Chicog Posted September 25, 2014 Share Posted September 25, 2014 (edited) Time to patch again... Just months after news of Heartbleed made waves across the internet, a new security flaw known as Bash bug is threatening to compromise everything from major servers to connected cameras.A new security vulnerability, known alternately as the Bash or Shellshock bug, could spell disaster for major digital companies, small-scale web hosts and even internet-connected devices.The quarter-century-old security flaw allows malicious code execution within the bash shell (commonly accessed through Command Prompt on PC or Mac's Terminal application) to take over an operating system and access confidential information.A post from open-source software company Red Hat warned that "it is common for a lot of programs to run Bash shell in the background," and the bug is "triggered" when extra code is added within the lines of Bash code.Security expert Robert Graham has warned that the Bash bug is bigger than Heartbleed because "the bug interacts with other software in unexpected ways" and because an "enormous percentage" of software interacts with the shell. http://www.cnet.com/au/news/bigger-than-heartbleed-bash-bug-could-leave-it-systems-shellshocked/ Edited September 25, 2014 by Chicog Link to comment Share on other sites More sharing options...
canuckamuck Posted September 25, 2014 Share Posted September 25, 2014 Farging computers Link to comment Share on other sites More sharing options...
IMHO Posted September 25, 2014 Share Posted September 25, 2014 (edited) Surprised it took you so long to post this one Chicog - slow start today? I can confirm that it effects all version of Mac OSX - even v10.9.5, which was compiled on the day the exploit was first published (17th Sept). I wouldn't want to be running a farm of 1,000 Linux boxes today though, and it's going to be interesting to see if the bug opens exploits on Android and iOS devices... Guess we'll know soon... For now, I think these tweets sum the situation up best: https://twitter.com/SwiftOnSecurity/status/514947359394889728 https://twitter.com/FalsNameMcAlias/status/514947800245993472/photo/1 Side note: this should probably be in the parent board, seeing as it effects practically every computer and device that doesn't run Windows - e.g. like your router, your shiny new smartwatch, maybe even your Playstation and your WDTV. Edited September 25, 2014 by IMHO Link to comment Share on other sites More sharing options...
RichCor Posted September 25, 2014 Share Posted September 25, 2014 (edited) That c|net article is horribly written. Why don't they just say, "someone executing a bash script, on an unpatched or unpatchable system, can use the exploit to gain r/w access to areas of a system where non was originally granted." First, you have to have bash, and have access to run bash. At least someone in the comments was helpful with this link: www.webmaster.net ‘Shell Shock’ Remote Code Exploitation: How To Patch Bash And Determine If Your System Is Vulnerable ...and for PC users My Company Only Runs On Microsoft Products, Am I Safe? Troy Hunt, Microsoft MVP and security specialist All our things are on the Microsoft stack, are we at risk? Short answer “no”, long answer “yes”. I’ll tackle the easy one first – Bash is not found natively on Windows and whilst there are Bash implementations for Windows, it’s certainly not common and it’s not going to be found on consumer PCs. It’s also not clear if products like win-bash are actually vulnerable to Shellshock in the first place. The longer answer is that just because you operate in a predominantly Microsoft-centric environment doesn’t mean that you don’t have Bash running on machines servicing other discrete purposes within that environment. Many of my media add-ons run in linux/bash environments under Windows. Hmm. In an update to the webmaster article they posted: Windows devs be aware that msysgit includes a vulnerable bash version. OK. I get it. End of the world { I get dibs on your big screen TV after you're gone; Damn, it's a SmartTV running an unpatched version of linux Nevermind; } /// EDIT I definitely preferred this article over the others I've read: PC-World Securilty Watch: Serious Bash Flaw Lets Attackers Hijack Linux and Mac Computers The vulnerability has to do with how Bash handles environment variables. When assigning a function to a variable, any extra code in the definition will also be executed. So all an attacker has to do is somehow append a bunch of commands in that definition—a classic code-injection attack—and they will be able to remotely hijack the affected machine. Chazelas and other researchers who have looked at the flaw have confirmed that it is easily exploitable if the code is injected into environmental variables, such as the ForceCommand feature in OpenSSH sshd, the mod_cgi and mod_cgid modules in Apache HTTP Server, or scripts which set the environment for DHCP clients. "A large number of programs on Linux and other UNIX systems use Bash to set up environmental variables which are then used while executing other programs," Jim Reavis, chief exec of the Cloud Security Alliance, wrote in a blog post.[...] "It's not as 'simple' as 'be running Bash,'" Beardsley said. For the machine to be vulnerable to attack, there needs to be an application (like Apache) taking in user input (like a User-Agent header) and putting it into an environment variable (which CGI scripts do), he said. Modern Web frameworks will generally not be affected, he said. Edited September 25, 2014 by RichCor 1 Link to comment Share on other sites More sharing options...
jcisco Posted September 25, 2014 Share Posted September 25, 2014 Is this bigger than remotely requesting and receiving chunks of the the servers memory. Not sure you can do much more shellshocked than finding this sort of issue in your environment. Farging computers Or is this bigger than Heartbleed based on the install base of bash.. Cause the issue as I have read is certainly nasty, but not even in the same universe as a heartbleed issue. Link to comment Share on other sites More sharing options...
RichCor Posted September 25, 2014 Share Posted September 25, 2014 Think script injection via buffer overflow vulnerability. Websites that take common user input (like a User-Agent header) and putting it into an environment variable (which CGI scripts do) before doing a records match. Except the manipulated data causes the bash script to execute code. So yes, much bigger. Link to comment Share on other sites More sharing options...
aarn Posted September 26, 2014 Share Posted September 26, 2014 Thanks for bringing my attention to this. With regret I recently abandoned lubuntu, went over to linux lite. Anyway, working through RichCor's responses, found out my [bash] is considered safe. AA Link to comment Share on other sites More sharing options...
IMHO Posted September 26, 2014 Share Posted September 26, 2014 Thanks for bringing my attention to this. With regret I recently abandoned lubuntu, went over to linux lite. Anyway, working through RichCor's responses, found out my [bash] is considered safe. AA AFAIK, there's no version of Bash considered safe.. even the patches released yesterday are only a partial fix - they are still exploitable. Link to comment Share on other sites More sharing options...
Chicog Posted September 26, 2014 Author Share Posted September 26, 2014 A few more helpful links: http://draios.com/shellshock-sysdig/ http://www.eweek.com/news/why-shellshock-bug-is-way-nastier-than-heartbleed.html https://shellshocker.net/ Link to comment Share on other sites More sharing options...
ITGabs Posted September 27, 2014 Share Posted September 27, 2014 Actually my Git Bash in Windows was vulnerable too Bash Test env x='() { :;}; echo vulnerable' bash -c "echo this is a test" | grep vulnerable PHP Test <?php echo `env x='() { :;}; echo vulnerable' bash -c "echo this is a test" | grep vulnerable`; ?> In both case will show the text vulnerable if is vulnerable and nothing if is ok There is a second patch because the first one not fix the problem entirely http://www.thaivisa.com/forum/topic/763828-vulnerability-in-bashx2-worst-that-heartbleed/ Link to comment Share on other sites More sharing options...
Recommended Posts
Create an account or sign in to comment
You need to be a member in order to leave a comment
Create an account
Sign up for a new account in our community. It's easy!
Register a new accountSign in
Already have an account? Sign in here.
Sign In Now