Remote vulnerability in Linux command shell

Remote vulnerability in Linux command shell

Postby Cyborg Girl » Thu Sep 25, 2014 2:29 pm

I know what you're thinking: "Of course a command shell is vulnerable, that's why you don't provide remote access to it."

Unfortunately, on Linux, web services and other stuff depend on the command shell being secure...

http://seclists.org/oss-sec/2014/q3/650
http://unix.stackexchange.com/questions ... shellshock

Anything that exports an environment variable can force the bash command shell to execute arbitrary code upon loading that variable. And lots and lots and lots of software uses environment variables. So lots and lots and lots of software suddenly has massive remote vulnerabilities; because the local program that provides the command line interface, and should never even be accessible from a web service, does something that it should be pretty much expected to do.

But remember, folks, this is the World's Most Robust OS.

(However, expect squid to step in and correct me in 3... 2... 1...)
User avatar
Cyborg Girl
Boy Genius
 
Posts: 2138
Joined: Mon May 27, 2013 2:54 am

Re: Remote vulnerability in Linux command shell

Postby Sigma_Orionis » Thu Sep 25, 2014 4:24 pm

Wonderful
Sic Transit Gloria Mundi
User avatar
Sigma_Orionis
Resident Oppressed Latino
 
Posts: 4496
Joined: Mon May 27, 2013 2:19 am
Location: The "Glorious Socialist" Land of Chavez

Re: Remote vulnerability in Linux command shell

Postby squ1d » Thu Sep 25, 2014 4:52 pm

You can't be that confident about what you're saying if you expect to be corrected :o

If Linux is the world's most robust OS then I'm a hungarian parking attendant.
squ1d
 
Posts: 679
Joined: Mon May 27, 2013 5:12 pm

Re: Remote vulnerability in Linux command shell

Postby Rommie » Thu Sep 25, 2014 4:59 pm

O, te is magyar vagy? Nagyszeru! :P
Yes, I have a life. It's quite different from yours.
User avatar
Rommie
 
Posts: 4054
Joined: Mon May 27, 2013 10:04 am

Re: Remote vulnerability in Linux command shell

Postby Cyborg Girl » Thu Sep 25, 2014 5:22 pm

squ1d wrote:You can't be that confident about what you're saying if you expect to be corrected :o


It's become a bit of a pattern lately... ;)

If Linux is the world's most robust OS then I'm a hungarian parking attendant.


"I saw it on a website with 'Business' in its name, so it must be true!"

http://www.businessinsider.com/linus-to ... 014-6?op=1

Edit: more seriously, I've found the Linux kernel quite reliable (despite all my complaints) but I still see a lot of ridiculous hype about how awesome Linux is.
User avatar
Cyborg Girl
Boy Genius
 
Posts: 2138
Joined: Mon May 27, 2013 2:54 am

Re: Remote vulnerability in Linux command shell

Postby FZR1KG » Thu Sep 25, 2014 5:30 pm

There is a disturbing trend of people writing about shit they have no clue about but coming off as experts to the unwary.
Problem is of course many get suckered till they find out the facts.
Others however just read the garbage, take it as gospel then regurgitate the same false information, sometimes getting paid to do it.

e.g. The Free XP on windows 8 topic. One guy found a way to get XP running on Windows 8, but, it's free for a month then you have to activate it.
Regardless of the amount of people I've found that have proven this is the case, they just keep repeating the same shit everywhere.
Then there are discussion of how it comes with a key...but the key doesn't work.
FZR1KG
 

Re: Remote vulnerability in Linux command shell

Postby Sigma_Orionis » Thu Sep 25, 2014 5:38 pm

NIST gave it a rating of 10.0 can't get any worse than that.

On top of that, the patches provided don't fix the whole thing there's a new NIST advisory about it.

This IS a big one, and I agree It's much worse than Heartbleed.

Why is it much worse?

because unlike Heartbleed it's a lot easier to exploit and affects as many or more systems as Heartbleed
Sic Transit Gloria Mundi
User avatar
Sigma_Orionis
Resident Oppressed Latino
 
Posts: 4496
Joined: Mon May 27, 2013 2:19 am
Location: The "Glorious Socialist" Land of Chavez

Re: Remote vulnerability in Linux command shell

Postby Cyborg Girl » Thu Sep 25, 2014 5:47 pm

@FZ: Ha, irony! "Shit I have no clue about" probably describes 90% of my posts on web forums.

(More seriously, there is not a single day at work when I actually really feel like I know what I'm doing. It's all entirely by the seat of my pants, all day, every day. The only thing I'm an expert at is Googling.)

@Sigma: yeah, I saw that. :( For the moment we're all SOL. Sigh.
User avatar
Cyborg Girl
Boy Genius
 
Posts: 2138
Joined: Mon May 27, 2013 2:54 am

Re: Remote vulnerability in Linux command shell

Postby FZR1KG » Thu Sep 25, 2014 5:56 pm

Just remember, it's not always fluff. Sometimes you might hit one that's true.
about 10% or less of the time :P

According to Sigma, this one may just be real.
FZR1KG
 

Re: Remote vulnerability in Linux command shell

Postby Sigma_Orionis » Thu Sep 25, 2014 6:16 pm

Fortunately none of my Internet facing stuff has any stuff that needs BASH on it. My web servers either run IIS or Weblogic,
I'm waiting for the BASH developers to make a good enough fix and then it's patching time for at least 20 servers. MEH.
Sic Transit Gloria Mundi
User avatar
Sigma_Orionis
Resident Oppressed Latino
 
Posts: 4496
Joined: Mon May 27, 2013 2:19 am
Location: The "Glorious Socialist" Land of Chavez

Re: Remote vulnerability in Linux command shell

Postby Sigma_Orionis » Thu Sep 25, 2014 6:19 pm

Rommie wrote:O, te is magyar vagy? Nagyszeru! :P



Ai don sink zo! :P
Sic Transit Gloria Mundi
User avatar
Sigma_Orionis
Resident Oppressed Latino
 
Posts: 4496
Joined: Mon May 27, 2013 2:19 am
Location: The "Glorious Socialist" Land of Chavez

Re: Remote vulnerability in Linux command shell

Postby Cyborg Girl » Fri Sep 26, 2014 7:04 pm

I love where this vulnerability crops up though. I mean, web servers! DHCP clients! Wow!

It's only one of the primary rules of UNIX security that you never ever hand unsanitized data from untrusted sources off to the command shell, because the shell may be fooled into doing anything with it. I have a book on shell scripting with a whole chapter basically devoted to this, and you can find documentation about it everywhere, e.g. Perl textbooks telling you to use

system qw(/path/to/command arg1 arg2 ...)

instead of

system("/path/to/command arg1 arg2 ...")

in privileged scripts, because the latter runs the command via the shell, which usually means someone could get an interactive root shell with a little cleverness.

The "shellshock" vulnerability is that bash can be made to execute stuff in an environment variable. But to export an environment variable to bash, you have to actually run bash. Which a web server should never do by design, but Apache (on UNIX) does just that apparently.
User avatar
Cyborg Girl
Boy Genius
 
Posts: 2138
Joined: Mon May 27, 2013 2:54 am

Re: Remote vulnerability in Linux command shell

Postby Cyborg Girl » Fri Sep 26, 2014 8:09 pm

The circus continues:

http://seclists.org/oss-sec/2014/q3/741

Fedora 20 is not vulnerable to the new variant. Ubuntu 12.04 is. Not sure yet about 14.04.

@Sigma, I hope you have some antacids on hand... As for me, I'm thinking maybe I should train for a different job. I hear that goat herding isn't bad...
User avatar
Cyborg Girl
Boy Genius
 
Posts: 2138
Joined: Mon May 27, 2013 2:54 am

Re: Remote vulnerability in Linux command shell

Postby Sigma_Orionis » Thu Nov 13, 2014 11:56 pm

Most of my stuff is patched already, still looking for a maintenance window for my VMWARE hosts, because patching the command interpreter requires a reboot :roll:
Sic Transit Gloria Mundi
User avatar
Sigma_Orionis
Resident Oppressed Latino
 
Posts: 4496
Joined: Mon May 27, 2013 2:19 am
Location: The "Glorious Socialist" Land of Chavez


Return to Sci-Tech… and Stuff

Who is online

Users browsing this forum: No registered users and 22 guests