‘Shellshock’ Details Unveiled

Tuesday, September 30, 2014 @ 02:09 PM gHale


A security flaw in the GNU Bourne Again Shell (Bash) command interpreter used in Linux and Unix systems has been disclosed, researchers said.

Given its widespread use and acceptance, this flaw could end up worse than Heartbleed.

The bug, called Shellshock and discovered by Stéphane Chazelas, is present in Bash versions 1.14 through 4.3. It took more than two decades to be discovered. Bash is used in quite a few Linux systems, as well as Mac OS X.

Shellshock poses the risk of remote code execution through environment variables: Bash goes on to process commands that trail a function definition in a variable's value, which opens the door for code injection attacks. All products using Bash to parse values of environment variables are vulnerable.

Applications can invoke the shell in many ways, one of them being simply executing a different binary file; and in many cases, it runs in the background for different tasks (executing commands, parsing scripts, remote connection).

Because it is open-source, Linux is an operating system employed in a large number of products, from Apache web servers to home devices such as routers and cameras; and with the Bash bug being around for so long, it has been integrated in a lot of products, which are now at risk of being hijacked.

“Internet-of-things devices like video cameras are especially vulnerable because a lot of their software is built from web-enabled bash scripts,” said security expert Robert Graham in a blog post. “Thus, not only are they less likely to be patched, they are more likely to expose the vulnerability to the outside world.”

According to the vulnerability (CVE-2014-6271) details, OpenSSH and some DHCP clients have issues on systems running Bash. However, it appears that the major attack vector consists of HTTP requests to CGI scripts, used for generating dynamic content on web pages and web apps.

Patching up Bash is of utmost importance and the developers of Ubuntu (14.04 LTS, 12.04 LTS and 10.04 LTS), CentOS (5 through 7) and Debian are already offering the fix.

Red Hat also provided a patch for CVE-2014-6271, but it was incomplete and created a new issue, CVE-2014-7169, which the firm still has to address.

A simple way to test if the Linux/Unix system is vulnerable to Shellshock is to input the following string in the command line:

    env x='() { :;}; echo vulnerable' bash -c "echo Shellshock"

A system affected by the bug should return the following:

    vulnerable
    Shellshock

On the other hand, a secure system would reply with:

    bash: warning: x: ignoring function definition attempt
    bash: error importing function definition for `x'
    Shellshock
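
The test above, wrapped as an added example (not code from the original article) that runs the same probe against each Bash binary on a host and reports a verdict per binary. The function names and default paths are assumptions, and it covers only the CVE-2014-6271 check shown here, not CVE-2014-7169.

```sh
#!/bin/sh
# Added example: audit Bash binaries with the article's CVE-2014-6271 test.

# Map the probe's stdout to a verdict. On a vulnerable Bash the word
# "vulnerable" is printed while x is imported, before the command runs.
classify_probe_output() {
    case $1 in
        vulnerable*)  echo vulnerable ;;
        *Shellshock*) echo patched ;;
        *)            echo unknown ;;   # the binary never ran the command
    esac
}

# Probe one binary; prints vulnerable, patched, unknown or missing.
shellshock_status() {
    [ -x "$1" ] || { echo missing; return 0; }
    # env -i: empty environment, so x is the only variable Bash imports.
    # stderr is dropped: a patched Bash may print import warnings there.
    out=$(env -i x='() { :;}; echo vulnerable' "$1" -c 'echo Shellshock' 2>/dev/null) || true
    classify_probe_output "$out"
}

# Check each path given; the default locations are an assumption.
# Returns 1 if any binary is vulnerable, so it can gate another script.
shellshock_audit() {
    [ $# -gt 0 ] || set -- /bin/bash /usr/bin/bash /usr/local/bin/bash
    rc=0
    for b in "$@"; do
        s=$(shellshock_status "$b")
        [ "$s" = missing ] && continue
        ver=$("$b" --version 2>/dev/null | head -n 1)
        printf '%s\t%s\t%s\n' "$s" "$b" "$ver"
        [ "$s" = vulnerable ] && rc=1
    done
    return $rc
}

# Usage: shellshock_audit || echo "at least one Bash binary needs patching"
```

Embedded devices and chroots often carry their own copy of Bash, so pass those paths explicitly rather than relying on the defaults.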

The bug is exploitable over the network and the attacker does not require any authentication. Moreover, leveraging the glitch is not difficult and allows unauthorized modifications along with unauthorized disclosure of information and service disruption.

Getting a safe version of Bash on the system should be top priority, especially since proof-of-concept (PoC) code for exploiting CGI scripts is already available.
