'Bigger than Heartbleed': Bash bug could leave IT systems in shellshock
- CNET
Shell Shock: Bash bug labelled largest ever to hit the internet
- Sydney Herald
You might have heard about the "ShellShock" bug in the bash shell that everyone is talking about. You might ask what the big deal is, and say that you don't even use bash. It might astound you if I say that this bug exists in so many systems, from your fancy smart watches to Android phones to MacBooks to powerful web/email/DHCP servers. Basically, the bash shell is used everywhere!
The "Heartbleed" bug, a vulnerability in OpenSSL servers, created a huge fuss a few months back. Experts think that ShellShock is much more serious than that, considering the number of systems affected. A lot of military and government organizations are at risk.
So what is Shell Shock?
It is a vulnerability present in bash till 4.3. Because of this, a lot of applications that use bash are not safe. This 22-year-old bug exists because of the way bash handles environment variables. It is common to assign a function to an environment variable in shell scripts. However, it was noticed that any code trailing the function definition is also executed when bash reads the variable. Hence it is possible to remotely execute malicious code on many websites by just injecting it at the end of a function definition.
To give more detail, consider:
env X="() { pwd; ls;}; echo hacked" bash -c "echo done"
The result is:
hacked
done
After the function definition, the malicious code echo hacked was also executed!
Am I safe?
Open a terminal and execute this:
env X="() { pwd; ls;}; echo hacked" bash -c "echo done"
You have to worry if the result is:
hacked
done
instead of
done
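The one-liner above only tests whichever bash comes first in PATH, while a host can carry several copies. The following is an added example, not part of the original post, that runs the same probe with a harmless echo against each bash binary it can find; the marker string, function names and candidate paths are assumptions made for the example.

```shell
#!/bin/sh
# Added example (not from the original post): probe every bash binary on a host.
# MARKER and all function names are constructed for this example.
MARKER="SHELLSHOCK_PROBE_$$"

# Print "vulnerable", "patched" or "missing" for one bash binary (absolute path).
shellshock_status() {
    bin=$1
    [ -x "$bin" ] || { echo missing; return 0; }
    # env -i empties the environment so only X reaches the shell under test.
    # The trailing command is a harmless echo; a patched bash never runs it.
    out=$(env -i X="() { :;}; echo $MARKER" "$bin" -c ':' 2>/dev/null) || true
    case $out in
        *"$MARKER"*) echo vulnerable ;;
        *)           echo patched ;;
    esac
}

# Candidate binaries: common install paths, the bash in PATH, and /etc/shells.
list_bash_binaries() {
    {
        printf '%s\n' /bin/bash /usr/bin/bash /usr/local/bin/bash
        command -v bash || true
        if [ -r /etc/shells ]; then grep -E '^/(.*/)?bash$' /etc/shells || true; fi
    } | sort -u
}

# Print "path: status" for each binary found; return 1 if any is vulnerable.
scan_host() {
    report=$(list_bash_binaries | while IFS= read -r bin; do
        status=$(shellshock_status "$bin")
        [ "$status" = missing ] || echo "$bin: $status"
    done)
    [ -z "$report" ] || printf '%s\n' "$report"
    case $report in
        *": vulnerable"*) return 1 ;;
    esac
    return 0
}

scan_host || echo "At least one bash binary still needs the patch."
```

The non-zero return from scan_host makes it easy to call from a cron job or a configuration-management check.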
In action!
There are three files in the folder:
DO_NOT_DELETE_THIS.txt
IMPORTANT.txt
I_WILL_GET_FIRED_IF_I_LOSE_THIS_FILE.txt
After executing this, all the files get deleted!
env X="() { :;}; rm -rf *" bash -c "echo completed"
Note that rm -rf * is injected (here I have just typed it :P) and it wipes the folder clean.
How to fix this?
Considering the amount of legacy code which can't be modified, we need a patch in bash itself. Fortunately, a workaround is provided by Red Hat here. Sysadmins, make sure that you apply this patch if you don't want to get fired :P
Worth Reading
Bash 'shellshock' bug is wormable
'Bigger than Heartbleed': Bash bug could leave IT systems in shellshock
Thanks for sharing that link :)