'Bigger than Heartbleed': Bash bug could leave IT systems in shellshock


Chicog

Time to patch again...

Just months after news of Heartbleed made waves across the internet, a new security flaw known as Bash bug is threatening to compromise everything from major servers to connected cameras.

A new security vulnerability, known alternately as the Bash or Shellshock bug, could spell disaster for major digital companies, small-scale web hosts and even internet-connected devices.
The quarter-century-old security flaw allows malicious code execution within the bash shell (commonly accessed through Command Prompt on PC or Mac's Terminal application) to take over an operating system and access confidential information.
A post from open-source software company Red Hat warned that "it is common for a lot of programs to run Bash shell in the background," and the bug is "triggered" when extra code is added within the lines of Bash code.
Security expert Robert Graham has warned that the Bash bug is bigger than Heartbleed because "the bug interacts with other software in unexpected ways" and because an "enormous percentage" of software interacts with the shell.


http://www.cnet.com/au/news/bigger-than-heartbleed-bash-bug-could-leave-it-systems-shellshocked/

Edited by Chicog

Surprised it took you so long to post this one Chicog - slow start today?

I can confirm that it affects all versions of Mac OSX - even v10.9.5, which was compiled on the day the exploit was first published (17th Sept).

I wouldn't want to be running a farm of 1,000 Linux boxes today though, and it's going to be interesting to see if the bug opens exploits on Android and iOS devices...

Guess we'll know soon...

For now, I think these tweets sum the situation up best:

https://twitter.com/SwiftOnSecurity/status/514947359394889728

https://twitter.com/FalsNameMcAlias/status/514947800245993472/photo/1

Side note: this should probably be in the parent board, seeing as it affects practically every computer and device that doesn't run Windows - e.g. like your router, your shiny new smartwatch, maybe even your Playstation and your WDTV.

Edited by IMHO

That c|net article is horribly written. Why don't they just say, "someone executing a bash script, on an unpatched or unpatchable system, can use the exploit to gain r/w access to areas of a system where none was originally granted." First, you have to have bash, and have access to run bash.

At least someone in the comments was helpful with this link:

www.webmaster.net
...and for PC users
Troy Hunt, Microsoft MVP and security specialist

All our things are on the Microsoft stack, are we at risk?

Short answer “no”, long answer “yes”. I’ll tackle the easy one first – Bash is not found natively on Windows and whilst there are Bash implementations for Windows, it’s certainly not common and it’s not going to be found on consumer PCs. It’s also not clear if products like win-bash are actually vulnerable to Shellshock in the first place.

The longer answer is that just because you operate in a predominantly Microsoft-centric environment doesn’t mean that you don’t have Bash running on machines servicing other discrete purposes within that environment.

Many of my media add-ons run in linux/bash environments under Windows. Hmm.
In an update to the webmaster article they posted: Windows devs be aware that msysgit includes a vulnerable bash version.
OK. I get it. End of the world
{
I get dibs on your big screen TV after you're gone;
Damn, it's a SmartTV running an unpatched version of linux
Nevermind;
}
/// EDIT
I definitely preferred this article over the others I've read:

The vulnerability has to do with how Bash handles environment variables. When assigning a function to a variable, any extra code in the definition will also be executed. So all an attacker has to do is somehow append a bunch of commands in that definition—a classic code-injection attack—and they will be able to remotely hijack the affected machine. Chazelas and other researchers who have looked at the flaw have confirmed that it is easily exploitable if the code is injected into environmental variables, such as the ForceCommand feature in OpenSSH sshd, the mod_cgi and mod_cgid modules in Apache HTTP Server, or scripts which set the environment for DHCP clients.

"A large number of programs on Linux and other UNIX systems use Bash to set up environmental variables which are then used while executing other programs," Jim Reavis, chief exec of the Cloud Security Alliance, wrote in a blog post.

[...]

"It's not as 'simple' as 'be running Bash,'" Beardsley said. For the machine to be vulnerable to attack, there needs to be an application (like Apache) taking in user input (like a User-Agent header) and putting it into an environment variable (which CGI scripts do), he said. Modern Web frameworks will generally not be affected, he said.

Edited by RichCor
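The condition quoted in the post above (a web server copying a request header such as User-Agent into an environment variable for a CGI script) leaves a recognisable trace in access logs. The following is an added example, not code from any poster or from the quoted articles: it flags log entries whose request line, Referer or User-Agent begins with the function-definition prefix `() {`. It assumes the Apache "combined" log format; `sample_log` and `scan_log` are hypothetical names, and the log lines are constructed.

```shell
#!/bin/sh
# Added example: detect Shellshock-style header values in an access log.
# Assumption: Apache "combined" format, i.e. three double-quoted fields per
# line: "request" ... "referer" "user-agent".

# Constructed sample lines (documentation IP ranges, not real traffic).
# The flagged value is the harmless test string already shown on this page.
sample_log() {
cat <<'EOF'
192.0.2.10 - - [25/Sep/2014:10:01:02 +0000] "GET /index.html HTTP/1.1" 200 512 "-" "Mozilla/5.0 (X11; Linux x86_64)"
198.51.100.7 - - [25/Sep/2014:10:01:05 +0000] "GET /cgi-bin/status HTTP/1.1" 200 87 "-" "() { :;}; echo vulnerable"
203.0.113.4 - - [25/Sep/2014:10:02:11 +0000] "GET /cgi-bin/status HTTP/1.1" 200 87 "() { :;}; echo vulnerable" "curl/7.38.0"
192.0.2.11 - - [25/Sep/2014:10:03:40 +0000] "GET /docs/f(){}.txt HTTP/1.1" 404 209 "-" "Mozilla/5.0"
EOF
}

# scan_log [FILE...]: reads the named files (or stdin) and prints
# "<client> <field-name> <value>" for every quoted field that STARTS with
# "() {" (optional blanks tolerated). Exit status 0 = hits found, 1 = none.
# Limitation: splitting on '"' misreads fields containing escaped quotes.
scan_log() {
    awk -F'"' '
    BEGIN { name[2] = "request"; name[4] = "referer"; name[6] = "user-agent" }
    {
        split($1, pre, " ")                 # pre[1] is the client address
        for (i = 2; i <= 6; i += 2) {
            # Anchored match: "()" elsewhere in a value is not flagged.
            if ($i ~ /^[ \t]*[(][)][ \t]*[{]/) {
                printf "%s %s %s\n", pre[1], name[i], $i
                hits++
            }
        }
    }
    END { exit (hits > 0 ? 0 : 1) }
    ' "$@"
}

# Stand-alone run over the constructed sample: prints the two flagged entries.
sample_log | scan_log
```

A hit only shows that someone sent such a value; whether it was executed depends on the request reaching an unpatched Bash through CGI or a similar path.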

Is this bigger than remotely requesting and receiving chunks of the server's memory? Not sure you can do much more shellshocked than finding this sort of issue in your environment.

Farging computers

Or is this bigger than Heartbleed based on the install base of bash.. Cause the issue as I have read is certainly nasty, but not even in the same universe as a heartbleed issue.


Think script injection via buffer overflow vulnerability.

Websites that take common user input (like a User-Agent header) and put it into an environment variable (which CGI scripts do) before doing a records match. Except the manipulated data causes the bash script to execute code.

So yes, much bigger.


Thanks for bringing my attention to this. With regret I recently abandoned lubuntu, went over to linux lite.

Anyway, working through RichCor's responses, found out my [bash] is considered safe. AA


Thanks for bringing my attention to this. With regret I recently abandoned lubuntu, went over to linux lite.

Anyway, working through RichCor's responses, found out my [bash] is considered safe. AA

AFAIK, there's no version of Bash considered safe.. even the patches released yesterday are only a partial fix - they are still exploitable.


Actually my Git Bash in Windows was vulnerable too

Bash Test

env x='() { :;}; echo vulnerable' bash -c "echo this is a test" | grep vulnerable

PHP Test

<?php

echo `env x='() { :;}; echo vulnerable' bash -c "echo this is a test" | grep vulnerable`;

?>

In both cases it will show the text "vulnerable" if it is vulnerable and nothing if it is OK.

There is a second patch because the first one did not fix the problem entirely

http://www.thaivisa.com/forum/topic/763828-vulnerability-in-bashx2-worst-that-heartbleed/

