Free Republic
Browse · Search
News/Activism
Topics · Post Article


Remote exploit vulnerability in bash CVE-2014-6271
CSOonline ^ | Sep 24, 2014 | Dave Lewis

Posted on 09/25/2014 10:47:12 AM PDT by zeugma

A remotely exploitable vulnerability has been discovered by Stephane Chazelas in bash, the default shell on most Linux distributions, and it is unpleasant. The vulnerability has the CVE identifier CVE-2014-6271 and has been given the name Shellshock by some. It affects Debian as well as other Linux distributions, and any other system that ships bash. You will need to patch ASAP.

Bash supports exporting shell variables as well as shell functions to other bash instances; both travel through the process environment to the child process. A function is passed as an environment variable whose value begins with '() {', and a bash that finds such a variable at startup parses it and defines the function. The bug is that vulnerable versions keep parsing past the closing brace and execute whatever follows the function body, while the environment is being imported and before the shell's own command runs. So an attacker who controls the contents of any environment variable that reaches bash, whatever the variable is named, gets arbitrary command execution with that bash's privileges.
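An added example (not from the CSOonline article) that shows both halves of that mechanism in POSIX sh: first what an exported bash function actually looks like in the environment of a child process, then the standard one-line check for CVE-2014-6271. It assumes a bash binary on PATH; the variable name x, the function name greet and the marker word "vulnerable" are arbitrary choices for the demonstration.

```shell
#!/bin/sh
# Added example, not the article's code. Assumes bash is on PATH.

# 1. The legitimate feature: "export -f" turns a function into an environment
#    variable whose value starts with "() {". The variable name depends on the
#    bash version: plain "greet=" on pre-fix bash, "BASH_FUNC_greet()=" or
#    "BASH_FUNC_greet%%=" on fixed versions. Prints the matching env entry.
exported_function_env() {
    bash -c 'greet() { echo hello; }; export -f greet; env' 2>/dev/null \
        | grep -E '^(BASH_FUNC_)?greet(%%|\(\))?=\(\) ?\{'
}

# 2. The bug: hand bash an arbitrary variable (here "x") whose value is a
#    function definition followed by a trailing command. A vulnerable bash runs
#    "echo vulnerable" while importing the environment, before "-c" executes;
#    a fixed bash ignores the definition (and warns on stderr, discarded here).
#    Prints "vulnerable", "patched" or "no-bash"; exit status 1, 0 or 2.
shellshock_check() {
    bash_bin="${1:-bash}"
    if ! command -v "$bash_bin" >/dev/null 2>&1; then
        echo "no-bash"
        return 2
    fi
    out=$(env x='() { :; }; echo vulnerable' "$bash_bin" -c 'echo test' 2>/dev/null)
    case "$out" in
        *vulnerable*) echo "vulnerable"; return 1 ;;
        *)            echo "patched";    return 0 ;;
    esac
}

# Stand-alone usage: show the exported function, then test the default bash.
exported_function_env
shellshock_check
```

The check only says whether the bash it ran is affected, so run it against every bash on the host (for example shellshock_check /bin/bash and any statically linked copy inside a chroot or container image), not just the one found first on PATH.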

The major attack vector identified so far is HTTP, through CGI scripts. A web server running CGI copies request headers such as User-Agent, Referer and Cookie into environment variables (HTTP_USER_AGENT, HTTP_REFERER and so on) before it runs the script. If the script is written in bash, or if the script or the server calls /bin/sh and that is bash (as on Red Hat and CentOS; Debian and Ubuntu use dash for /bin/sh, but scripts that start with #!/bin/bash are still exposed), the attacker's header is handed straight to a vulnerable shell. A single crafted request from an unauthenticated client is enough, and the resulting commands run as the web server's user.

From Akamai

Akamai has validated the existence of the vulnerability in bash, and confirmed its presence in bash for an extended period of time. We have also verified that this vulnerability is exposed in ssh, but only to authenticated sessions. Web applications like CGI scripts may be vulnerable based on a number of factors, including calling other applications through a shell, or evaluating sections of code through a shell.

There are several functional mitigations for this vulnerability: upgrading to a new version of bash, replacing bash with an alternate shell, limiting access to vulnerable services, or filtering inputs to vulnerable services. Akamai has created a WAF rule to filter this exploit; see "For Web Applications" below for details.


The username in an HTTP Authorization header is another path in: the server exposes it to CGI scripts through an environment variable (REMOTE_USER), so it can carry the same malicious function definition as any other header.
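One place the HTTP vector leaves tracks is the web server's access log, since the combined log format records the Referer and User-Agent headers that CGI copies into the environment. The following is an added example, not code from the article or Akamai's WAF rule, that greps sample log lines for the '() {' prefix bash looks for. The addresses, paths and payloads in the sample are constructed for the demonstration.

```shell
#!/bin/sh
# Added example: detect Shellshock probes in Apache/nginx "combined" access
# logs. SAMPLE_LOG is constructed for this demonstration, not a real capture.
# Hits 1 and 3 carry the payload in User-Agent and Referer respectively.
SAMPLE_LOG='203.0.113.7 - - [25/Sep/2014:10:47:12 -0700] "GET /cgi-bin/status HTTP/1.1" 200 512 "-" "() { :; }; /bin/bash -c \"cat /etc/passwd\""
198.51.100.22 - - [25/Sep/2014:10:48:01 -0700] "GET /index.html HTTP/1.1" 200 4096 "-" "Mozilla/5.0 (X11; Linux x86_64)"
203.0.113.7 - - [25/Sep/2014:10:49:30 -0700] "GET /cgi-bin/status HTTP/1.1" 200 512 "() { ignored;}; echo Content-Type: text/plain; echo; /usr/bin/id" "curl/7.37.0"
192.0.2.15 - - [25/Sep/2014:10:50:00 -0700] "POST /login HTTP/1.1" 302 0 "-" "Mozilla/5.0 (Windows NT 6.3)"'

# Filter stdin for the function-definition prefix bash recognises: "()",
# optional whitespace, "{". Matching lines pass through unchanged so they
# can be piped on to a SIEM or a blocklist builder.
find_shellshock_probes() {
    grep -E '\(\)[[:space:]]*\{'
}

# Number of probe lines in the sample (used as the stand-alone demo output).
count_shellshock_probes() {
    printf '%s\n' "$SAMPLE_LOG" | find_shellshock_probes | wc -l | tr -d ' '
}

# Distinct client addresses that sent a probe (first field of each hit).
probe_sources() {
    printf '%s\n' "$SAMPLE_LOG" | find_shellshock_probes | awk '{print $1}' | sort -u
}

# Stand-alone usage: count the hits and list who sent them.
count_shellshock_probes
probe_sources
```

This only sees what the server logged: Cookie, Host and custom headers are not in the combined format, and the log is written after the request has already been executed, so treat a hit as evidence of compromise to investigate, not as a block. Filtering at a WAF or reverse proxy in front of the CGI host is the right place to stop the request; patching bash removes the exposure regardless of which header carries the payload.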

Another attack surface is OpenSSH. Environment variables the client is allowed to set through AcceptEnv, the TERM variable, and SSH_ORIGINAL_COMMAND (which sshd fills with the client's requested command when a ForceCommand is configured) are all delivered into the environment of the user's login shell. Because bash examines every environment variable for a function definition regardless of its name, any of them can carry a nefarious function and the trailing commands run before the forced command does. This needs an account that can already authenticate, but it turns a deliberately restricted key (a git-only or backup-only account, for instance) into arbitrary command execution. This is fire bad.

The race is on. Will you be able to patch before Metasploit has a working exploit? 

Tod Beardsley, engineering manager from Rapid7, had this to say,

"As you might have guessed, we're busy at work putting together a Metasploit module that demonstrates the bash bug (CVE-2014-6271), as is the rest of the world of open source security contributors. I expect to see a first version today.

That said, it's difficult to write one "bash bug" exploit -- this is the sort of exploit that will be lurking around in all various and sundry sorts of software, both local and remote. It's quite common for embedded devices with web-enabled front-ends to shuttle user input back and forth via bash shells, for example -- routers, SCADA/ICS devices, medical equipment, and all sorts of webified gadgets are likely to be exposed.

The module we're cooking up today will be as generic as we can make it, so people have a realistic chance of testing their devices. I expect that this will show up in more than one software package, though, so stay tuned."

[UPDATE]: Received word from Tod at Rapid7 that the Metasploit module for the bash vulnerability was completed at 8:26 pm EDT.

Patch your systems now…GO!

Support Information:

  1. Novell/SuSE
  2. Debian
  3. Ubuntu
  4. Mint
  5. Redhat/Fedora
  6. Mageia
  7. CentOS


TOPICS: Business/Economy; News/Current Events
KEYWORDS: computers; computing; exploit; linux
I did a "yum update bash" this morning on my Fedora box, and there was an update. I've been unable to replicate this since then. Still looking at it though, as it's a nasty vulnerability.

It doesn't seem to be a privilege escalation exploit, but it allows folks to execute arbitrary code as the user in question. Of particular danger are any websites that have CGI scripts that might invoke a shell for some reason. If there is an updated binary for your distribution, I'd install it. Fortunately it is an extraordinarily painless fix.

1 posted on 09/25/2014 10:47:12 AM PDT by zeugma

To: zeugma
Most of the commercial Linux distributions already have updated versions of Bash available for download and install--in the case of desktop versions, the update was applied automatically.

Unlike Microsoft vulnerabilities, Linux vulnerabilities are usually patched quickly, sometimes within hours of their being revealed.

2 posted on 09/25/2014 10:52:15 AM PDT by RayChuang88 (FairTax: America's economic cure)

To: ShadowAce

You might be interested in this...


3 posted on 09/25/2014 10:52:43 AM PDT by Utilizer (Bacon A'kbar! - In world today are only peaceful people, and the muzlims trying to kill them-)

To: RayChuang88
Unlike Microsoft vulnerabilities, Linux vulnerabilities are usually patched quickly, sometimes within hours of their being revealed.

Not to mention, many of the security vulnerabilities in the various 'doze distributions have been found, patched and released by the 'nix coders, in record time!

In some cases with MiniSloth not even admitting the problem and simply releasing a patch for it in the next "security upgrade" release.

4 posted on 09/25/2014 10:58:31 AM PDT by Utilizer (Bacon A'kbar! - In world today are only peaceful people, and the muzlims trying to kill them-)

To: zeugma

This seems to apply only to shell scripts where the user has to type in something. I would imagine that the idea is that if a script is running suid root, then the user can get access to a root shell somehow.


5 posted on 09/25/2014 11:20:29 AM PDT by proxy_user

To: proxy_user
This seems to apply only to shell scripts where the user has to type in something. I would imagine that the idea is that if a script is running suid root, then the user can get access to a root shell somehow.

It's never a good idea to let users enter unsanitized data.


6 posted on 09/25/2014 11:23:24 AM PDT by zeugma (The act of observing disturbs the observed.)

To: zeugma

Shell-script writers are notorious for seat-of-the-pants coding practices. Many are old Unix SAs who do not really understand the principles of application programming. The whole idea of Unix is that you can just type in scripts on the command line and run them ad hoc, and that’s what many of them tend to do.


7 posted on 09/25/2014 11:28:10 AM PDT by proxy_user

To: proxy_user
This seems to apply only to shell scripts where the user has to type in something.

Don't think so... If I understand the vulnerability correctly, the real problem is through web servers (like Apache) where CGI scripting is enabled. HTTP POST requests send data to the CGI script as environment variables. So someone can craft an HTTP POST request and pass the shell command in the payload and have it execute on the web server. If Apache is running with elevated privileges, then the shell command will also.

And the real problem is not with Linux distros, which most Linux admins can patch pretty easily. It is with devices like routers, firewalls, and other things you don't even realize are running web servers and have bash on them, and there is no immediately available patch. Or these "Internet of Things" devices.

One extreme example... a web addressable light bulb... you may have no idea that it is running a web server and has bash on it, but it could be exploited to get into the entire network.

8 posted on 09/25/2014 11:47:58 AM PDT by Mannaggia l'America

To: zeugma; rdb3; Calvinist_Dark_Lord; JosephW; Only1choice____Freedom; amigatec; ...

9 posted on 09/25/2014 11:55:11 AM PDT by ShadowAce (Linux -- The Ultimate Windows Service Pack)

To: zeugma

Whew. I have a fully patched windows 8.1 system so I’m good.


10 posted on 09/25/2014 11:57:36 AM PDT by for-q-clinton (If at first you don't succeed keep on sucking until you do succeed)

To: proxy_user
Shell-script writers are notorious for seat-of-the-pants coding practices. Many are old Unix SAs who do not really understand the principles of application programming. The whole idea of Unix is that you can just type in scripts on the command line and run them ad hoc, and that’s what many of them tend to do.

That's pretty much what I do. My scripts are designed to be run by me, so I don't worry about input beyond parameter validation. Most of them started as a one-liner that I had to use enough times it was scripted to save the keystrokes and make it so I don't have to remember syntax for obscure stuff.


11 posted on 09/25/2014 12:12:12 PM PDT by zeugma (The act of observing disturbs the observed.)

To: RayChuang88
Unlike Microsoft vulnerabilities, Linux vulnerabilities are usually patched quickly, sometimes within hours of their being revealed.

A worldwide, collaborative, open-source operating system vs. a corporate-owned, closed-source operating system. Apples and oranges, bub. It's in the best interest of the Linux community to patch as soon as possible. Microsoft can take their sweet time, but ultimately it affects their bottom line. Better to keep quiet and patch later than to put it out there that an exploit exists in the wild.

12 posted on 09/25/2014 12:12:24 PM PDT by rarestia (It's time to water the Tree of Liberty.)

To: for-q-clinton
Whew. I have a fully patched windows 8.1 system so I’m good.

Indeed. You have an entirely different set of problems.

13 posted on 09/25/2014 12:13:31 PM PDT by zeugma (The act of observing disturbs the observed.)

To: Mannaggia l'America

If you pass anything as part of an HTTP post, it is up to whatever is running to process what you sent. It may be Java/J2EE, it may be Perl, it may be dot-Net. I don’t see how a bash command or script would be invoked unless the CGI was actually invoking bash, which is not very common these days.


14 posted on 09/25/2014 12:22:31 PM PDT by proxy_user

To: ShadowAce

I did apt-get update on my Ubuntu... was there another step?


15 posted on 09/25/2014 2:45:31 PM PDT by GeronL (Vote for Conservatives not for Republicans)

To: ShadowAce

hang on... what is Bash? I don’t think I have that.


16 posted on 09/25/2014 2:46:26 PM PDT by GeronL (Vote for Conservatives not for Republicans)

To: GeronL

It’s probably the most popular terminal emulator out there.


17 posted on 09/25/2014 3:54:08 PM PDT by ShadowAce (Linux -- The Ultimate Windows Service Pack)

To: ShadowAce

oh, I just use terminal if I need terminal.... silly me


18 posted on 09/25/2014 4:30:24 PM PDT by GeronL (Vote for Conservatives not for Republicans)

To: proxy_user
Shell-script writers are notorious for seat-of-the-pants coding practices. Many are old Unix SAs who do not really understand the principles of application programming. The whole idea of Unix is that you can just type in scripts on the command line and run them ad hoc, and that’s what many of them tend to do.

[quietly walks away whistling...]

19 posted on 09/25/2014 4:52:16 PM PDT by COBOL2Java (I'm a Christian, pro-life, pro-gun, Reaganite. The GOP hates me. Why should I vote for them?)

To: GeronL
hang on... what is Bash? I don’t think I have that.

Son of sh

Bash (Unix shell)

20 posted on 09/25/2014 5:03:56 PM PDT by COBOL2Java (I'm a Christian, pro-life, pro-gun, Reaganite. The GOP hates me. Why should I vote for them?)

