topbanner_forum
  *

avatar image

Welcome, Guest. Please login or register.
Did you miss your activation email?

Login with username, password and session length
  • Thursday December 5, 2024, 2:02 am
  • Proudly celebrating 15+ years online.
  • Donate now to become a lifetime supporting member of the site and get a non-expiring license key for all of our programs.
  • donate

Last post Author Topic: Linux bash exploit discovered  (Read 24153 times)

mouser

  • First Author
  • Administrator
  • Joined in 2005
  • *****
  • Posts: 40,913
    • View Profile
    • Mouser's Software Zone on DonationCoder.com
    • Read more about this member.
    • Donate to Member
Linux bash exploit discovered
« on: September 24, 2014, 07:36 PM »
"Akamai has validated the existence of the vulnerability in bash, and confirmed its presence in bash for an extended period of time. We have also verified that this vulnerability is exposed in ssh---but only to authenticated sessions. Web applications like cgi-scripts may be vulnerable based on a number of factors; including calling other applications through a shell, or evaluating sections of code through a shell.

There are several functional mitigations for this vulnerability: upgrading to a new version of bash, replacing bash with an alternate shell, limiting access to vulnerable services, or filtering inputs to vulnerable services. Akamai has created a WAF rule to filter this exploit; see "For Web Applications" below for details."

http://www.csoonline...h-cve-2014-6271.html

Gothi[c]

  • DC Server Admin
  • Charter Honorary Member
  • Joined in 2006
  • ***
  • Posts: 873
    • View Profile
    • linkerror
    • Donate to Member
Re: Linux bash exploit discovered
« Reply #1 on: September 24, 2014, 08:37 PM »
The RH article has a nice summary of possible attack vectors: https://access.redha...com/articles/1200223

Jibz

  • Developer
  • Joined in 2005
  • ***
  • Posts: 1,187
    • View Profile
    • Donate to Member
Re: Linux bash exploit discovered
« Reply #2 on: September 25, 2014, 12:28 AM »
That's awful. Looks a bit like a bash version of http://xkcd.com/327/

TaoPhoenix

  • Supporting Member
  • Joined in 2011
  • **
  • Posts: 4,642
    • View Profile
    • Donate to Member
Re: Linux bash exploit discovered
« Reply #3 on: September 25, 2014, 06:40 AM »
Also awful is "and confirmed its presence in bash for an extended period of time".

So this is roughly a second time that I have heard of, (I'm sure there are more) where flaws in otherwise trusted non-Windows Non-Adobe/Java stuff has been sitting on a vulnerability for who knows how long, and the "good guys" only found it in 2014. I mean, I know zero about Linux, but isn't bash one of those "deep core" little items that's been around forever?

(Glancing at the article for snips)
"...has been given the name Shellshock by some"

"this is the sort of exploit that will be lurking around in all various and sundry sorts of software, both local and remote. It's quite common for embedded devices with web-enabled front-ends to shuttle user input back and forth via bash shells, for example -- routers, SCADA/ICS devices, medical equipment, and all sorts of webified gadgets are likely to be exposed."

It's like a war now. "My heart is bleeding, and now I have shellshock." :(

Meanwhile in a tangentially related article I don't have the link to this minute, someone reported that hackers want medical data even more than credit cards now, and it remarked that hospitals don't always have top-notch IT departments. So if someone gets into some medical equipment, that could cause a mess!!
Robin Cook, where are you?
:o
« Last Edit: September 25, 2014, 06:46 AM by TaoPhoenix »

Renegade

  • Charter Member
  • Joined in 2005
  • ***
  • Posts: 13,291
  • Tell me something you don't know...
    • View Profile
    • Renegade Minds
    • Donate to Member
Re: Linux bash exploit discovered
« Reply #4 on: September 25, 2014, 09:04 PM »
So this is roughly a second time that I have heard of, (I'm sure there are more) where flaws in otherwise trusted non-Windows Non-Adobe/Java stuff has been sitting on a vulnerability for who knows how long, and the "good guys" only found it in 2014. I mean, I know zero about Linux, but isn't bash one of those "deep core" little items that's been around forever?

God only knows how many of these are floating out there.

I worked on bada for a while, and I was pretty surprised when it was shelved for Tizen. It had an excellent security model. Pretty much everything was entirely encapsulated to an insane degree.

For example, you couldn't really ever do this:

myVar = SomeFunction(input1, input2);

Instead, you had to do this:

Error myError = SomeFunction(input1, input2, out myVar);

Functions returned only error values, so if things go smooth, you might have "myError" equal to "Error.OK" or something like that.

It allowed for functions to operate as black boxes with error checking already incorporated.

A lot of functions returned booleans, but whatever - same diff - errors are caught.

I checked the exploit above, and it seems rather odd that it was never caught before. One has to wonder who the committers are for some of these.
Slow Down Music - Where I commit thought crimes...

Freedom is the right to be wrong, not the right to do wrong. - John Diefenbaker

Tuxman

  • Supporting Member
  • Joined in 2006
  • **
  • Posts: 2,507
    • View Profile
    • Donate to Member
Re: Linux bash exploit discovered
« Reply #5 on: September 26, 2014, 03:37 AM »
So this is roughly a second time that I have heard of, (I'm sure there are more) where flaws in otherwise trusted non-Windows Non-Adobe/Java stuff has been sitting on a vulnerability for who knows how long, and the "good guys" only found it in 2014.

Don't trust Linux.

While Linux would work without bash, the GNU/Linux ecosystem mostly got down to it. Here we go with another example of Linux's bad design: As everything is third-party software, no one triggers a decent QA.

Renegade

  • Charter Member
  • Joined in 2005
  • ***
  • Posts: 13,291
  • Tell me something you don't know...
    • View Profile
    • Renegade Minds
    • Donate to Member
Re: Linux bash exploit discovered
« Reply #6 on: September 26, 2014, 07:22 AM »
Don't trust Linux.

While Linux would work without bash, the GNU/Linux ecosystem mostly got down to it. Here we go with another example of Linux's bad design: As everything is third-party software, no one triggers a decent QA.

What would you recommend as a day-to-day usable OS? FreeBSD? OpenBSD? Other?
Slow Down Music - Where I commit thought crimes...

Freedom is the right to be wrong, not the right to do wrong. - John Diefenbaker

Tuxman

  • Supporting Member
  • Joined in 2006
  • **
  • Posts: 2,507
    • View Profile
    • Donate to Member
Re: Linux bash exploit discovered
« Reply #7 on: September 26, 2014, 07:25 AM »
Depends on what you do day-by-day. My day-by-day systems are Windows and FreeBSD, randomly supported by OpenBSD. All of them do different things for me.

40hz

  • Supporting Member
  • Joined in 2007
  • **
  • Posts: 11,859
    • View Profile
    • Donate to Member
Re: Linux bash exploit discovered
« Reply #8 on: September 26, 2014, 08:42 AM »
You can run a quick test to see if your version of bash has the vulnerability.

Enter the following in your terminal (sudo not necessary):

env x='() { :;}; echo vulnerable' bash -c "echo this is a test"

If the vulnerability is present you will receive this output:

vulnerable
 this is a test


If not, it will display:

bash: warning: x: ignoring function definition attempt
 bash: error importing function definition for `x'
 this is a test


With thanks to Ars Technica. More info on this vulnerability test and what it means can be found in this article.

Several major distros already have the first pass patches uploaded to their repositories so the normal software updates should handle getting the patch to you. Check with your distro website for more info.
 8)

mouser

  • First Author
  • Administrator
  • Joined in 2005
  • *****
  • Posts: 40,913
    • View Profile
    • Mouser's Software Zone on DonationCoder.com
    • Read more about this member.
    • Donate to Member
Re: Linux bash exploit discovered
« Reply #9 on: September 26, 2014, 08:49 AM »
ps. DonationCoder main and member servers were both patched to protect against the exploit (thanks DC member Gothic!)

wraith808

  • Supporting Member
  • Joined in 2006
  • **
  • default avatar
  • Posts: 11,190
    • View Profile
    • Donate to Member
Re: Linux bash exploit discovered
« Reply #10 on: September 26, 2014, 10:39 AM »
A note... git bash is vulnerable

Renegade

  • Charter Member
  • Joined in 2005
  • ***
  • Posts: 13,291
  • Tell me something you don't know...
    • View Profile
    • Renegade Minds
    • Donate to Member
Re: Linux bash exploit discovered
« Reply #11 on: September 26, 2014, 11:46 AM »
A note... git bash is vulnerable

Shhhh! That's my Viagra email server!!! :P
Slow Down Music - Where I commit thought crimes...

Freedom is the right to be wrong, not the right to do wrong. - John Diefenbaker

Ath

  • Supporting Member
  • Joined in 2006
  • **
  • Posts: 3,629
    • View Profile
    • Donate to Member
Re: Linux bash exploit discovered
« Reply #12 on: September 26, 2014, 12:05 PM »
env x='() { :;}; echo vulnerable' bash -c "echo this is a test"

That's the simple test, but this one still shows the date/time of execution after patch 1 is applied:
rm -f echo && env -i  X='() { (a)=>\' bash -c 'echo date'; cat echo
After applying the second patch it should just do nothing, afaik.
Oh, run it in an empty directory, just to be safe, it will delete, and can create, a file called echo

Stoic Joker

  • Honorary Member
  • Joined in 2008
  • **
  • Posts: 6,649
    • View Profile
    • Donate to Member
Re: Linux bash exploit discovered
« Reply #13 on: September 26, 2014, 05:01 PM »

ewemoa

  • Honorary Member
  • Joined in 2008
  • **
  • Posts: 2,922
    • View Profile
    • Donate to Member
Re: Linux bash exploit discovered
« Reply #14 on: September 26, 2014, 05:28 PM »
IIUC, there are at least two more issues that have surfaced from investigating the original issue [1].  The following mentions CVE ids for these (handy to distinguish among issues):

  http://article.gmane.org/gmane.comp.security.oss.general/13937



On a side note, looks like there's an FF issue that surfaced in a similar time frame...

Update: didn't realize Chrome appears to be affected too.



1
...who knows how many more may be discovered...and which of those will remain unreported...


rgdot

  • Supporting Member
  • Joined in 2009
  • **
  • Posts: 2,193
    • View Profile
    • Donate to Member
Re: Linux bash exploit discovered
« Reply #15 on: September 26, 2014, 05:41 PM »
not really an over reaction but it may be seen as one
Soon there will be a "recommendation" to turn off all devices and just go out and talk personally? I don't think I am exaggerating when I say we are at a tipping point or cross roads and not just technologically speaking. A war there, a hack there, a criminal over there, a new enemy over in the other place, etc.

At some point humanity should decide if it wants to try a future ala Star Trek or just give up and just nuke each other to oblivion


Deozaan

  • Charter Member
  • Joined in 2006
  • ***
  • Points: 1
  • Posts: 9,775
    • View Profile
    • Read more about this member.
    • Donate to Member
Re: Linux bash exploit discovered
« Reply #16 on: September 26, 2014, 06:00 PM »
This is my primary source for information about the bash exploit:

Everything you need to know about the Shellshock Bash bug

As I understand it, it's not just Linux. It's pretty much anything with bash. This includes Unix systems, OSX, Linux, Internet of Things (toasters, thermostats, lightbulbs), routers, and even some tools for Windows that include bash.

It's a pretty severe problem. )c:

Tuxman

  • Supporting Member
  • Joined in 2006
  • **
  • Posts: 2,507
    • View Profile
    • Donate to Member
Re: Linux bash exploit discovered
« Reply #17 on: September 26, 2014, 06:02 PM »
Unix doesn't default to bash. Unix rocks.

ewemoa

  • Honorary Member
  • Joined in 2008
  • **
  • Posts: 2,922
    • View Profile
    • Donate to Member
Re: Linux bash exploit discovered
« Reply #18 on: September 26, 2014, 07:48 PM »
May be there will be more movement away from using Bash as the default system shell for systems that currently use it.

IIRC, sometime ago Debian switched away from bash as the default system shell to using dash.
« Last Edit: September 26, 2014, 08:16 PM by ewemoa »

Tuxman

  • Supporting Member
  • Joined in 2006
  • **
  • Posts: 2,507
    • View Profile
    • Donate to Member
Re: Linux bash exploit discovered
« Reply #19 on: September 26, 2014, 07:53 PM »
Not in Linuxland. The bash is the only major GPL'ed shell.

ewemoa

  • Honorary Member
  • Joined in 2008
  • **
  • Posts: 2,922
    • View Profile
    • Donate to Member
Re: Linux bash exploit discovered
« Reply #20 on: September 26, 2014, 08:19 PM »
I'm not sure what the current status is, but FWIW at some point Ubuntu was using dash as its default system shell:

  https://wiki.ubuntu.com/DashAsBinSh

Tuxman

  • Supporting Member
  • Joined in 2006
  • **
  • Posts: 2,507
    • View Profile
    • Donate to Member
Re: Linux bash exploit discovered
« Reply #21 on: September 26, 2014, 08:20 PM »
indeed, it is still the default login shell

 :huh:

ewemoa

  • Honorary Member
  • Joined in 2008
  • **
  • Posts: 2,922
    • View Profile
    • Donate to Member
Re: Linux bash exploit discovered
« Reply #22 on: September 26, 2014, 08:27 PM »
According to Gentoo's wiki:

As some sh scripts may have bashisms in them, it is not guaranteed to work out-of-the-box on Gentoo as /bin/sh replacement.

via:  http://wiki.gentoo.org/wiki/Dash

May be if that's still the case, there will be more incentive to make some appropriate changes...

OTOH, there's this:

  https://bugs.gentoo.org/45735?id=45735

with the status RESOLVED CANTFIX

ewemoa

  • Honorary Member
  • Joined in 2008
  • **
  • Posts: 2,922
    • View Profile
    • Donate to Member
Re: Linux bash exploit discovered
« Reply #23 on: September 26, 2014, 09:19 PM »
I just checked a relatively recent version of Linux Mint (17 I think), and /bin/sh symlinked to dash, so my guess is that Ubuntu still uses dash as the system shell.

ewemoa

  • Honorary Member
  • Joined in 2008
  • **
  • Posts: 2,922
    • View Profile
    • Donate to Member
Re: Linux bash exploit discovered
« Reply #24 on: September 26, 2014, 10:12 PM »
Arch seems to have taken the position (at least at some point) of not switching:

We are using bash arrays and lots of other bash features, removing them now is simply impossible. bash it is, and will be.

via https://bugs.archlinux.org/task/19551