Pages

Thursday, 25 September 2014

ShellShock: Largest security bug ever in the computing world

​'Bigger than Heartbleed': Bash bug could leave IT systems in shellshock
- CNET

Shell Shock: Bash bug labelled largest ever to hit the internet
- Sydney herald

You might have heard about "ShellShock" bug in bash shell that everyone is talking about. You might ask what is the big deal about it? and say that you don't even use bash. It might astound you if I say that this bug exists in so many systems from your fancy smart watches to android phones to Macbooks to powerful web/email/DHCP servers. Basically, bash shell is used everywhere!
"Heatbleed" bug, a vulnerability in OpenSSL servers, created a huge fuss few months back. Experts think that ShellShock is much more serious than that considering the number of systems being affected. Lot of military and government organizations are at risk.


So what is Shell Shock?

It is a vulnerability present in bash till 4.3. Because of this lot of applications using bash are not safe. This 22 yr old bug exists because of the way bash handles environment variables. It is common to assign a function to an environment variable in shell scripts. However it was noticed that the trailing code in the function definition is also executed. Hence it is possible to remotely execute malicious code in many websites by just injecting it at the end of function definition.

To give more detail consider:

env X="() { pwd; ls;}; echo hacked" bash -c "echo done"

The result is:
hacked
done

After function definition, malicious code echo hacked was also executed!

Am I safe?

Open terminal and execute this:

env X="() { pwd; ls;}; echo hacked" bash -c "echo done"

You have to worry if the result is:
hacked
done

instead of
done

In action!

There are three files in the folder:
DO_NOT_DELETE_THIS.txt
IMPORTANT.txt
I_WILL_GET_FIRED_IF_I_LOSE_THIS_FILE.txt

after executing this all files get deleted!:

env X="() { :;}; rm -rf *" bash -c "echo completed"

Note that rm -rf * is injected (Here I have just typed :P) and it wipes the folder clean



How to fix this?

Considering the amount of legacy code which can't be modified, we need a patch in bash itself. Fortunately, a workaround is provided by RedHat here.
Sysadmins make sure that you apply this patch if you don't want to get fired :P

Worth Reading


Bash 'shellshock' bug is wormable

​'Bigger than Heartbleed': Bash bug could leave IT systems in shellshock



1 comment: