Author Topic: ShellShock!, More security holes (remote code execution through bash)  (Read 10518 times)


Offline sleemanj

  • Super Contributor
  • ***
  • Posts: 3043
  • Country: nz
  • Professional tightwad.
    • The electronics hobby components I sell.
Re: ShellShock!, More security holes (remote code execution through bash)
« Reply #25 on: September 25, 2014, 11:22:36 pm »
The first thing to know is this is a bad bug.  Really nasty.  Nastier than Heartbleed.

The second thing to know, it is NOT a privilege escalation bug (in itself, but once you can run something on a server you have a vector to perform some other attacks against other things to escalate perhaps... keep your systems patched guys), you can't use this (on its own) to get root.  Of course, if you're mental enough to run your web server as root that's a different matter, mentals shouldn't be server admins.

"CGI" is affected, but do not be fooled by "I don't use bash CGI therefore safe" - if your, for example, PHP or perl or .... calls out with system() type commands which use a shell and the shell is bash, those dodgy env variables could get pushed through and executed.  Once the variables have been injected to the web server, then anywhere in that process that bash could fire up is potentially a problem, it doesn't necessarily need to be a bash script CGI.  If somebody looks and finds such a vector in say, wordpress, boy, that'd make for a fun time.

SSH is affected but this is really only of interest when your SSH session is normally command-restricted (that is, you have one command that it runs, or some set thereof), again, it's not giving somebody access to a server they didn't have access to already (I think) but it could give them the ability to run some command that they wouldn't normally be able to (but still have unix permissions which allow them to outside of SSH, so can't be that much of a problem).
~~~
EEVBlog Members - get yourself 10% discount off all my electronic components for sale just use the Buy Direct links and use Coupon Code "eevblog" during checkout.  Shipping from New Zealand, international orders welcome :-)
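
The environment pass-through described in the post above, as an added example that is not part of the original thread: a POSIX shell helper that lists exported variables whose value starts with `() {` (the prefix bash treated as a function definition when importing its environment) and starts a child command without them. The function names, the sample variable and the handler path are constructed for illustration, and `env -u` is assumed to be available (GNU, BSD and BusyBox provide it).

```shell
#!/bin/sh
# Added example (not from the thread). Defence in depth, not a substitute
# for patching bash: keep function-like values out of a child's environment.

# Print the names of exported variables whose value begins with "() {".
# Note: functions exported by a patched bash (BASH_FUNC_name%%) match too.
function_like_env_names() {
    awk 'BEGIN {
        for (name in ENVIRON)
            if (index(ENVIRON[name], "() {") == 1)
                print name
    }' | sort
}

# Run "$@" with every flagged variable removed from the child's environment.
run_scrubbed() {
    names=$(function_like_env_names)
    for name in $names; do
        set -- -u "$name" "$@"      # prepend one "-u NAME" pair per variable
    done
    env "$@"
}

# Constructed usage, e.g. from a wrapper around a CGI handler:
#   HTTP_USER_AGENT comes from the request; the child never sees it if its
#   value looks like a function definition.
#   run_scrubbed /path/to/handler   (hypothetical path)
```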
 

Online Marco

  • Super Contributor
  • ***
  • Posts: 6947
  • Country: nl
Re: ShellShock!, More security holes (remote code execution through bash)
« Reply #26 on: September 26, 2014, 12:01:44 am »
Quote
3. local users ? once the user is logged in , the user can execute anything under his shell - if he prefers to craft a creepy environment variable containing his command and calling a sub-shell to execute it instead of writing the command directly...... well... if he likes it that way - I don't give a shit ;) this bug is NOT elevating any privileges.

It doesn't need to, there's never any shortage of them.
 

Online amyk

  • Super Contributor
  • ***
  • Posts: 8408
Re: ShellShock!, More security holes (remote code execution through bash)
« Reply #27 on: September 26, 2014, 10:08:19 am »
https://www.trustedsec.com/september-2014/shellshock-dhcp-rce-proof-concept/

Now you should start worrying...

DHCP via bash scripts? WhoTF thought that was a sane idea?
 

Offline madires

  • Super Contributor
  • ***
  • Posts: 8144
  • Country: de
  • A qualified hobbyist ;)
Re: ShellShock!, More security holes (remote code execution through bash)
« Reply #28 on: September 26, 2014, 10:27:25 am »
Quote
https://www.trustedsec.com/september-2014/shellshock-dhcp-rce-proof-concept/

Now you should start worrying...

DHCP via bash scripts? WhoTF thought that was a sane idea?

Simply change your default shell (/bin/sh) and check the dhcp hook scripts. AFAIK most linux distributions don't use bash as default shell anyway.
« Last Edit: September 26, 2014, 10:31:54 am by madires »
 

Offline rob77

  • Super Contributor
  • ***
  • Posts: 2085
  • Country: sk
Re: ShellShock!, More security holes (remote code execution through bash)
« Reply #29 on: September 26, 2014, 10:53:47 am »
Quote
https://www.trustedsec.com/september-2014/shellshock-dhcp-rce-proof-concept/

Now you should start worrying...

DHCP via bash scripts? WhoTF thought that was a sane idea?

Simply change your default shell (/bin/sh) and check the dhcp hook scripts. AFAIK most linux distributions don't use bash as default shell anyway.

many distributions have the /bin/sh provided by a symlink to bash...

but anyways.... how many of you guys are using linux as a primary os on your laptops and connecting to UNKNOWN networks with it ? how many of you are running CGI scripts written in shell ?

everyone is screaming and spreading FUD, while the severity of the issue is almost none for most of the linux installations.

if you are afraid, then either install a patch (most of the vendors released the patches) or install a different shell and deinstall bash.
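
Both points in the exchange above (which shell `/bin/sh` really is, and which hook scripts use bash) can be checked together; this is an added example, not part of the thread. It reports scripts in a directory whose `#!` interpreter resolves to a binary named bash, following symlinks, and assumes `readlink -f` is available. Files with no `#!` line are not reported, since they run under whatever shell sources or launches them; the function names are illustrative.

```shell
#!/bin/sh
# Added example: list scripts that end up being run by bash, whether the
# shebang names bash directly or names an "sh" that is a symlink to bash.

# Print the interpreter a script's "#!" line names (nothing if there is none).
shebang_interp() {
    first=
    IFS= read -r first 2>/dev/null < "$1" || :
    case $first in
        '#!'*) ;;
        *) return 0 ;;
    esac
    set -- ${first#??}                 # split "#!/usr/bin/env bash" into words
    case ${1##*/} in
        env) printf '%s\n' "${2:-}" ;; # "env NAME": NAME is looked up in PATH
        *)   printf '%s\n' "${1:-}" ;;
    esac
}

# Succeed if the script in $1 would be interpreted by a binary named bash.
runs_under_bash() {
    interp=$(shebang_interp "$1")
    [ -n "$interp" ] || return 1
    case $interp in
        /*) ;;
        *) interp=$(command -v "$interp" 2>/dev/null) || return 1 ;;
    esac
    # Follow symlinks so that /bin/sh -> bash is reported as bash.
    target=$(readlink -f "$interp" 2>/dev/null) || target=$interp
    [ "${target##*/}" = bash ]
}

# Print every regular file directly under directory $1 that runs under bash.
bash_scripts_in() {
    for f in "$1"/*; do
        [ -f "$f" ] || continue
        if runs_under_bash "$f"; then printf '%s\n' "$f"; fi
    done
}

# Usage: pass the directory to scan, e.g. your DHCP client's hook directory.
if [ "$#" -gt 0 ]; then bash_scripts_in "$1"; fi
```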
 

Online tggzzz

  • Super Contributor
  • ***
  • Posts: 20638
  • Country: gb
  • Numbers, not adjectives
    • Having fun doing more, with less
Re: ShellShock!, More security holes (remote code execution through bash)
« Reply #30 on: September 26, 2014, 11:02:38 am »
Quote
if you are afraid, then either install a patch (most of the vendors released the patches) or install a different shell and deinstall bash.

Where do I get the patch for my wireless router, smart TV, printer etc etc?

Yes, I know these are behind my firewall and GRC reports limited external access, but all they need is one way into my network...
There are lies, damned lies, statistics - and ADC/DAC specs.
Glider pilot's aphorism: "there is no substitute for span". Retort: "There is a substitute: skill+imagination. But you can buy span".
Having fun doing more, with less
 

Online Monkeh

  • Super Contributor
  • ***
  • Posts: 8052
  • Country: gb
Re: ShellShock!, More security holes (remote code execution through bash)
« Reply #31 on: September 26, 2014, 11:31:58 am »
Quote
if you are afraid, then either install a patch (most of the vendors released the patches) or install a different shell and deinstall bash.
Where do I get the patch for my wireless router, smart TV, printer etc etc?

Yes, I know these are behind my firewall and GRC reports limited external access, but all they need is one way into my network...

What makes you think you need a patch?
 

Online tggzzz

  • Super Contributor
  • ***
  • Posts: 20638
  • Country: gb
  • Numbers, not adjectives
    • Having fun doing more, with less
Re: ShellShock!, More security holes (remote code execution through bash)
« Reply #32 on: September 26, 2014, 11:59:54 am »
Quote
if you are afraid, then either install a patch (most of the vendors released the patches) or install a different shell and deinstall bash.
Where do I get the patch for my wireless router, smart TV, printer etc etc?

Yes, I know these are behind my firewall and GRC reports limited external access, but all they need is one way into my network...

What makes you think you need a patch?
They all contain old unpatched versions of linux including webservers. That's sufficient for concern, and you don't have sufficient knowledge to allay that concern; nobody does.

Welcome to one of the key emerging problems with the "Internet of Things".
 

Online Monkeh

  • Super Contributor
  • ***
  • Posts: 8052
  • Country: gb
Re: ShellShock!, More security holes (remote code execution through bash)
« Reply #33 on: September 26, 2014, 12:01:53 pm »
Quote
They all contain old unpatched versions of linux including webservers.

Sure, but as far as this issue goes.. they most likely don't have bash. Very, very few embedded devices do, bash is huge.

Quote
That's sufficient for concern, and you don't have sufficient knowledge to allay that concern; nobody does.

.. I have enough knowledge of embedded software not to be concerned about any of mine.
 

Online tggzzz

  • Super Contributor
  • ***
  • Posts: 20638
  • Country: gb
  • Numbers, not adjectives
    • Having fun doing more, with less
Re: ShellShock!, More security holes (remote code execution through bash)
« Reply #34 on: September 26, 2014, 12:12:35 pm »
Quote
They all contain old unpatched versions of linux including webservers.

Sure, but as far as this issue goes.. they most likely don't have bash. Very, very few embedded devices do, bash is huge.

Quote
That's sufficient for concern, and you don't have sufficient knowledge to allay that concern; nobody does.

.. I have enough knowledge of embedded software not to be concerned about any of mine.
Sure, there's neither need nor reason for bash to be in embedded systems, but that's not much assurance given the marketing imperative to get products out-the-door "yesterday".

Having witnessed the amount of cruft that has accumulated in networked printers' firmware over time, and having seen the ineptitude of some smart TV manufacturers, I'm not so sanguine.
 

Offline rob77

  • Super Contributor
  • ***
  • Posts: 2085
  • Country: sk
Re: ShellShock!, More security holes (remote code execution through bash)
« Reply #35 on: September 26, 2014, 12:15:09 pm »
Quote
.. I have enough knowledge of embedded software not to be concerned about any of mine.

 :-+ :-+ :-+

same here ;)  actually anyone with deep knowledge knows it's not even worth checking the systems ;)
 

Online Monkeh

  • Super Contributor
  • ***
  • Posts: 8052
  • Country: gb
Re: ShellShock!, More security holes (remote code execution through bash)
« Reply #36 on: September 26, 2014, 12:17:46 pm »
Quote
Sure, there's neither need nor reason for bash to be in embedded systems, but that's not much assurance given the marketing imperative to get products out-the-door "yesterday".

Having witnessed the amount of cruft that has accumulated in networked printers' firmware over time, and having seen the ineptitude of some smart TV manufacturers, I'm not so sanguine.

The bulk of them use off-the-shelf embedded distros as a base, these almost exclusively do not include bash.

I agree there's a problem emerging, though. A sane, minimal, and automatically updateable base distro needs to be produced for embedded and 'smart' devices so the manufacturers can focus on their own problems. Unfortunately, this will prove exceedingly hard to get traction with, primarily thanks to embedded hardware manufacturers who refuse to write proper drivers, let alone comply with licensing requirements. There's effectively no useful modem (cable, DSL, or otherwise) running Linux with an open driver in the wild, for example.

If anyone does know of a VDSL2 chipset with an open driver, please, let me know, I have an Israeli turd hanging on my wall I could do without.
« Last Edit: September 26, 2014, 12:20:14 pm by Monkeh »
 

Offline rob77

  • Super Contributor
  • ***
  • Posts: 2085
  • Country: sk
Re: ShellShock!, More security holes (remote code execution through bash)
« Reply #37 on: September 26, 2014, 12:18:53 pm »
Quote
Sure, there's neither need nor reason for bash to be in embedded systems, but that's not much assurance given the marketing imperative to get products out-the-door "yesterday".

Having witnessed the amount of cruft that has accumulated in networked printers' firmware over time, and having seen the ineptitude of some smart TV manufacturers, I'm not so sanguine.

that bash has to be exposed to the internet in order to be a threat ;) how many of you guys have a public IP address on your TV, printer whatever ? does your TV even have bash in the firmware ? if yes... is it exposed by any means (cgi, telnet... whatever) ?

so think guys before you state your TVs and printers are in danger ;)
 

Online tggzzz

  • Super Contributor
  • ***
  • Posts: 20638
  • Country: gb
  • Numbers, not adjectives
    • Having fun doing more, with less
Re: ShellShock!, More security holes (remote code execution through bash)
« Reply #38 on: September 26, 2014, 12:51:18 pm »
Quote
Sure, there's neither need nor reason for bash to be in embedded systems, but that's not much assurance given the marketing imperative to get products out-the-door "yesterday".

Having witnessed the amount of cruft that has accumulated in networked printers' firmware over time, and having seen the ineptitude of some smart TV manufacturers, I'm not so sanguine.

that bash has to be exposed to the internet in order to be a threat ;)

Not true. If there is a compromised machine on your internal network then you are exposed. Or do you think that all machines in a botnet are directly attached to the internet with no firewall?

Quote
how many of you guys have a public IP address on your TV, printer whatever ? does your TV even have bash in the firmware ? if yes... is it exposed by any means (cgi, telnet... whatever) ?

so think guys before you state your TVs and printers are in danger ;)

Nobody has stated that. Are you? :)

Don't presume you have thought of all threats (let alone understood them); a decent threat analysis is non-trivial.
 

