
"Shellshock" vulnerability (Bash command related - affects Linux/OSX) in the news


Jezbollah

Member
To all Sysadmins out there, please make note of this vulnerability (CVE-2014-6271)

A large number of programs on Linux and other UNIX systems use Bash to set up environment variables which are then used while executing other programs. Examples of this include web servers running CGI scripts and even email clients and web clients that pass files to external programs for display, such as a video file or a sound file.

In short, this vulnerability allows attackers to cause arbitrary command execution, remotely, for example by setting headers in a web request or by setting weird MIME types.

To test if your system is vulnerable, just try this in bash:

Code:
env x='() { :;}; echo vulnerable' bash -c "echo this is a test"

If you're vulnerable it'll print:

Code:
vulnerable
this is a test

If you've updated Bash you'll only see

Code:
this is a test

For more information:

https://blog.cloudsecurityalliance.org/2014/09/24/worse-than-heartbleed/
https://securityblog.redhat.com/201...-environment-variables-code-injection-attack/
http://www.theregister.co.uk/2014/09/24/bash_shell_vuln/
http://www.bbc.com/news/technology-29361794

Hope this is useful to anyone out there.



UPDATE: - Thanks to those who posted the links below:


You need to fix up the double quotes, somewhere 'smart quotes' mangled them.

Code:
env x='() { :;}; echo vulnerable' bash -c "echo this is a test"
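An added example, not part of the original post: the same test wrapped in a POSIX shell function that returns a status instead of having to be read by eye, so it can go into an audit script run across many hosts. The function names, the marker string and the BASH_BIN variable are this example's own; it assumes a bash binary is on PATH.

```shell
#!/bin/sh
# Added example (not from the original post). Wraps the thread's one-liner
# in a function with a machine-checkable result.
# BASH_BIN is this example's own name; override it to test a non-default bash.
BASH_BIN="${BASH_BIN:-bash}"

# Returns 0 if the tested bash executes the command that trails the function
# body (vulnerable), 1 if it only defines or ignores the function (patched),
# 2 if no bash binary could be found.
shellshock_check() {
    command -v "$BASH_BIN" >/dev/null 2>&1 || return 2
    # The marker is an unusual token so it cannot appear in the output unless
    # the injected command actually ran. stderr is discarded because a patched
    # 4.3 bash prints "ignoring function definition attempt" there.
    out=$(env x='() { :;}; echo SHELLSHOCK_MARKER' "$BASH_BIN" -c 'echo this is a test' 2>/dev/null)
    case "$out" in
        *SHELLSHOCK_MARKER*) return 0 ;;
        *) return 1 ;;
    esac
}

# Human-readable verdict for a one-off audit run.
shellshock_verdict() {
    rc=0
    shellshock_check || rc=$?   # "|| rc=$?" keeps this safe under set -e
    case $rc in
        0) echo "vulnerable" ;;
        1) echo "patched" ;;
        *) echo "no bash found" ;;
    esac
}

shellshock_verdict
```

Run it as is on each host (or point BASH_BIN at a vendor-bundled bash such as the one shipped with an appliance); "patched" is the only acceptable answer, and a "no bash found" result on a box that serves CGI means the CGI scripts are being run by some other shell and need checking separately.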



 

shuri

Banned
This is pretty goddamn dramatic, but it seems that if I understand well, it can only REALLY work _remotely_ when used on sites using cgi scripts that invokes bash.

My Linux shell is only running irssi, so I guess I'm pretty safe.

Edit: wait, no, this affects OpenSSH too; but I don't think that anyone could remotely run this as some sort of argument in an SSH connection query?

Edit 2: it affects everything. SHUT DOWN EVERYTHINNNNG
 

NekoFever

Member
Funny how this isn't getting nearly as much press as Heartbleed when it's potentially much worse.

Heartbleed allowed someone to grab a random snippet of data from a system, but only ones running OpenSSL and, of those, only ones running versions released in a window of a couple of years. Something like 500,000 systems total.

This allows an attacker to do anything on an affected system, and it affects any Linux or UNIX system running any version of bash from the last 25 years, which is basically all of them. That's more than half of all web servers, Linux systems, Macs, etc. Hundreds of millions of systems.

Popular distros and OS X will get patched quickly, but what about all the embedded Linux systems on routers, NAS boxes, old file servers, etc that never get updated?
 

shuri

Banned
The Apocalypse Horns are now blaring at my workplace about this. Sooo many devices, so many machines, so many servers.
 

Jezbollah

Member
Another bit of info:

http://www.theregister.co.uk/2014/09/25/shell_shocked_not_yet/

Researcher Robert Graham has so far dug up 3,000 vulnerable systems by scanning port 80 on the root URL, and said the bug was "clearly wormable".

His figures should increase quickly, since only one in 50 web servers respond correctly without the proper Host field.

"Scanning with the correct domain names would lead to a lot more results -- about 50 times more," Graham writes.

Graham adds: "Secondly, it's things like CGI scripts that are vulnerable, deep within a website (like CPanel's /cgi-sys/defaultwebpage.cgi). Getting just the root page is the thing least likely to be vulnerable. Spidering the site, and testing well-known CGI scripts (like the CPanel one) would give a lot more results, at least 10x [more]."

He also writes that embedded web servers on odd ports "are the real danger", as well as other services like the DHCP service reported in the initial advisory.

"Consequently, even though my light scan found only 3000 results, this thing is clearly wormable, and can easily worm past firewalls and infect lots of systems," Graham said.

"One key question is whether Mac OS X and iPhone DHCP service is vulnerable – once the worm gets behind a firewall and runs a hostile DHCP server, that would 'game over' for large networks."

He agrees Shell Shock was more severe than the OpenSSL HeartBleed vulnerability reported in April and warned that while primary servers were likely not vulnerable, "everything else probably is".

"Scan your network for things like Telnet, FTP, and old versions of Apache (masscan is extremely useful for this). Anything that responds is probably an old device needing a bash patch. And, since most of them can't be patched, you are likely screwed."
 

Blizzard

Banned
A couple more links for reference:
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-6271
https://marc.info/?l=oss-security&m=141157106132018&w=2

And shuri, your picture URL is censored, but I wish I had Apocalypse Horns. Those sound awesome.
 

itxaka

Defeatist
Funny how this isn't getting nearly as much press as Heartbleed when it's potentially much worse.

Heartbleed allowed someone to grab a random snippet of data from a system, but only ones running OpenSSL and, of those, only ones running versions released in a window of a couple of years. Something like 500,000 systems total.

This allows an attacker to do anything on an affected system, and it affects any Linux or UNIX system running any version of bash from the last 25 years, which is basically all of them. That's more than half of all web servers, Linux systems, Macs, etc. Hundreds of millions of systems.

Popular distros and OS X will get patched quickly, but what about all the embedded Linux systems on routers, NAS boxes, old file servers, etc that never get updated?

Routers and NAS boxes probably use plain sh instead of bash.
 

SirCheese

Member
I'm surprised this thread isn't getting more replies. It's a huge potential threat, but I guess GAFers are more concerned about their phones bending.

Just spent an hour educating myself about different Linux shells and trying to find out if my router at home is vulnerable. At work, so can't do the test.

Btw, does anyone know if ElementaryOS is running Bash? What I've read seems to indicate that it is running Dash, since it's based on Ubuntu.
 

kingslunk

Member
I'm surprised this thread isn't getting more replies. It's a huge potential threat, but I guess GAFers are more concerned about their phones bending.

Just spent an hour educating myself about different Linux shells and trying to find out if my router at home is vulnerable. At work, so can't do the test.

Btw, does anyone know if ElementaryOS is running Bash? What I've read seems to indicate that it is running Dash, since it's based on Ubuntu.

Average people don't understand the extent of this probably.
 

Slavik81

Member
Funny how this isn't getting nearly as much press as Heartbleed when it's potentially much worse.

Heartbleed allowed someone to grab a random snippet of data from a system, but only ones running OpenSSL and, of those, only ones running versions released in a window of a couple of years. Something like 500,000 systems total.

This allows an attacker to do anything on an affected system, and it affects any Linux or UNIX system running any version of bash from the last 25 years, which is basically all of them. That's more than half of all web servers, Linux systems, Macs, etc. Hundreds of millions of systems.

Popular distros and OS X will get patched quickly, but what about all the embedded Linux systems on routers, NAS boxes, old file servers, etc that never get updated?
This only can be used against systems that put data from the internet into environment variables and then call a bash script. Heartbleed leaked private data from basically anything that used OpenSSH.
 

kingslunk

Member
This only can be used against systems that put data from the internet into environment variables and then call a bash script. Heartbleed leaked private data from basically anything that used OpenSSH.

OpenSSL.

Anything that touches environment vars or gets called by the shell is affected.
 

Slavik81

Member
OpenSSL.

Anything that touches environment vars or gets called by the shell is affected.
Sorry. I meant OpenSSL. Though, OpenSSH was also affected; it uses OpenSSL.

And I do reiterate that not everything that touches environment variables or gets called by the shell is affected. The server is only compromised if the attacker can set the contents of environment variables and then start a new instance of bash.

It's a big problem, yes, but the list of working attacks based on this vector is still rather short compared to Heartbleed. Hitting old CGI web servers is the only proven attack I've seen thus far.
 

Darkangel

Member
Makes you wonder what other security threats are just lying around undiscovered.

Hopefully undiscovered...
 

_Ryo_

Member
How would you go about this test on Linux Mint 17?

I've entered the test into the terminal but it doesn't really give any result. Is it because Linux Mint 17 uses Dash, or because it's already patched?

For reference here is the output

Input:
ryo@ryo-pc-2045 ~ $ env x='() { :;}; echo vulnerable’ bash -c “echo this is a test”

Output:
 

Jobiensis

Member
How would you go about this test on Linux Mint 17?

I've entered the test into the terminal but it doesn't really give any result. Is it because Linux Mint 17 uses Dash or that it's already patched?

For reference here is the output

Input:

Output:

You need to fix up the double quotes, somewhere 'smart quotes' mangled them.

Code:
env x='() { :;}; echo vulnerable' bash -c "echo this is a test"
 

Slavik81

Member
You seem to have some unicode symbols instead of standard quotes in your command.

Microsoft Office likes to replace " and - with fancier-looking symbols. Be very careful when copying or pasting shell commands in Outlook or Word. It's a common cause of those sorts of problems.
 

_Ryo_

Member
You need to fix up the double quotes, somewhere 'smart quotes' mangled them.

Code:
env x='() { :;}; echo vulnerable' bash -c "echo this is a test"

Input:
Code:
ryo@ryo-pc-2045 ~ $ env x='() { :;}; echo vulnerable' bash -c "echo this is a test"

Output:
Code:
bash: warning: x: ignoring function definition attempt
bash: error importing function definition for `x'
this is a test

Hmm.

Linux Mint forums says to just use MintUpdate and I've already done so.
 

Dicer

Banned
Code:
dicer@Alienware-X51:~$ env x='() { :;}; echo vulnerable' bash -c "echo this is a test"
bash: warning: x: ignoring function definition attempt
bash: error importing function definition for `x'
this is a test

Code:
dicer@Alienware-X51:~$ bash --version
GNU bash, version 4.3.11(1)-release (x86_64-pc-linux-gnu)
Copyright (C) 2013 Free Software Foundation, Inc.
License GPLv3+: GNU GPL version 3 or later <http://gnu.org/licenses/gpl.html>

Seems I am OK for the moment; IT admins must be pulling their hair out right now, I imagine....
 

zoku88

Member
And this is why you should use zsh instead. :)

Kidding, I'm sure if more people used zsh, there would be some horrible bug found.
 

ricki42

Member
Average people don't understand the extent of this probably.

I think a lot of people still hear 'Linux' and think 'that weirdo computer thing geeks play around with in the basement'.

What surprises me is that this wasn't found earlier. There are enough people using bash, I would have expected somebody to stumble across this far sooner.
 

Dicer

Banned
I think a lot of people still hear 'Linux' and think 'that weirdo computer thing geeks play around with in the basement'.

What surprises me is that this wasn't found earlier. There are enough people using bash, I would have expected somebody to stumble across this far sooner.

It may have been, not everyone wants these holes plugged up...
 

BaBaRaRa

Member
A moment of silence, please, for every sysadmin working long into the night, cursing their boss for still 'considering' that PuppetDB proposal they wrote a year ago.
 
Code:
bash: x: line 0: syntax error near unexpected token `{:'
bash: x: line 0: `x () {:;}; echo vulnerable'
bash: error importing function definition for `x'
this is a test

Let me just copy and paste from the OP and double-test it.
 

Dicer

Banned
Code:
vulnerable
this is a test

How do I update my bash shell in the OS X terminal?

Apple "should" push an update for this...but seeing as how their last update went...I kid I kid

http://www.tomsguide.com/us/shellshock-osx-linux,news-19614.html

Red Hat has already released its own patches that fix this flaw.

There don't appear to be any exploits related to this bug in the wild yet, but the flaw offers an opportunity for miscreants to attack OS X and desktop Linux, not to mention countless server builds. If Apple, Ubuntu, Mint, Debian or other Linux developers release operating-system updates this week, be sure to install them.
 

Syriel

Member
And this is why you should use zsh instead.:)

Kidding, I'm sure if more people used zsh, there would be some horrible bug found.

It may impact zsh as well.

And for people asking why this is a big deal...

User-Agent: () { :; }; /bin/cat /etc/shadow

You can do a lot of stuff with an open command line.
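An added example, not part of the original thread: how the User-Agent header above actually reaches bash. A CGI gateway copies each request header into the script's environment as HTTP_<NAME> (RFC 3875), so "User-Agent: () { :; }; ..." becomes an HTTP_USER_AGENT variable whose value starts with "() {", which an unpatched bash imports as a function and then runs the trailing command. The harmless echo marker stands in for /bin/cat /etc/shadow. The function names, the header filter and the throwaway CGI script are this example's own; it assumes bash and mktemp are available.

```shell
#!/bin/sh
# Added example (not from the original thread): the request-header -> CGI
# environment -> bash path that the quoted User-Agent payload relies on.

# A CGI gateway exposes "User-Agent: foo" to the script as HTTP_USER_AGENT=foo:
# the header name is uppercased, '-' becomes '_', and "HTTP_" is prefixed.
cgi_env_name() {
    printf 'HTTP_%s' "$(printf '%s' "$1" | tr 'a-z' 'A-Z' | tr '-' '_')"
}

# Returns 0 when a header value carries the function-definition prefix that
# triggers the import. Blocking on this at a reverse proxy is only a stopgap
# for devices that cannot be patched; fixing bash is the real remedy.
header_looks_like_shellshock() {
    case "$1" in
        *'() {'*) return 0 ;;
        *) return 1 ;;
    esac
}

# Write a throwaway bash CGI script, run it with one header mapped into its
# environment exactly as a web server would, and return what it printed.
# On an unpatched bash the injected command runs before the script's first line.
run_cgi_with_header() {
    name="$1"; value="$2"
    script=$(mktemp) || return 2
    printf '%s\n' '#!/bin/bash' \
        'echo "Content-Type: text/plain"' \
        'echo' \
        'echo "served"' > "$script"
    chmod +x "$script"
    env "$(cgi_env_name "$name")=$value" bash "$script" 2>/dev/null
    rm -f "$script"
}

# Constructed request header: same shape as the thread's payload, harmless body.
payload='() { :; }; echo SHELLSHOCK_MARKER'
if header_looks_like_shellshock "$payload"; then
    echo "gateway filter would reject: $payload"
fi
echo "script output on this host:"
run_cgi_with_header User-Agent "$payload"
```

On a patched host the script output is just the Content-Type line, a blank line and "served"; if SHELLSHOCK_MARKER appears before the Content-Type line, the bash that runs your CGI scripts is the one that needs updating, and the header filter above is what buys time until it is.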
 

Dougald

Member
It may impact zsh as well.

And for people asking why this is a big deal...

User-Agent: () { :; }; /bin/cat /etc/shadow

You can do a lot of stuff with an open command line.

This is also why you don't run shit as root when you don't need to.
 
Makes you wonder how many similar or worse vulnerabilities are hidden in the 200 million lines of code a typical Linux distro has. Not that other operating systems are any better. This stuff is just so incredibly complex and there are so many people involved that I don't really have much trust in the security of modern software anymore.
 