Linked by Thom Holwerda on Fri 26th Sep 2014 05:00 UTC
Privacy, Security, Encryption

By now you may have heard about a new bug found in the Bash shell. And unless you're a programmer or security expert, you're probably wondering if you should really worry. The short answer is: Don't panic, but you should definitely learn more about it, because you may be in contact with vulnerable devices.

This bug, baptized "Shellshock" by Security Researchers, affects the Unix command shell "Bash," which happens to be one of the most common applications in those systems. That includes any machine running Mac OS X or Linux.

A very simple and straightforward explanation of this major new security issue. The OSNews servers were updated yesterday.

RE[2]: Routers
by snorkel2 on Fri 26th Sep 2014 16:56 UTC in reply to "RE: Routers"
snorkel2 Member since:
2007-03-06

The CGI scripts have to be written in bash or another language that spawns a bash shell.
They can't exploit this without a bash script already being present in the cgi-bin directory.
If they have already gained access to put a script in cgi-bin you have bigger problems.

They are making this into a bigger deal than it really is.

Reply Parent Score: 5

RE[3]: Routers
by Alfman on Fri 26th Sep 2014 18:03 in reply to "RE[2]: Routers"
Alfman Member since:
2011-01-28

snorkel2,

> The CGI scripts have to be written in bash or another language that spawns a bash shell.
> They can't exploit this without a bash script already being present in the cgi-bin directory.
> If they have already gained access to put a script in cgi-bin you have bigger problems.
>
> They are making this into a bigger deal than it really is.


It's not so simple. This was very poorly explained by the article, but it is a much bigger deal than some people realize.


Consider these two tests
env x='() { :;}; echo vulnerable' dash -c 'echo this is a test'
env x='() { :;}; echo vulnerable' bash -c 'echo this is a test'


The dash shell runs as expected.
However, due to the bug in the bash shell, it actually executes the contents of the 'x' environment variable. Note that it's often the case for remote users to have write access to the contents of environment variables by design (i.e. HTTP_USER_AGENT).


Before we write this off as an isolated problem to those who intentionally exposed bash shell via a CGI-like mechanism, we should be aware that libc can internally call upon the bash shell.

In GNU libc, system() -> __libc_system() -> do_system(). This executes /bin/sh, which on some distros points to bash. Therefore anything calling the stdlib "system()" call is potentially exposing this vulnerability!!

Does PHP use it? Apache? nginx? MySQL? ImageMagick? postfix? exim? etc... Mind you, I'm not asserting that any of these are necessarily vulnerable, only that they could be by inadvertently calling "system()" while using environment variables crafted by the attacker. Obviously the bug isn't in any of these programs; however, the problem is they can potentially expose it by spawning innocent helper processes using the "system()" call.

Reply Parent Score: 5
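
The inheritance path described in the post above (request data held in an environment variable, then system() starting /bin/sh), as an added example that is not part of the original comment. The function names child_sees and scrub_function_like_env are hypothetical, the HTTP_USER_AGENT value is the test string from the post used as a constructed sample, and the scrub is an assumed stopgap for a helper-spawning program, not a replacement for an updated bash.

```c
#define _POSIX_C_SOURCE 200809L
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/wait.h>

extern char **environ;

/* 1 if the /bin/sh child started by system() inherits variable `name`.
 * `name` must be a trusted identifier: it is pasted into the command. */
int child_sees(const char *name) {
    char cmd[128];
    snprintf(cmd, sizeof cmd, "[ -n \"${%s+set}\" ]", name);
    int st = system(cmd);
    return st != -1 && WIFEXITED(st) && WEXITSTATUS(st) == 0;
}

/* Unset every variable whose value starts with "() {", the form used by
 * the test string in the post. Returns the number of variables removed. */
int scrub_function_like_env(void) {
    int removed = 0;
    for (char **e = environ; e != NULL && *e != NULL; ) {
        const char *eq = strchr(*e, '=');
        if (eq != NULL && eq != *e && strncmp(eq + 1, "() {", 4) == 0) {
            char *name = strndup(*e, (size_t)(eq - *e));
            if (name != NULL && unsetenv(name) == 0) {
                free(name);
                removed++;
                e = environ;   /* unsetenv() rearranges environ: rescan */
                continue;
            }
            free(name);
        }
        e++;
    }
    return removed;
}

int main(void) {
    /* Constructed sample: a request header stored the way a CGI gateway
     * would store it, plus one harmless header for comparison. */
    setenv("HTTP_USER_AGENT", "() { :;}; echo vulnerable", 1);
    setenv("HTTP_ACCEPT", "text/html", 1);
    printf("before: shell child sees UA = %d\n", child_sees("HTTP_USER_AGENT"));
    printf("scrubbed %d variable(s)\n", scrub_function_like_env());
    printf("after:  shell child sees UA = %d, ACCEPT = %d\n",
           child_sees("HTTP_USER_AGENT"), child_sees("HTTP_ACCEPT"));
    return 0;
}
```

The program never mentions bash and never passes the header on a command line; the value reaches the shell only because system() hands the whole environment to /bin/sh.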

RE[4]: Routers
by rhavenn on Fri 26th Sep 2014 18:54 in reply to "RE[3]: Routers"
rhavenn Member since:
2006-05-12

That's exactly what he said.

If you don't have a CGI script that's written in bash or have some PHP / Python / Ruby / whatever script that is spawning a bash shell then it's not a problem. An external attacker isn't going to magically be able to spawn a bash shell.

The big ones are people who are using a cPanel / Plex like setup that don't know what's under the hood, but there is something there that is spawning a bash shell in a known location. Custom scripts, although still vulnerable, will take a bit more time for the hackers to find.

note: not saying cPanel / Plex are vulnerable, just using them as examples.

Reply Parent Score: 3

RE[4]: Routers
by snorkel2 on Fri 26th Sep 2014 19:53 in reply to "RE[3]: Routers"
snorkel2 Member since:
2007-03-06

It is that simple.
If you have an Apache server and no CGIs that are written in bash, who does that anymore anyway? and you don't spawn a shell you're pretty safe.

For example I have bash on my web server and I have several CGIs in Python and I know for a fact they don't call popen or use a shell. I think I would be pretty safe even without an updated bash.

Also how would they set these environment vars? Wouldn't they need access to the system to set them in the first place? Seems to me they would need to find an exploit to set the vars and if they were able to do that why would they need to use the bash bug?

Edited 2014-09-26 20:02 UTC

Reply Parent Score: 2

RE[4]: Routers
by Soulbender on Sat 27th Sep 2014 08:51 in reply to "RE[3]: Routers"
Soulbender Member since:
2005-08-18

> Does PHP use it? Apache? nginx? MySQL? ImageMagick? postfix? exim?


PHP yes, Apache, nginx and MySQL I'd wager not. ImageMagick, postfix and exim (really dude? Exim?? :-P) probably do but for postfix and exim it might not be a problem unless they export tainted data as environment variables.

Reply Parent Score: 3