Major Bash vulnerability affects Linux, Unix, Mac OS X (shell shock)

Discussion in 'other security issues & news' started by Minimalist, Sep 24, 2014.

  1. Minimalist

    Minimalist Registered Member

    Joined:
    Jan 6, 2014
    Posts:
    5,057
  2. Gullible Jones

    Gullible Jones Registered Member

    Joined:
    May 16, 2013
    Posts:
    1,459
    This is actually a remote vulnerability, the Threatpost article just does a horrible job explaining it.

    http://seclists.org/oss-sec/2014/q3/650

    Edit: also I have to say, it says incredibly horrible things about the design of UNIX OSes that a vulnerability in the *local* command shell can make services vulnerable *that should not provide any access to said command shell, ever*.
     
  3. lotuseclat79

    lotuseclat79 Registered Member

    Joined:
    Jun 16, 2005
    Posts:
    5,095
    Hi Gullible,

    This vulnerability has been around since day one of the World Wide Web in browserland - notably since the Mosaic browser - i.e. it has nothing to do with the design of UNIX OSes - it is an implementation feature of how the browser makers designed that particular interface to execute whatever functionality. IOWs, there was no scrutiny whatsoever regarding security back in the day - which haunts us to this day.
     
  4. Gullible Jones

    Gullible Jones Registered Member

    Joined:
    May 16, 2013
    Posts:
    1,459
    Not sure I follow, as this is mainly a web service vulnerability, not a browser one? Or are you talking about CGI?
     
  5. lotuseclat79

    lotuseclat79 Registered Member

    Joined:
    Jun 16, 2005
    Posts:
    5,095
    The way the CGI is implemented via the Bash interface has never been secure!
     
  6. ronjor

    ronjor Global Moderator

    Joined:
    Jul 21, 2003
    Posts:
    57,729
    Location:
    Texas
    http://venturebeat.com/2014/09/24/bash/
     
  7. ronjor

    ronjor Global Moderator

    Joined:
    Jul 21, 2003
    Posts:
    57,729
    Location:
    Texas
    http://www.wired.com/2014/09/internet-braces-crazy-shellshock-worm/
     
  8. Gullible Jones

    Gullible Jones Registered Member

    Joined:
    May 16, 2013
    Posts:
    1,459
    I'm not talking about CGI scripts implemented in bash, more that any compromised process can export an environment variable and have bash pick it up and execute it...

    Although when you get down to it, the problem there is more DAC than UNIX specifically.

    I guess my point is, a vulnerability in a strictly local command shell should not translate into a remote exploit in a web service on a sanely configured server. Apache etc. should not be able to just export whatever into the user's environment. One vulnerable local program should not instantly create a remote hole.

    Edit: actually it's even worse than that, since in the case of DHCP clients it seems that stuff gets exported always, without any compromise of the client being necessary. Connect to a rogue server -> BOOM, instant root command shell.

    This is just incredibly stupid. The entire job of a command shell like bash is to execute arbitrary commands, that's what it is designed for; web services and client programs should never, ever depend on it not executing stuff for security. That's just ridiculous.
     
    Last edited: Sep 25, 2014
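The concern in the post above, that a service hands request-controlled values to whatever shell it later starts, can be addressed on the service side. This is an added example, not part of the thread: it builds a child environment from an allowlist, drops values shaped like a bash function export, and starts the child without a shell. The names `ALLOWED`, `build_child_env`, `run_handler` and the sample request are assumptions made for illustration.

```python
import re
import subprocess
import sys

# Bash builds affected by Shellshock parsed any environment value that began
# with "() {" as an exported function definition, whatever the variable name.
FUNC_DEF_PREFIX = re.compile(r"^\s*\(\)\s*\{")

# Hypothetical allowlist: the only request-derived variables the handler needs.
ALLOWED = {"REQUEST_METHOD", "QUERY_STRING", "HTTP_USER_AGENT", "HTTP_HOST"}


def looks_like_function_export(value):
    """True if a value has the shape bash would treat as a function body."""
    return bool(FUNC_DEF_PREFIX.match(value))


def build_child_env(untrusted):
    """Return (clean_env, rejected_names) built from untrusted name/value pairs."""
    clean = {"PATH": "/usr/bin:/bin"}  # fixed value, nothing inherited
    rejected = []
    for name, value in untrusted.items():
        if name not in ALLOWED or looks_like_function_export(value):
            rejected.append(name)
            continue
        clean[name] = value
    return clean, sorted(rejected)


def run_handler(untrusted):
    """Run a child with the filtered environment and no shell in between."""
    env, _ = build_child_env(untrusted)
    code = "import os; print(os.environ.get('HTTP_USER_AGENT', '-'))"
    # argv list plus shell=False: no /bin/sh or bash is started for this call
    done = subprocess.run([sys.executable, "-c", code], env=env, shell=False,
                          capture_output=True, text=True, check=True)
    return done.stdout.strip()


# Constructed sample request environment (not taken from the thread).
SAMPLE = {
    "REQUEST_METHOD": "GET",
    "HTTP_HOST": "www.example.test",
    "HTTP_USER_AGENT": "() { :; }; echo constructed-trailing-text",
    "HTTP_X_DEBUG": "1",
}

if __name__ == "__main__":
    print(build_child_env(SAMPLE))
    print(run_handler(SAMPLE))
```

The value-shape check is defence in depth; the allowlist and the absence of a shell are what remove the service's dependency on bash ignoring its environment.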
  9. siljaline

    siljaline Former Poster

    Joined:
    Jun 29, 2003
    Posts:
    6,619
  10. ronjor

    ronjor Global Moderator

    Joined:
    Jul 21, 2003
    Posts:
    57,729
    Location:
    Texas
  11. ronjor

    ronjor Global Moderator

    Joined:
    Jul 21, 2003
    Posts:
    57,729
    Location:
    Texas
    http://www.troyhunt.com/2014/09/everything-you-need-to-know-about.html
     
  12. FanJ

    FanJ Updates Team

    Joined:
    Feb 9, 2002
    Posts:
    2,564
    Update from Red Hat on 25 Sep:

    https://access.redhat.com/articles/1200223
     
  13. lotuseclat79

    lotuseclat79 Registered Member

    Joined:
    Jun 16, 2005
    Posts:
    5,095
    I believe I made no reference to 'scripts'. Since this vulnerability is a targeted attack - it is unlikely that it would have been uncovered in either design reviews or massive testing without a security vulnerability approach. Also, hindsight won't cure the problem unless a concerted effort is undertaken to comprehensively assure that both design/implementation reviews in concert with security tools target such vulnerability possibilities.

    See the following article at ArsTechnica:
    Bug in Bash shell creates big security hole on anything with *nix in it.

    -- Tom
     
  14. Gullible Jones

    Gullible Jones Registered Member

    Joined:
    May 16, 2013
    Posts:
    1,459
    Sorry, I guess I'm having some trouble articulating what I mean here...

    What I'm trying to say is, we have web services/clients/etc. depending on a command shell to be secure. And a command shell is, by definition, designed to execute arbitrary code. The flexibility of a command shell is inimical to any kind of security.

    Edit: sorry for using dubious adjectives above BTW (I realize "incredibly stupid" is kind of inflammatory). The state of the art in industrial/enterprise computing is pretty amazing, but it still leaves a lot wanting, pretty much across the board.
     
  15. Minimalist

    Minimalist Registered Member

    Joined:
    Jan 6, 2014
    Posts:
    5,057
    http://arstechnica.com/security/201...bility-grows-as-exploit-reported-in-the-wild/
     
  16. Veeshush

    Veeshush Registered Member

    Joined:
    Mar 16, 2014
    Posts:
    643
  17. Minimalist

    Minimalist Registered Member

    Joined:
    Jan 6, 2014
    Posts:
    5,057
  18. ronjor

    ronjor Global Moderator

    Joined:
    Jul 21, 2003
    Posts:
    57,729
    Location:
    Texas
    http://www.kb.cert.org/vuls/id/252743
     
  19. lotuseclat79

    lotuseclat79 Registered Member

    Joined:
    Jun 16, 2005
    Posts:
    5,095
  20. MrBrian

    MrBrian Registered Member

    Joined:
    Feb 24, 2008
    Posts:
    6,032
    Location:
    USA
    From Bash-ing Into Your Network – Investigating CVE-2014-6271:
     
  21. siljaline

    siljaline Former Poster

    Joined:
    Jun 29, 2003
    Posts:
    6,619
  22. Minimalist

    Minimalist Registered Member

    Joined:
    Jan 6, 2014
    Posts:
    5,057
    http://blog.trendmicro.com/trendlab...exploit-emerges-in-the-wild-leads-to-flooder/
     
  23. Minimalist

    Minimalist Registered Member

    Joined:
    Jan 6, 2014
    Posts:
    5,057
  24. ronjor

    ronjor Global Moderator

    Joined:
    Jul 21, 2003
    Posts:
    57,729
    Location:
    Texas
  25. lotuseclat79

    lotuseclat79 Registered Member

    Joined:
    Jun 16, 2005
    Posts:
    5,095
    Re: CVE-2014-6271: remote code execution through bash (3rd vulnerability).

    Related: Shellshock Bash Vulnerability Tester.

    -- Tom
     