Everything you need to know about the Shellshock Bash bug



  • I don't think this has been posted yet,

    GNU Bash through 4.3 processes trailing strings after function definitions in the values of environment variables, which allows remote attackers to execute arbitrary code via a crafted environment, as demonstrated by vectors involving the ForceCommand feature in OpenSSH sshd, the mod_cgi and mod_cgid modules in the Apache HTTP Server, scripts executed by unspecified DHCP clients, and other situations in which setting the environment occurs across a privilege boundary from Bash execution.




  • Fuck!

    13/4 hours ago? Wow. That topic got buried fast.



  • shoulda discosearched



  • There's so much misinformation being spread that I still don't know /what/ actually is vulnerable. And that article does not help me one bit.

    I know the attack vector. That part is simple.

    But my /bin/sh is not bash, and has not been for years. Which parts of my system are vulnerable? A CGI script on my web server that has a shebang of #!/bin/bash? Scripts that call bash explicitly? How common is that anyway? When exactly are ssh connections vulnerable? Doesn't the user have to pass authentication first?



  • All I can tell is that whatever it is it doesn't seem to affect Windows.

    For once.

    Then again, all the iCloud problems also didn't affect Windows directly, so that's at least 2 security issues that only affect non-Windows systems in the passed month. Hurrah! At this rate we'll have parity between the OSes by 2058!



  • @algorythmics said:

    shoulda discosearched

    ROFL, just searched for "troyhunt". Discosearch says "No results found." but at the same time highlights every occurrence of the searchphrase in this page.

    Days without Discoursebug: 0



  • @Matches said:

    I don't think this has been posted yet,

    WTF!? Dude you were in that thread. You participated! WTF?



  • discotime says his participation in both is 11 hours ago. Discotime doesn't let me identify for certain which came first, but I think we can give matches the benefit of the doubt that he didnt create this thread minutes after replying to the other one...



  • @hhaamu said:

    But my /bin/sh is not bash, and has not been for years. Which parts of my system are vulnerable? A CGI script on my web server that has a shebang of #!/bin/bash? Scripts that call bash explicitly? How common is that anyway? When exactly are ssh connections vulnerable? Doesn't the user have to pass authentication first?

    Welcome to sewage city, you're waist-deep in it.

    Maybe people in the Linux/Unix community will learn that human interfaces (like bash) should not be used by non-humans as APIs. ... but I doubt it.



  • @scrib said:

    All I can tell is that whatever it is it doesn't seem to affect Windows.

    For once.

    The last 3 major exploits haven't affected Windows. Apple's "goto fail;", Heartbleed, and this: Windows doesn't run any of this shitty code.

    This one does have a possibility of affecting Windows, if the Windows user installs shitty open source crap, like GitBash (which is/was affected.)

    I'm not sure what happens if you're using IIS with old-school CGI to run (say) and older PHP on a Windows server, but I assume it fails since that configuration has no Bash anywhere in it.

    @scrib said:

    Then again, all the iCloud problems also didn't affect Windows directly,

    Oh right, so my count's up to 4.

    How many decades do you think this pattern will need to continue before open source idiots drop the "Windows is insecure!!11111!!!!" FUD? My guess: infinite.


  • area_deu

    @blakeyrat said:

    Heartbleed

    Microsoft has software that uses OpenSSL and runs on Windows.



  • @aliceif said:

    Microsoft has software that uses OpenSSL and runs on Windows.

    So do a lot of companies. And yet, Windows itself is not affected.

    The very article you linked says it's a third-party component. Read down to the FAQ section.



  • @blakeyrat said:

    So do a lot of companies. And yet, Windows itself is not affected.

    So is Shellshock a Linux or GNU/Linux sort of problem? It's not like we don't get a steady stream of critical patches coming out on patch Tuesdays.


  • area_deu

    @The Article said:

    shipped in-box as part of the Windows operating system

    Yeah? Still part of the OS.



  • Take a look at those patches. At least they're mildly difficult to attack. Difficult enough that they're not getting their own custom logos and headlines in non-tech newspapers.

    Apple's goto fail and Heartbleed both allowed people to trivially bypass all SSL encryption.

    Shellshock can be used with a simple crafted HTTP request to make 30-50% of all Linux computers run commands on your behalf. (And God only knows how many routers, "smart devices", etc.)

    There's two factors here: number of exploits, and ease of exploit. Microsoft's about on-par on the first, but they're waaay ahead on the second.



  • @aliceif said:

    Yeah? Still part of the OS.

    Nope. Read the FAQ, like I told you to the first time. It's plain as fucking day. I'm not going to do this "uh huh! Nuh uh! Uh huh!" back and forth with an illiterate.

    Even if it was, it doesn't change my point: in the last few years, Windows has been significantly more secure than competing OSes. Even if you somehow read the phrase "third-party" as "PART OF WINDOWS GUYZZZ!!!" that doesn't change my point.



  • It was linked and I went there, I figured this thread would get buried and that one would come up. It's like 10 .. 20 minutes different


  • area_deu

    OpenSSL is third party software to all OSes in the world?



  • Ok I have no patience for pedantic dickweeds.

    Look aliceif, your OS of choice is SHIT. Annoying me with pedantic dickweedery is not going to change the fact that this flaw is moronic, has been around (and exploited? who knows!) for decades, and is EMBARRASSING.

    Why don't you take the effort you're expending making really fucking stupid comments to me on here and instead use that energy to COPE WITH REALITY.



  • @blakeyrat said:

    Ok I have no patience for pedantic dickweeds.

    Look aliceif, your OS of choice is SHIT. Annoying me with pedantic dickweedery is not going to change the fact that this flaw is moronic, has been around (and exploited? who knows!) for decades, and is EMBARRASSING.

    Why don't you take the effort you're expending making really fucking stupid comments to me on here and instead use that energy to COPE WITH REALITY.

    He's funny when he knows he's being an ass.


  • sockdevs

    @blakeyrat said:

    Annoying me with pedantic dickweedery

    it might not change anything, but it is funny, to about 60% of this forum* anyway

    *. by my esitmates, not intended to be an accurate representation of this forum, results subject to change without notice, margin of error is +/- 150%


  • area_deu

    LOL U MAD?
    Sorry, but you throw half-truth-half-lies around.
    I just feel like calling you out on that.

    Of course, you can't possibly imagine that I'm not a Linux zealot. My most used Linux flavour is Android. I have been using Windows at home exclusively in the last few weeks because of a game I bought and I do not hate Windows and I don't preach that Linux is better, I just like using it more than I like using Windows for some reason.

    If you have no patience for pedantic dickweeds, don't reply to them.



  • @aliceif said:

    Sorry, but you throw half-truth-half-lies around.I just feel like calling you out on that.

    Ok. Go for it. Knock yourself out, I can take it.

    Cite just one "half-truth-half-lies" I've "thrown around". In fact, I fucking dare you. I double-dog dare you.



  • @algorythmics said:

    Discotime doesn't let me identify for certain which came first

    If you click on the Discotime (the post timestamp), you can. He posted in the other topic 15 minutes after creating this one.


  • Discourse touched me in a no-no place

    @boomzilla said:

    He's funny when he knows he's being an ass.

    Some days I feel like we should just give him the purple dildo badge and just retire the whole lot of them.


  • sockdevs

    @blakeyrat said:

    Cite just one "half-truth-half-lies" I've "thrown around". In fact, I fucking dare you. I double-dog dare you

    this sounds interesting.

    @aliceif, did you have any particular one in mind?


  • area_deu

    I don't feel like discosearching just to prove a point.


  • sockdevs

    @FrostCat said:

    Some days I feel like we should just give him the purple dildo badge and just retire the whole lot of them.

    wouldn't a donkey based badge be more appropriate?

    maybe something like the royal order of the most high donkeys wearing pants that are way too tight...

    hmm... Ok, so i'm bad at naming things. someone else want to give it a go?



  • Bluff: called.


  • sockdevs

    deciding the game is not worth playing is not conceding the point.

    i've no doubt i too could find something that would back @aliceif's point, but i do not feel the effort would be worth it, partucularly since i won't actually gain anything positive out of the exchange.


  • area_deu

    Even if it was a bluff, it was fun to see you get mad over nothing.
    :heart:



  • You've never seen me mad.


  • Discourse touched me in a no-no place

    @blakeyrat said:

    You've never seen me mad.

    This isn't even his final form.


  • Discourse touched me in a no-no place

    @hhaamu said:

    There's so much misinformation being spread that I still don't know /what/ actually is vulnerable. And that article does not help me one bit.

    What is vulnerable is bash, the Bourne Again Shell, of many different versions. :frowning:

    The problem is that it may be used for all sorts of things (it's pretty common), and since the attack vector is via environment variables (which are inherited by subprocesses) it's hard to be sure what code might be impacted. Systems that alias /bin/sh to /bin/bash are particularly heavily affected, as that means that the standard library calls system() and popen() — pretty commonly used; system() is ANSI C90 — are impacted.

    In mitigation, not that many services pass things specified by an unknown unauthenticated client to suprocesses via environment variables; it was never recommended practice as it was always subject to arbitrary size limits. So unless you've got crappy code (or are using CGI, in which case you're potentially much more exposed, though not automatically) then you're likely in the clear. But as we know too well, there's a lot of crappy code out there…

    The right fix is for bash to have an update to at least not assume that eval of an environment variable is automatically safe… and probably to not pull functions from environment variables at all (though that's a more heavyweight change).



  • @dkf said:

    probably to not pull functions from environment variables at all (though that's a more heavyweight change)

    and would break bash-completion (the lovely thing that inspired intellisense).

    Bash already has an -i option to tell it to optimize its behavior for interactive use. Shouldn't take much to add another shopt telling it whether to define functions from the environment or not, with the default state set from -i.

    I'd expect that to cover 95% of the present use cases for function exporting without any other change to systems, and stop "shell shock" in its tracks.


  • Discourse touched me in a no-no place

    @flabdablet said:

    I'd expect that to cover 95% of the present use cases for function exporting without any other change to systems, and stop "shell shock" in its tracks.

    I never entirely understood why exporting functions via environment variables was a good idea in the first place. If someone really wants them, they'll put them in a file somewhere. But then it's not my design screwup…


  • mod



  • I think the whole "Open Source is more secure!" thing actually goes like this:

    1. Developers argue Open Source is more secure, because if there is a flaw someone will find it.
    2. Developers assume that since it's open source, someone else will be looking through the code.
    3. All developers assume somebody else will look through it.
    4. Because of point 3, no developers actually look through the code (hey, someone else will do it!), and security vulnerabilities remain hidden or unpublished for very long periods of time.
    5. Because of point 2, users and developers assume the code has been vetted and is safe, and the security vulnerabilities get pushed into production systems around the world.


  • That actually sounds like @blakeyrat without the rant, don't let that scare you. Just because it is possible for others to have a look at the code doesn't make it so ...



  • Hand-rolled parsers can hide all sorts of horrors...or did Bash use Lex/Yacc (or Flex/Bison) improperly, somehow?



  • Whereas with closed source, the security is more straightforward:

    3. All developers assume someone else will look through it.



  • At least with closed source, there's a possibility of auditing and usually a QA/QC department, versus Open Source accepting PR's willy-nilly and never bothering to look at anything in detail.


Log in to reply
 

Looks like your connection to What the Daily WTF? was lost, please wait while we try to reconnect.