even know if I received any replies |
| 120 |
there: |
| 121 |
( Tab (no exec) triggers script on Bash on grsec admin |
| 122 |
https://forums.grsecurity.net/viewtopic.php?f=3&t=4700 ) ... |
| 123 |
And I don't know if I will be able to... |
| 124 |
|
| 125 |
First dhcpcd would crash on any attempt to run a bridge which I have run |
| 126 |
without any issues for months now, witness all the pages and screencasts and |
| 127 |
PCAPs at https://www.croatiafidelis.hr/foss/cap/ |
| 128 |
( |
| 129 |
select by the timestamp, the later the better; I even got a really nice note |
| 130 |
of appreciation from Devuan devs when my analysis helped them to fix a |
| 131 |
trivial but urgent network issue on 2017-04-23 which timestamp I shorten to |
| 132 |
170423 and so the link is: |
| 133 |
BAD sig on Devuan ISO |
| 134 |
https://www.croatiafidelis.hr/foss/cap/cap-170423-devuan-iso-sig/ |
| 135 |
)... |
| 136 |
|
| 137 |
And since this morning even plain one only ether device connection failed |
| 138 |
without any segfaults to anything or any " denied " errors... (the bridge |
| 139 |
would always get segfaults for dhcpcd). |
| 140 |
|
| 141 |
Back to the script seen in its action only. I spent hours trying to figure |
| 142 |
out what the lines of the script that does that should look like, but more |
| 143 |
hours I would need to be able to reconstruct any. I saw those entries in awk |
| 144 |
and I know sed that well, but it's more skills needed to reconstruct that |
| 145 |
script... and to hopefully locate it in the system partition dump. |
| 146 |
|
| 147 |
Thanks if anybody is able to better analyze those (and maybe help locate |
| 148 |
it). So that it be quicker at hand, I attach a gzip'ed archive of |
| 149 |
https://www.croatiafidelis.hr/foss/cap/cap-170504-strange-bash/messages_1705 |
| 150 |
04_2155_g0n |
| 151 |
messages_170504_2155_g0n.gz |
| 152 |
to this email as well (it's just over 1K). |
| 153 |
|
| 154 |
But I strongly believed it was a potential risk to keep running that system, |
| 155 |
and what I did is, while completely offline, I thoroughly checked the frozen |
| 156 |
clone and also the Air-Gapped (which only has the Wireshark inconsistency, |
| 157 |
and never had this Tab-triggers-Bash-script in (grsecurity RBAC) role |
| 158 |
admin). |
| 159 |
|
| 160 |
And then I updated my Air-Gapped and cloned my for-online system from it. In |
| 161 |
this system, [stop...] Haha! actually *only* in the software of this system, |
| 162 |
there are no traces that would indicate any Tab-triggers-a-script behavior, |
| 163 |
but I certainly don't know if anything was planted in my hardware... It's |
| 164 |
not Open Hardware,[5] so even if I knew how to check firware and stuff, I |
| 165 |
couldn't check much of it, let alone all of it... |
| 166 |
|
| 167 |
> -----Original Message----- |
| 168 |
> From: Miroslav Rovis [mailto:miro.rovis@××××××××××××××.hr] |
| 169 |
> Sent: Friday, May 05, 2017 01:02 |
| 170 |
> To: gentoo-user@l.g.o |
| 171 |
> Subject: Re: [gentoo-user] Inconsistent behavior in my Gentoo OS |
| 172 |
> instance |
| 173 |
> |
| 174 |
> Hi Bobby! |
| 175 |
> |
| 176 |
> Pls. see also: |
| 177 |
> |
| 178 |
> Tab (no exec) triggers script on Bash on grsec admin |
| 179 |
> https://forums.grsecurity.net/viewtopic.php?f=3&t=4700 |
| 180 |
> |
| 181 |
> as well as the other email that I sent some 7 or so hours ago. |
| 182 |
> |
| 183 |
> NOTE: if I'm away, it's because I'm a little worried... I'm afraid my |
| 184 |
> system may be vulnerable because of these issues. Patience pls. |
| 185 |
> |
| 186 |
> (no more but only my sig in bottom) |
| 187 |
> |
| 188 |
> On 170504-21:15-0400, Bobby Kent wrote: |
| 189 |
> > Hi Miroslav, |
| 190 |
> > |
| 191 |
> > Attempting to reproduce third issue: |
| 192 |
> > |
| 193 |
> > # mkdir wibble1_1 |
| 194 |
> > # mkdir wibble2_1 |
| 195 |
> > # mkdir wibble3_1 |
| 196 |
> > # mkdir wibble4_1 |
| 197 |
> > # mkdir wibble5_1 |
| 198 |
> > # for d in wibble*_1 ; do mkdir $d/wobble ; done # ls -1d wibble*_1 |
| 199 |
> > wibble1_1 |
| 200 |
> > wibble2_1 |
| 201 |
> > wibble3_1 |
| 202 |
> > wibble4_1 |
| 203 |
> > wibble5_1 |
| 204 |
> > |
| 205 |
> > Then hit tab after positioning cursor after the / below: |
| 206 |
> > # for i in $(ls -1d wibble*_1/) ; do echo $i ; done |
| 207 |
> > |
| 208 |
> > And the results are an attempt to autocomplete: |
| 209 |
> > wibble1_1// wibble2_1// wibble3_1// wibble4_1// wibble5_1// |
| 210 |
> > |
| 211 |
> > Perhaps the test oversimplified the issue, though maybe you could |
| 212 |
> > provide the simplest way to reproduce what you see. |
| 213 |
> > |
| 214 |
> > Thanks. |
| 215 |
I do get this normal behavior that you explain above in my Air-Gapped. |
| 216 |
And generally in my cloned system. The erratic behavior that I caught a |
| 217 |
revealing glimse of was only ever happening in my clone that goes online. |
| 218 |
|
| 219 |
> > -----Original Message----- |
| 220 |
> > From: Miroslav Rovis [mailto:miro.rovis@××××××××××××××.hr] |
| 221 |
> > Sent: Tuesday, May 02, 2017 10:13 |
| 222 |
> > To: gentoo-user@l.g.o |
| 223 |
> > Subject: Re: [gentoo-user] Inconsistent behavior in my Gentoo OS |
| 224 |
> > instance |
| 225 |
... |
| 226 |
> > |
| 227 |
> > Third issue |
| 228 |
> > ========== |
| 229 |
... |
| 230 |
> > > [[ |
| 231 |
> > > NOTE (before delayed sending): In fact, it is only this clone that |
| 232 |
> > > exibits the above Bash malfunctioning. I just checked the same for |
| 233 |
> > > loop command (some six paragraphs above) in my Air-Gapped master |
| 234 |
> > > [1] (never any internet it sees, |
| 235 |
> > The [1] is important for understanding, especially this Bash issue |
| 236 |
> > in my Gentoo instance. |
| 237 |
> > Because in my Air-Gapped Gentoo instance that issue does not show at |
| 238 |
all. |
| 239 |
Pls. also note the line just above. It is a strong indication, by science of |
| 240 |
probability. Any real serious issues that I have had in years, most often |
| 241 |
showed in the clone, but never in my Air-Gapped. Only the Wireshark issue |
| 242 |
that I have makes for a singular exception... And that is why I first |
| 243 |
thought, and wrote so, that I needed to rebuild my system... I still do, but |
| 244 |
and Air-Gap rebuild is a longer time exercize... |
| 245 |
|
| 246 |
And finally, my suspicion is still not a declaration of anything. |
| 247 |
|
| 248 |
E.g. it was nice to find out what the reason was for the eix issue (the |
| 249 |
"Fourth issue") from Marting Vaeth's reply, and I am sending in parallel |
| 250 |
with this one another email to confirm on it, as that was a normal bug, and |
| 251 |
also as it has been fixed in the meantime. |
| 252 |
|
| 253 |
Who knows, maybe there is a rational explanation for that completion |
| 254 |
triggering and sed'ing on /etc/ssh/ssh_config ... without monkeys from space |
| 255 |
and without attacks by shadows or very badly broken packages... |
| 256 |
|
| 257 |
Do show me if this is something in-the-ordinary, anybody, if you can! |
| 258 |
|
| 259 |
... |
| 260 |
> > > --- |
| 261 |
> > > [1] My methods are still these: |
| 262 |
> > > Air-Gapped Gentoo Install, Tentative |
| 263 |
> > > https://forums.gentoo.org/viewtopic-t-987268.html |
| 264 |
> > > |
| 265 |
> > > and |
| 266 |
> > > |
| 267 |
> > > Postfix smtp/TLS, Bkp/Cloning Mthd, Censorship/Intrusion |
| 268 |
> > > https://forums.gentoo.org/viewtopic-t-999436.html#7613044 |
| 269 |
> > > |
| 270 |
|
| 271 |
--- |
| 272 |
[2] There was an experiment by the evolutionists who gave computers to |
| 273 |
monkeys, convinced that they would eventually, after be it a huge |
| 274 |
number of tries, start typing some sensible input into those and end |
| 275 |
up writing some, that those be trivial, messages of some kind, or at |
| 276 |
least some text that makes some sense whatsoever... Namely, they |
| 277 |
believe that humans came out of monkeys, during long periods of |
| 278 |
history... Alas, didn't happen... Only excrements on those |
| 279 |
keyboards and monitors, and ruined equipment... There wasn't any |
| 280 |
kind of text that makes any kind of sense whatsoever. Sorry but I |
| 281 |
lost the source for this... |
| 282 |
|
| 283 |
[3] Developer Raps Linux security |
| 284 |
http://www.crmbuyer.com/story/39565.html |
| 285 |
|
| 286 |
[4] I will keep the frozen system for weeks from now. dd dumped as by |
| 287 |
the ...Bkp/Cloning Mthd... link given some 12 lines above. In case |
| 288 |
there would be something to find in there... |
| 289 |
|
| 290 |
[5] Use old amd64 gentoo image on new amd64 hardware, possible? |
| 291 |
https://forums.gentoo.org/viewtopic-t-940916.html |
| 292 |
(the newer of the two systems, the Extreme4 MBO) |
| 293 |
|
| 294 |
Regards! |
| 295 |
-- |
| 296 |
Miroslav Rovis |
| 297 |
Zagreb, Croatia |
| 298 |
https://www.CroatiaFidelis.hr |
Archives