Bash 'shellshock' bug is wormable (opens in new tab)

(blog.erratasec.com)

299 pointsjgannonjr11y ago147 comments

147 comments

fabulist11y ago

Test your local machine:

export evil='() { :;}; echo vulnerable'; bash -c echo;

Vulnerable computers will print 'vulnerable'.

Test a CGI:

curl -i -X HEAD "http://website" -A '() { :;}; echo "Warning: Server Vulnerable"'

Vulnerable scripts will emit a "Warning" header. If you get a 405 error, try it with a GET request.

I don't know the PoC fo new version which wiggles around the patch.

I've tried the PoC on ksh, csh, and dash; if they're effected, its more nuanced. Its advisable to rename bash, and replace it with a symlink to dash; it shouldn't break any scripts, and even if it does its better than getting owned.

mv /bin/bash /bin/_bash

chmod ugo-x /bin/_bash

ln -s /bin/dash /bin/bash

agwa11y ago

> Its advisable to rename bash, and replace it with a symlink to dash; it shouldn't break any scripts

It most certainly will. dash provides a tiny subset of bash's functionality. Even scripts using #!/bin/sh often contain bashisms; a script using #!/bin/bash is certain to contain bashisms.

If you really want to swap out bash, swapping it out with ksh is likely to break fewer scripts (though it could still break scripts - ksh and bash are similar but not the same - so I don't recommend you do this).

And neither dash nor ksh have this "feature" of exporting functions through environment variables.

fabulist11y ago

You're right, and I didn't find this out until after I couldn't edit my post. My mistake.

I still contend that its a good idea. Most shell scripts used by the OS are written to dash in my experience; if you break ones you've added yourself, this is perhaps a good opportunity to review their security.

rsync11y ago

Actually, the first test would be 'which bash', since not all systems have it installed by default.

Notably, FreeBSD, which has never included it by default.

valamit11y ago

    bash: warning: evil: ignoring function definition attempt
    bash: error importing function definition for `evil'

would mean it's not?

yoha11y ago

That's the message you get on a patched machine. However, the patch is not sufficient: https://news.ycombinator.com/item?id=8365216 .

2 more replies

patio1111y ago

Yep. We're currently basically waiting to see which completes first: a) a patch for bash which actually works gets released and then trickles into the various ways to get it on every machine in the world or b) someone writes ~10 lines of payload code (download rootkit, execute, connect to IRC channel, join botnet, etc) and then just hits everything in IP4 space with a for loop. Optionally, the for loop gets distributed to new nodes joining the bot net.

If you cannot say "I run no Linux/Unix/MacOS/compatible/etc machine which connects other machines" you should be at battle stations right now. We're all racing against a for loop and the for loop will probably have a head start.

cperciva11y ago

I run no Linux/Unix/MacOS/compatible/etc machine which connects other machines

How about "I don't run bash"? There are other perfectly good shells, you know...

quesera11y ago

Or "I don't run UNIXes that default to bash, or hide it under /bin/sh, etc."

Unfortunately, bash shows up in surprising places, including default Solaris installs nowadays.

On OSX and Solaris, I've chmod'ed 0000 /bin/bash with no apparent ill effect so far. I'll put more effort into establishing its acceptability as a solution tomorrow.

BSDs won't have bash unless someone has gone out of their way to install it, which can be undone straightforwardly.

But it could be a long night for our Linux brethren and sistren.

Good luck, and remember to stay hydrated. :)

EDIT: obviously, don't chmod 0000 your login shell! Fix that first. Make sure whatever you switch to isn't a symbolic or hard link to bash.

1 more reply

patio1111y ago

You and Thomas can ignore everything I say about security. J. Random Rails Developer, on the other hand, probably gets useful signal if I start panicking. (Am I panicking? YES.)

inportb11y ago

I suspect that many folks who "don't run bash" actually do use bash quite a bit, e.g. in initscripts and various software packages.

1 more reply

wiredfool11y ago

Someone is going to be going through busybox soon, and then there (potentially) will be a whole bunch more exploitable boxes that don't have a generally have a regular update cycle.

1 more reply

count11y ago

As you well know, as long as your system doesn't use bash for anything, even implicitly :) Many folks are thinking that just because they switched their user's login shell to 'ksh' to be one of the cool ruby kids, that they're safe.

bodyfour11y ago

It won't be as simple as scanning all IP4 space because for most vulnerable hosts you still will need to know a URL of a cgi program that can cause bash to be executed (either because they're written in shell or, more likely, that there is some path found that can cause popen()/system()/etc to be called) If you read Robert Graham's blog post about his scan for this (posted to HN earlier today) he mentioned that the hosts he found by just looking at the root URL are probably a tiny subset of what's really out there.

What we'll probably see is lots of blackhats looking at common CGI-based packages, finding a way to provoke an exploit using that, and then doing an IPv4 scan exploiting just that one. There will also be a long-tail of people mounting more directed attacks against URLs they suspect are CGI based.

patio1111y ago

I think you underestimate attack vectors. d6c477a79ea7a633c2bb0e358e32399c1b18eb7d <-- Will ruin 1+ HNers' day sooner rather than later if they don't patch. Successful exploit doesn't require the exploit writer even knowing that vector existed to say nothing of successfully guessing a URL.

2 more replies

_xnmw11y ago

What about using the exploit to remotely patch machines?

smellf11y ago

That's a very cool idea.

donw11y ago

Ubuntu 10.04LTS - 14.04LTS appears to be patched: http://www.ubuntu.com/usn/usn-2362-1/

Logging into my server, things look good -- this is why you turn on automatic security updates. :)

timv11y ago

That update appears to only patch CVE-2014-6271 and not CVE-2014-7169 ( See: https://news.ycombinator.com/item?id=8365158 )

Although 7169 appears to be more difficult to exploit than 6271, you're not out of the woods until a patch gets distributed (+applied!) that covers both CVEs.

1 more reply

eah1311y ago

Honest question: does this mean this vulnerability has been in bash for essentially its entire history and someone only discovered it now?

Seems quite likely that someone would have discovered it sooner, especially since it's so simple to exploit.

patio1111y ago

Ease of exploitation and ease of discovery have basically nothing to do with each other.

Relatedly, "many eyes makes all bugs shallow" is, and always has been, totally horsepuckey. (And despite it being horsepuckey, and horsepuckey which is trivially exploitable in that if you believe it you'll produce software which can get owned by people who are better at e.g. counting to four than you are, people still believe it to this day.)

gioele11y ago

> Relatedly, "many eyes makes all bugs shallow" is, and always has been, totally horsepuckey.

Consider that the contraction of the more complete saying "Many eyes make bugs shallower than they would be if there were only few eyes".

2 more replies

robertgraham11y ago

This has been there for nearly the entire history of Bash, like 2 decades.

dustingetz11y ago

I have a macbookpro which is my developer workstation. It is in a default configuration, it is on 12 hours a day, always behind a NAT. What do I need to do to protect myself?

ProCynic11y ago

update bash (https://apple.stackexchange.com/questions/146849/how-do-i-re...) or switch to a different system default shell until bash is updated.

maldeh11y ago

Keep in mind that /bin/sh is bash on OS X. So if you have any scripts with the #!/bin/sh preamble you'll have to replace the default sh too.

bodyfour11y ago

Just apply the security updates as they arrive from Apple. The highest-risk activities like running a webserver hosting CGI scripts isn't likely to apply to you. I can't say for certain nobody will find a clever client-side attack for OS/X but right now you don't need to join in the panic that many sysadmins are (rightly) feeling today.

ams611011y ago

Are you running any remotely-accessible services? If not, I'd just wait for the next OSX update from Apple.

blocke11y ago

Rogue DHCP servers should not be a problem in any decently engineered enterprise or college campus network. Cisco switches have included DHCP snooping for years which when used only allows authorized switch ports to act as a DHCP server. Any decent enterprise wireless platform should either have transparent firewall functionality to block client DHCP responses or an equivalent to DHCP snooping.

If you've properly deployed these tools you've greatly limit the potential impact of a DHCP based worm.

Home router? Anyone test this against Linksys junk yet?

zaroth11y ago

Shellshock is a perfect name coming after Heartbleed. But this bug is suffering from lack of marketing, lagging in the news behind the iOS update being pulled.

It's sad to see an RCE somewhere so widespread and so interwoven with other software. It's also costly because now I'm questioning server integrity, thinking about what should really be re-imaged. I assume there are many more like this in the CVE pipeline...

At some point I just have to live with the fact that outside access is possible to anyone so motivated.

piratebroadcast11y ago

Shellshock Bug Logo - http://imgur.com/vlriele

prawn11y ago

Front page of the site of one of the major Australian newspapers: "Largest bug ever hits the internet"

I think it will start to make its way out to the public with a bit more time.

zaroth11y ago

I'm sure they've picked up now that the patch was bad. Should be an interesting day.

Wow the comments there are...

1 more reply

Animats11y ago

What about simply disabling CGI in Apache? If you're not using it, turn it off. Use "--disable-cgi" at Apache launch. This will break some "control panels", but you probably shouldn't be using a CGI-based control panel in 2014 anyway.

TheSoftwareGuy11y ago

I didn't realize iOS and OS X DHCP could be vulnerable. This just went from "Man a lot of other people should be worried about this" to "shit, shit, shit, shit, shit", since I don't run a web server.

sjy11y ago

Have you got a source for OS X DHCP being vulnerable? OS X has a copy of bash at /bin/sh so it's pretty vulnerable if you can find a way to remotely set environment variables and call system().

TheSoftwareGuy11y ago

It was in the article linked. at the bottom it mentioned them

1 more reply

95014_refugee11y ago

iOS systems (unless jailbroken) do not have a shell of any sort; bash or otherwise.

tdicola11y ago

As someone who just runs an Ubuntu 14.04 desktop machine without any web server should I be concerned? I don't really see how anyone could remotely execute bash on my system.

LeoPanthera11y ago

It's hard, but not impossible. Apparently your DHCP client passes responses from the DHCP server to bash.

Let's say, for the sake of argument, that your ISP's DHCP server is compromised. A worm could then spread to your system from it.

This is entirely hypothetical, but not impossible.

pbhjpbhj11y ago

What responses does it pass, does it not sanitise them? Can anyone link to details of what DHCP does that's relevant here? Thanks.

1 more reply

justincormack11y ago

to bash? or to /bin/sh? Or the user shell? On Ubuntu you are fine unless it explicitly calls bash or (unlikely) uses the user shell.

tdicola11y ago

Ouch, what a mess. Thanks for the warning.

girvo11y ago

Is it connected to the internet? Then patch it. While you can't think of anything that could remotely execute it, you'd be damn surprised how large the attack surface is for this exploit, and how flexible it is. It's a Big Deal(TM). Everything in a Linux system uses bash (hyperbole, but not too far from the truth), and all it takes is one of those not sanitizing input and it's game over :(

Basically, it may not be as immediately exploitable for desktop systems without a web-server as other bugs have been, but I wouldn't be surprised to see something pop-up in the near future.

tdicola11y ago

Yeah, the annoying thing is it sounds like there isn't a full patch yet and new vulnerabilities are being discovered. Just trying to understand if I should shut the machine down until everything is sorted out.

1 more reply

freakonom11y ago

The ecosystem of linux software that shells out to bash is ridiculous, and coercing an env var is a very light requirement.

Virtually any software that takes input from the internet can be a target, and enumerating the combination of versions and configurations is futile. We all need a working bash patch.

Not running a webserver protects against GET spray-n-pray, but you shouldn't feel safe.

grimtrigger11y ago

Could anyone provide a simplified explanation for what this is and what it means?

amalcon11y ago

This is a completely bonkers, Slammer-level hair-on-fire vulnerability. Remember Heartbleed? This is much worse. If you have a computer with an OS other than Windows or Android, your safest bet is to unplug it from the Internet until the bash developers figure this all out.

grimtrigger11y ago

And my servers? Is there anything I can do without taking them offline?

2 more replies

hamstergene11y ago

I'm really surprised how many people out there write CGI in Bash. That's one of the things which would have never crossed my mind.

sophacles11y ago

It's less about writing CGI in bash, and more about writing CGI, then eventually calling system() from within the CGI program.

This is very common, particularly with monitoring pages, etc.

aus_11y ago

Shellshock is also "reverse-shell-able". This Python script relies on /dev/tcp which is not available by default on some distros. (Source: @ortegaalfredo) But you could probably rework it to use netcat.

http://pastebin.com/raw.php?i=166f8Rjx

btown11y ago

From one of the comments:

> The question isn't whether a CGI is written in bash, but if it calls out to bash no matter how indirectly. Lots of things use the system() libc function, so if /bin/sh is bash it's game over.

Is this true? Which systems are vulnerable to this by default?

hackcasual11y ago

I think you need that + the ability to add anything to an environment variable. Not sure how easy that is.

edit: reading this looks like its exploiting CGI scripts, presumeably through the host header

fabulist11y ago

Setting an environment variable is often pretty easy, but the Host: header is the wrong way to go. The webserver will usually ignore a bad Host: header. User-agent: is much more availing.

1 more reply

deanclatworthy11y ago

Can anyone outline some clear steps for those of us on Debian Squeeze who have not yet got a patch?

thaumaturgy11y ago

Yes, you can switch to squeeze-lts and then update just bash. First, add the following two lines to your /etc/apt/sources.list:

    deb http://http.debian.net/debian/ squeeze-lts main contrib non-free
    deb-src http://http.debian.net/debian/ squeeze-lts main contrib non-free

(you do not need to change or remove any other lines from sources.list).

Then run the following command:

    apt-get update && apt-get install --only-upgrade bash

...which will update your apt sources (but not your installed software) and then will upgrade bash and only bash.

deanclatworthy11y ago

Thank you. This worked.

lemming11y ago

I just did this and got no upgrades.

1 more reply

dholl11y ago

I got tired of the hype. How's the following code for a mitigation?

Basically, if some program does invoke /bin/bash, control first passes to this code which truncates suspicious environment variables. (and it dumps messages to the system log if/when it finds anything...)

The check should match for any variety of white space:

=(){

=() {

= ( ) {

etc... but feel free to update it for whatever other stupid things bash allows.

The code is at http://ad5ey.net/bash_shock_fix.c

Simple usage:

cd /bin

gcc -std=c11 -Wall -Wextra bash_shock_fix.c -o bash_shock_fix

mv bash bash.real

ln -s bash_shock_fix bash

phoenix(pts/1):~bin# ls -al bash*

lrwxrwxrwx 1 root root 14 Sep 27 00:23 bash -> bash_shock_fix

-rwxr-xr-x 1 root root 1029624 Sep 24 14:51 bash.real

-rwxr-xr-x 1 root root 9555 Sep 27 00:23 bash_shock_fix

-rw-r--r-- 1 root root 2990 Sep 27 00:23 bash_shock_fix.c

phoenix(pts/1):~bin#

schniggie11y ago

CVE-2014-6271 cgi-bin reverse netcat shell

https://gist.github.com/schniggie/5eeeb8ac943b5c2bb356

verroq11y ago

Approximate 0% of production systems have netcat. Just pick your favourite one liner from http://pentestmonkey.net/cheat-sheet/shells/reverse-shell-ch....

wiredfool11y ago

It's in the cloud images for Ubuntu 14.04.

pdkl9511y ago

This is probably just a local problem in what I will euphemistically describe as my "very highly customized" shell, but... it might be useful to use "/usr/bin/env instad of just plain "env" in that one-liner test for the vulnerability.

(or maybe the "command" builtin instead? It seems to also 'properly' show the vulnerability as well, but I'm not if that would affect the test in some cases)

urs210211y ago

What you can do:

http://apple.stackexchange.com/questions/146849/how-do-i-rec...

If you need a temporary fix until there is a new update - this can prove to be quite useful.

daviddede11y ago

It absolutely is. Specially now with thousands of cPanel servers known to be vulnerable:

http://blog.sucuri.net/2014/09/bash-vulnerability-shell-shoc...

milankragujevic11y ago

Smart little tool to check if your website is vulnerable http://milankragujevic.com/projects/shellshock/ It can also do a deep check that checks many known URLs, not only the home page.

paulpepper11y ago

Is it possible for you to make the source for your test publicly available?

ccvannorman11y ago

Sorry in advance for noobing up this thread, but can you clarify this? As a Mac OS X user who connects to public wifi often, I'm still in the dark about whether I should literally turn off my wifi for now.. or am I safe?

wglb11y ago

The problem comes about if your mac is serving web pages. If you aren't then there is less worry.

Salemzzz11y ago

I think even just using DHCP put your Mac at risk: https://www.trustedsec.com/september-2014/shellshock-dhcp-rc...

1 more reply

walterbell11y ago

What are the best OS-specific alternatives to bash, which could be linked to /bin/sh until bash fixes are stable?

cperciva11y ago

On FreeBSD, /bin/sh is a good alternative to bash.

stephenr11y ago

On Debian /bin/sh is already provided by Dash

clarry11y ago

On OpenBSD, /bin/sh is a good alternative to bash.

ck211y ago

Patched all the CentOS machines hours ago, whew.

It's on yum now, just yum update

krunkosaurus11y ago

Isn't this all just armchair prophesying? Let's see some screenshots actual exploits from anyone. It's hard to gain access to someone's shell unless it's 1990 and a server is using CGI-BIN. People are retweeting that this is "WORSE THAN HEARTBLEED!!!!111!" but Heartbleed literally left practically every server susceptible. I ran sample exploit code against a number of tests hosts and saw mysql queries and passwords streaming in plain text. Yeah shellshock is a big deal but I've yet to the ground rumble and shake and Y2K x 10000 happen. This seems like a big deal but it actually isn't. Most likely no one can access your shell. Patch and move on.

eropple11y ago

Well, that depends. Are you running Passenger?

http://blog.phusion.nl/2014/09/25/security-advisory-phusion-...

What about the rest of your servers? I can't claim to know that none of mine don't call system() somewhere deep in them.

f00ber11y ago

Oh stop this stupidity already. If you are not running a Web server that spawns bash when serving an HTTP request, then you are NOT vulnerable.

Are you running a Web server that uses CGI scripts written in shell or plain C that uses system() call? If you do, you have had other problems long before.

There are some grumblings about DHCP _client_ setups on Linux passing parameters via environment variables to shell scripts executed by bash, but I am yet to see this. This would be a problem, but probably easily fixable.

No need to panic or even patch anything (as always). If you running servers on your machine and allow inbound connections you should know exactly what those servers are and what they execute on behalf of external users.

This is NOT remotely exploitable.

It's an ad campaign for "security researchers" people.

clarry11y ago

It is hilarious that you claim this is not remotely exploitable in response to a post describing how a very simple and limited scan has already found thousands of vulnerable hosts in a short timeframe.

And I dare say there are lots of admins who do not know exactly what their servers are going to execute because they're using software written by other people. That's why we call them admins, not software developers.

By the way, system() can be used in quite a lot of languages, not just in plain C.

And there are definitely more attack vectors than CGI. CGI is just the most obvious one.

f00ber11y ago

Well, let these _admins_ worry about this. This is of no concern for the moment for a regular Linux or OS X user.

Now, an admin _must_ know every service running on entrusted boxes facing the Internet. CGI scripts hopefully are not common these days. If you run them do stop for other reasons.

So far every "attack vector" implies having shell access to the target machine in some form. No need to panic for majority of people.

2 more replies

bodyfour11y ago

> plain C that uses system() call?

Lots of code uses system()/popen() etc. If no user-controlled input is passed in as an argument, most people would have not considered that a potential vulnerability. More software than you think is going to be affected.

f00ber11y ago

Please give me an example of how somebody not running a Web server and a collection of CGI scripts is affected. A git server? Are you running one of these? Move on, nothing to see for most of us.

1 more reply

regularfry11y ago

Forgive me if I've misunderstood the problem, but isn't, for instance, a perl cgi script which happens to shell out to bash for some incidental functionality also vulnerable? The environment variable should get inherited.

Silhouette11y ago

Yes. Just about anything that winds up running bash with an unsanitized environment that an attacker could influence is potentially vulnerable. The GP poster has no idea what they are talking about.

stripe11y ago

Then this might be news to you:

https://gist.github.com/anonymous/929d622f3b36b00c0be1

j / k navigate · click thread line to collapse

147 comments

fabulist11y ago

Test your local machine:

export evil='() { :;}; echo vulnerable'; bash -c echo;

Vulnerable computers will print 'vulnerable'.

Test a CGI:

curl -i -X HEAD "http://website" -A '() { :;}; echo "Warning: Server Vulnerable"'

Vulnerable scripts will emit a "Warning" header. If you get a 405 error, try it with a GET request.

I don't know the PoC fo new version which wiggles around the patch.

mv /bin/bash /bin/_bash

chmod ugo-x /bin/_bash

ln -s /bin/dash /bin/bash

agwa11y ago

> Its advisable to rename bash, and replace it with a symlink to dash; it shouldn't break any scripts

It most certainly will. dash provides a tiny subset of bash's functionality. Even scripts using #!/bin/sh often contain bashisms; a script using #!/bin/bash is certain to contain bashisms.

And neither dash nor ksh have this "feature" of exporting functions through environment variables.

fabulist11y ago

You're right, and I didn't find this out until after I couldn't edit my post. My mistake.

rsync11y ago

Actually, the first test would be 'which bash', since not all systems have it installed by default.

Notably, FreeBSD, which has never included it by default.

valamit11y ago

    bash: warning: evil: ignoring function definition attempt
    bash: error importing function definition for `evil'

would mean it's not?

yoha11y ago

That's the message you get on a patched machine. However, the patch is not sufficient: https://news.ycombinator.com/item?id=8365216 .

2 more replies

patio1111y ago

cperciva11y ago

I run no Linux/Unix/MacOS/compatible/etc machine which connects other machines

How about "I don't run bash"? There are other perfectly good shells, you know...

quesera11y ago

Or "I don't run UNIXes that default to bash, or hide it under /bin/sh, etc."

Unfortunately, bash shows up in surprising places, including default Solaris installs nowadays.

On OSX and Solaris, I've chmod'ed 0000 /bin/bash with no apparent ill effect so far. I'll put more effort into establishing its acceptability as a solution tomorrow.

BSDs won't have bash unless someone has gone out of their way to install it, which can be undone straightforwardly.

But it could be a long night for our Linux brethren and sistren.

Good luck, and remember to stay hydrated. :)

EDIT: obviously, don't chmod 0000 your login shell! Fix that first. Make sure whatever you switch to isn't a symbolic or hard link to bash.

1 more reply

patio1111y ago

You and Thomas can ignore everything I say about security. J. Random Rails Developer, on the other hand, probably gets useful signal if I start panicking. (Am I panicking? YES.)

inportb11y ago

I suspect that many folks who "don't run bash" actually do use bash quite a bit, e.g. in initscripts and various software packages.

1 more reply

wiredfool11y ago

Someone is going to be going through busybox soon, and then there (potentially) will be a whole bunch more exploitable boxes that don't have a generally have a regular update cycle.

1 more reply

count11y ago

bodyfour11y ago

patio1111y ago

2 more replies

_xnmw11y ago

What about using the exploit to remotely patch machines?

smellf11y ago

That's a very cool idea.

donw11y ago

Ubuntu 10.04LTS - 14.04LTS appears to be patched: http://www.ubuntu.com/usn/usn-2362-1/

Logging into my server, things look good -- this is why you turn on automatic security updates. :)

timv11y ago

That update appears to only patch CVE-2014-6271 and not CVE-2014-7169 ( See: https://news.ycombinator.com/item?id=8365158 )

Although 7169 appears to be more difficult to exploit than 6271, you're not out of the woods until a patch gets distributed (+applied!) that covers both CVEs.

1 more reply

eah1311y ago

Honest question: does this mean this vulnerability has been in bash for essentially its entire history and someone only discovered it now?

Seems quite likely that someone would have discovered it sooner, especially since it's so simple to exploit.

patio1111y ago

Ease of exploitation and ease of discovery have basically nothing to do with each other.

gioele11y ago

> Relatedly, "many eyes makes all bugs shallow" is, and always has been, totally horsepuckey.

Consider that the contraction of the more complete saying "Many eyes make bugs shallower than they would be if there were only few eyes".

2 more replies

robertgraham11y ago

This has been there for nearly the entire history of Bash, like 2 decades.

dustingetz11y ago

I have a macbookpro which is my developer workstation. It is in a default configuration, it is on 12 hours a day, always behind a NAT. What do I need to do to protect myself?

ProCynic11y ago

update bash (https://apple.stackexchange.com/questions/146849/how-do-i-re...) or switch to a different system default shell until bash is updated.

maldeh11y ago

Keep in mind that /bin/sh is bash on OS X. So if you have any scripts with the #!/bin/sh preamble you'll have to replace the default sh too.

bodyfour11y ago

ams611011y ago

Are you running any remotely-accessible services? If not, I'd just wait for the next OSX update from Apple.

blocke11y ago

If you've properly deployed these tools you've greatly limit the potential impact of a DHCP based worm.

Home router? Anyone test this against Linksys junk yet?

zaroth11y ago

Shellshock is a perfect name coming after Heartbleed. But this bug is suffering from lack of marketing, lagging in the news behind the iOS update being pulled.

At some point I just have to live with the fact that outside access is possible to anyone so motivated.

piratebroadcast11y ago

Shellshock Bug Logo - http://imgur.com/vlriele

prawn11y ago

Front page of the site of one of the major Australian newspapers: "Largest bug ever hits the internet"

I think it will start to make its way out to the public with a bit more time.

zaroth11y ago

I'm sure they've picked up now that the patch was bad. Should be an interesting day.

Wow the comments there are...

1 more reply

Animats11y ago

TheSoftwareGuy11y ago

I didn't realize iOS and OS X DHCP could be vulnerable. This just went from "Man a lot of other people should be worried about this" to "shit, shit, shit, shit, shit", since I don't run a web server.

sjy11y ago

Have you got a source for OS X DHCP being vulnerable? OS X has a copy of bash at /bin/sh so it's pretty vulnerable if you can find a way to remotely set environment variables and call system().

TheSoftwareGuy11y ago

It was in the article linked. at the bottom it mentioned them

1 more reply

95014_refugee11y ago

iOS systems (unless jailbroken) do not have a shell of any sort; bash or otherwise.

tdicola11y ago

As someone who just runs an Ubuntu 14.04 desktop machine without any web server should I be concerned? I don't really see how anyone could remotely execute bash on my system.

LeoPanthera11y ago

It's hard, but not impossible. Apparently your DHCP client passes responses from the DHCP server to bash.

Let's say, for the sake of argument, that your ISP's DHCP server is compromised. A worm could then spread to your system from it.

This is entirely hypothetical, but not impossible.

pbhjpbhj11y ago

What responses does it pass, does it not sanitise them? Can anyone link to details of what DHCP does that's relevant here? Thanks.

1 more reply

justincormack11y ago

to bash? or to /bin/sh? Or the user shell? On Ubuntu you are fine unless it explicitly calls bash or (unlikely) uses the user shell.

tdicola11y ago

Ouch, what a mess. Thanks for the warning.

girvo11y ago

Basically, it may not be as immediately exploitable for desktop systems without a web-server as other bugs have been, but I wouldn't be surprised to see something pop-up in the near future.

tdicola11y ago

1 more reply

freakonom11y ago

The ecosystem of linux software that shells out to bash is ridiculous, and coercing an env var is a very light requirement.

Virtually any software that takes input from the internet can be a target, and enumerating the combination of versions and configurations is futile. We all need a working bash patch.

Not running a webserver protects against GET spray-n-pray, but you shouldn't feel safe.

grimtrigger11y ago

Could anyone provide a simplified explanation for what this is and what it means?

amalcon11y ago

grimtrigger11y ago

And my servers? Is there anything I can do without taking them offline?

2 more replies

hamstergene11y ago

I'm really surprised how many people out there write CGI in Bash. That's one of the things which would have never crossed my mind.

sophacles11y ago

It's less about writing CGI in bash, and more about writing CGI, then eventually calling system() from within the CGI program.

This is very common, particularly with monitoring pages, etc.

aus_11y ago

http://pastebin.com/raw.php?i=166f8Rjx

btown11y ago

From one of the comments:

> The question isn't whether a CGI is written in bash, but if it calls out to bash no matter how indirectly. Lots of things use the system() libc function, so if /bin/sh is bash it's game over.

Is this true? Which systems are vulnerable to this by default?

hackcasual11y ago

I think you need that + the ability to add anything to an environment variable. Not sure how easy that is.

edit: reading this looks like its exploiting CGI scripts, presumeably through the host header

fabulist11y ago

Setting an environment variable is often pretty easy, but the Host: header is the wrong way to go. The webserver will usually ignore a bad Host: header. User-agent: is much more availing.

1 more reply

deanclatworthy11y ago

Can anyone outline some clear steps for those of us on Debian Squeeze who have not yet got a patch?

thaumaturgy11y ago

Yes, you can switch to squeeze-lts and then update just bash. First, add the following two lines to your /etc/apt/sources.list:

    deb http://http.debian.net/debian/ squeeze-lts main contrib non-free
    deb-src http://http.debian.net/debian/ squeeze-lts main contrib non-free

(you do not need to change or remove any other lines from sources.list).

Then run the following command:

    apt-get update && apt-get install --only-upgrade bash

...which will update your apt sources (but not your installed software) and then will upgrade bash and only bash.

deanclatworthy11y ago

Thank you. This worked.

lemming11y ago

I just did this and got no upgrades.

1 more reply

dholl11y ago

I got tired of the hype. How's the following code for a mitigation?

The check should match for any variety of white space:

=(){

=() {

= ( ) {

etc... but feel free to update it for whatever other stupid things bash allows.

The code is at http://ad5ey.net/bash_shock_fix.c

Simple usage:

cd /bin

gcc -std=c11 -Wall -Wextra bash_shock_fix.c -o bash_shock_fix

mv bash bash.real

ln -s bash_shock_fix bash

phoenix(pts/1):~bin# ls -al bash*

lrwxrwxrwx 1 root root 14 Sep 27 00:23 bash -> bash_shock_fix

-rwxr-xr-x 1 root root 1029624 Sep 24 14:51 bash.real

-rwxr-xr-x 1 root root 9555 Sep 27 00:23 bash_shock_fix

-rw-r--r-- 1 root root 2990 Sep 27 00:23 bash_shock_fix.c

phoenix(pts/1):~bin#

schniggie11y ago

CVE-2014-6271 cgi-bin reverse netcat shell

https://gist.github.com/schniggie/5eeeb8ac943b5c2bb356

verroq11y ago

Approximate 0% of production systems have netcat. Just pick your favourite one liner from http://pentestmonkey.net/cheat-sheet/shells/reverse-shell-ch....

wiredfool11y ago

It's in the cloud images for Ubuntu 14.04.

pdkl9511y ago

(or maybe the "command" builtin instead? It seems to also 'properly' show the vulnerability as well, but I'm not if that would affect the test in some cases)

urs210211y ago

What you can do:

http://apple.stackexchange.com/questions/146849/how-do-i-rec...

If you need a temporary fix until there is a new update - this can prove to be quite useful.

daviddede11y ago

It absolutely is. Specially now with thousands of cPanel servers known to be vulnerable:

http://blog.sucuri.net/2014/09/bash-vulnerability-shell-shoc...

milankragujevic11y ago

Smart little tool to check if your website is vulnerable http://milankragujevic.com/projects/shellshock/ It can also do a deep check that checks many known URLs, not only the home page.

paulpepper11y ago

Is it possible for you to make the source for your test publicly available?

ccvannorman11y ago

wglb11y ago

The problem comes about if your mac is serving web pages. If you aren't then there is less worry.

Salemzzz11y ago

I think even just using DHCP put your Mac at risk: https://www.trustedsec.com/september-2014/shellshock-dhcp-rc...

1 more reply

walterbell11y ago

What are the best OS-specific alternatives to bash, which could be linked to /bin/sh until bash fixes are stable?

cperciva11y ago

On FreeBSD, /bin/sh is a good alternative to bash.

stephenr11y ago

On Debian /bin/sh is already provided by Dash

clarry11y ago

On OpenBSD, /bin/sh is a good alternative to bash.

ck211y ago

Patched all the CentOS machines hours ago, whew.

It's on yum now, just yum update

krunkosaurus11y ago

eropple11y ago

Well, that depends. Are you running Passenger?

http://blog.phusion.nl/2014/09/25/security-advisory-phusion-...

What about the rest of your servers? I can't claim to know that none of mine don't call system() somewhere deep in them.

f00ber11y ago

Oh stop this stupidity already. If you are not running a Web server that spawns bash when serving an HTTP request, then you are NOT vulnerable.

Are you running a Web server that uses CGI scripts written in shell or plain C that uses system() call? If you do, you have had other problems long before.

This is NOT remotely exploitable.

It's an ad campaign for "security researchers" people.

clarry11y ago

By the way, system() can be used in quite a lot of languages, not just in plain C.

And there are definitely more attack vectors than CGI. CGI is just the most obvious one.

f00ber11y ago

Well, let these _admins_ worry about this. This is of no concern for the moment for a regular Linux or OS X user.

Now, an admin _must_ know every service running on entrusted boxes facing the Internet. CGI scripts hopefully are not common these days. If you run them do stop for other reasons.

So far every "attack vector" implies having shell access to the target machine in some form. No need to panic for majority of people.

2 more replies

bodyfour11y ago

> plain C that uses system() call?

f00ber11y ago

Please give me an example of how somebody not running a Web server and a collection of CGI scripts is affected. A git server? Are you running one of these? Move on, nothing to see for most of us.

1 more reply

regularfry11y ago

Silhouette11y ago

Yes. Just about anything that winds up running bash with an unsanitized environment that an attacker could influence is potentially vulnerable. The GP poster has no idea what they are talking about.

stripe11y ago

Then this might be news to you:

https://gist.github.com/anonymous/929d622f3b36b00c0be1

j / k navigate · click thread line to collapse