
'Shellshock' BASH Vulnerability Discovered

DaveyH
Champion
Posts: 1,946
Thanks: 453
Fixes: 12
Registered: ‎15-11-2012

'Shellshock' BASH Vulnerability Discovered

Time to update those nix boxes
Quote from: http://www.tomsguide.com/us/shellshock-osx-linux,news-19614.html
A fundamental flaw in one of the most basic functions of OS X, Linux, UNIX and related operating systems was revealed and patched today (Sept. 24) by software developers. The Bash "shell," or command-line interface for UNIX-like systems, allows injection of random, possibly malicious, code following commands, and automatically executes that code without verifying it. Today's patch prevents that code execution...
VileReynard
Hero
Posts: 12,616
Thanks: 582
Fixes: 20
Registered: ‎01-09-2007

Re: 'Shellshock' BASH Vulnerability Discovered

I don't understand this so-called bug.
Quote
Shell scripts which do not export variables are not vulnerable to this issue, even if they process untrusted content and store it in (unexported) shell variables and open subshells.

(Majority of shell scripts) ?Huh
Unless somebody has been very reckless with security, this bug would only affect a single user.

"In The Beginning Was The Word, And The Word Was Aardvark."

HairyMcbiker
All Star
Posts: 6,792
Thanks: 266
Fixes: 21
Registered: ‎16-02-2009

Re: 'Shellshock' BASH Vulnerability Discovered

Wondered why bash had been updated yesterday 😉
30FTTC06
Pro
Posts: 2,286
Thanks: 108
Fixes: 4
Registered: ‎18-02-2013

Re: 'Shellshock' BASH Vulnerability Discovered

It's never ending Grin
Anyway DD-WRT seems ok >>> http://www.dd-wrt.com/phpBB2/viewtopic.php?t=268805
Added: "I'm still unsure how are any embedded devices (routers among them) vulnerable to this particular CVE.
Can you please point me at router firmware (or custom router firmware) that actually uses bash, the latter being one of the slowest and resource-hogging shells? Almost all Linux-based routers run Busybox, which implements its own tiny shell.
This also does not affect the majority of *NIX/BSD servers as those usually don't have bash (besides possible personal user shells, and those that host CGI scripts that specifically use #!/usr/bin/bash instead of #!/bin/sh; /bin/sh is never bash in this case). Same can be said about Ubuntu which uses dash as its /bin/sh replacement. As in, the vulnerability can be exploited on these systems, but only locally (and probably only if there are setuid bash scripts, otherwise all you get is run some code with your own effective UID/GID)."
HairyMcbiker
All Star
Posts: 6,792
Thanks: 266
Fixes: 21
Registered: ‎16-02-2009

Re: 'Shellshock' BASH Vulnerability Discovered

Had a look at the exploit after seeing this, and it does seem to only be related to CGI scripts, and as you say all my embedded stuff uses busybox as the main source for everything. I did add bash to one of my tablets a while back but not most of them.
RJM
Rising Star
Posts: 186
Thanks: 21
Registered: ‎28-01-2013

Re: 'Shellshock' BASH Vulnerability Discovered

oliverb
Grafter
Posts: 606
Registered: ‎02-08-2007

Re: 'Shellshock' BASH Vulnerability Discovered

Can anyone explain this one properly?
I've read one description and I'm still trying to understand how content from the HTTP header gets passed to the shell in the first place. It's something to do with the way environment variables are set I think, but as I understand it in an unsafe/unauthenticated environment everything must be done using direct calls not via a command shell to prevent the risk of an attacker inserting metacharacters that could execute commands. Any use of any command shell invites this kind of attack, since any future version of the shell or alternative shell could add a new separator that the filter would not filter out.
Was the shell ever designed to be secure anyway? It was always expected to be run in an authenticated environment.
OK I think I get it a bit more now, it's that the function definition happens even though it's put inside quotes. "Oh we'll put quotes round it that's sure to make it safe". Facepalm.
kmilburn
Grafter
Posts: 911
Thanks: 6
Registered: ‎30-07-2007

Re: 'Shellshock' BASH Vulnerability Discovered

Ultimately, the problem comes down to a simple mishandling by BASH of an environment variable which starts with a function definition, executing any trailing content rather than throwing it away or returning a failure. With regards to the examples, the quotes are there to get the value from the first shell (which could be any shell) into the environment variable before executing a second shell, it's the second shell that's interpreting the value, and in the case of BASH, mishandling the value.
Web servers are of primary concern as they tend to execute external code to generate page content and place some of the received header fields and content in environment variables to give the sub-process the context it requires. Any server which launches sub-processes and sets up environment variables using client supplied content is at potential risk.
With regards to security, the ability to run the shell and issue commands usually requires direct access (physically or through another interface like SSH or telnet) or is being launched from what would be considered a trusted program. As such, there's not a lot else that can be done as the authentication has already occurred before the shell is executed.
VileReynard
Hero
Posts: 12,616
Thanks: 582
Fixes: 20
Registered: ‎01-09-2007

Re: 'Shellshock' BASH Vulnerability Discovered

If you are passing parameters from an insecure source to a shell script, surely the script should validate them first?

"In The Beginning Was The Word, And The Word Was Aardvark."

kmilburn
Grafter
Posts: 911
Thanks: 6
Registered: ‎30-07-2007

Re: 'Shellshock' BASH Vulnerability Discovered

In normal circumstances you would be right, but in this instance (due to the bug), the shell was executing the rogue instructions before it started the command (script or executable). It's also impractical to put the validation on the launching side as the web server wouldn't know what the launched command expects.
ejs
Aspiring Hero
Posts: 5,442
Thanks: 631
Fixes: 25
Registered: ‎10-06-2010

Re: 'Shellshock' BASH Vulnerability Discovered

I would have thought the web server would have a very good idea of what the valid inputs to a command it's going to launch would be!
kmilburn
Grafter
Posts: 911
Thanks: 6
Registered: ‎30-07-2007

Re: 'Shellshock' BASH Vulnerability Discovered

For the fields of concern (e.g. user agent), the only specification is that it is text, there's no requirement that it makes sense let alone doesn't contain something that any external third party piece of software might have a problem with.
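
The launching-side check debated in the posts above, sketched as an added example (not code from any poster or from a real web server): instead of knowing what each CGI program expects, the launcher only refuses values that begin like a bash function definition. The names `scrub_env`, `run_cgi`, `demo` and the sample request are constructed for illustration.

```python
import re
import subprocess
import sys

# Vulnerable bash versions import an environment value as a function
# definition when it begins with "() {". Allowing optional whitespace
# makes the filter slightly more conservative than bash's own test.
FUNC_DEF_PREFIX = re.compile(r"^\s*\(\)\s*\{")


def scrub_env(env):
    """Return (clean, rejected): the variables that are safe to pass on and
    the names of those whose values look like bash function definitions."""
    clean, rejected = {}, []
    for name, value in env.items():
        if FUNC_DEF_PREFIX.match(value):
            rejected.append(name)
        else:
            clean[name] = value
    return clean, sorted(rejected)


def run_cgi(argv, request_env):
    """Launch the child with only the scrubbed variables in its environment."""
    clean, rejected = scrub_env(request_env)
    proc = subprocess.run(argv, env=clean, capture_output=True,
                          text=True, check=True)
    return proc.stdout.strip(), rejected


# Constructed sample: CGI-style variables built from request headers.
# The trailing command is a harmless placeholder.
SAMPLE_REQUEST_ENV = {
    "REQUEST_METHOD": "GET",
    "HTTP_USER_AGENT": "Mozilla/5.0 (X11; Linux x86_64)",
    "HTTP_REFERER": "() { :; }; echo placeholder",
    "HTTP_COOKIE": "theme=dark; note=() { not at start",
}


def demo():
    """Run a stand-in child that reports whether it received HTTP_REFERER."""
    child = [sys.executable, "-c",
             "import os; print(os.environ.get('HTTP_REFERER', '<unset>'))"]
    return run_cgi(child, SAMPLE_REQUEST_ENV)


if __name__ == "__main__":
    seen, rejected = demo()
    print("rejected:", rejected, "| child saw HTTP_REFERER as:", seen)
```

A filter like this narrows exposure while bash is being updated; it does not replace the update.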
VileReynard
Hero
Posts: 12,616
Thanks: 582
Fixes: 20
Registered: ‎01-09-2007

Re: 'Shellshock' BASH Vulnerability Discovered

So sending a null user agent string would meet the required "standard".

"In The Beginning Was The Word, And The Word Was Aardvark."

LukeAger
Grafter
Posts: 121
Thanks: 5
Registered: ‎15-02-2012

Re: 'Shellshock' BASH Vulnerability Discovered

A few days old now but missing from this thread. Initial patches for this CVE-2014-6271 still left vulnerabilities open and have since (29th) been reported again under a new CVE-2014-6278 along with 6277. Anything patched under 6271 theoretically needs patching again.
Quote from: 11110_110
Can you please point me at router firmware (or custom router firmware) that actually uses bash

Not sure about every vendor but Cisco's list of affected devices is published at http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20140926-bash