Unix/Linux Go Back    


Security Discuss UNIX and Linux computer and network security, cyber security, cyber attacks, IT security, and more.

'Shell Shock' vulnerability in Bourne shell

Security


Closed    
 
Thread Tools Search this Thread Display Modes
    #1  
Old Unix and Linux 09-26-2014
Cochise Cochise is offline
Registered User
 
Join Date: Sep 2014
Last Activity: 19 February 2015, 12:23 PM EST
Posts: 27
Thanks: 8
Thanked 1 Time in 1 Post
'Shell Shock' vulnerability in Bourne shell

A severe vulnerability was discovered in Bourne shell.

Just google for: bash vulnerability
... for more details.
Sponsored Links
    #2  
Old Unix and Linux 09-26-2014
vbe's Unix or Linux Image
vbe vbe is offline Forum Staff  
Moderator
 
Join Date: Sep 2005
Last Activity: 28 April 2017, 3:25 PM EDT
Location: Switzerland - GE
Posts: 6,408
Thanks: 271
Thanked 537 Times in 499 Posts
Not Bourne shell, in Bourne Again... bash
e.g. what Deian says about it:
https://security-tracker.debian.org/.../CVE-2014-6271

Only you are at risk in somehow limited situation I believe:
e.g. Using ssh with ForceCommand option or using SSH_ORIGINAL_COMMAND variable
Sponsored Links
    #3  
Old Unix and Linux 09-26-2014
achenle achenle is offline Forum Advisor  
Registered User
 
Join Date: Jun 2009
Last Activity: 20 April 2017, 7:43 AM EDT
Posts: 996
Thanks: 3
Thanked 147 Times in 142 Posts
Not the way I understand it.

Any environment variable can be used to trigger the vulnerability.

CGI arguments are passed as environment variables (CGI, not fast CGI):

Common Gateway Interface - Wikipedia, the free encyclopedia

vs

FastCGI - Wikipedia, the free encyclopedia

So any bash CGI scripts - or any bash scripts called by any CGI process - are vulnerable.

And SSH accounts are vulnerable if you allow the remote user to set ANY environment variables, such as LC_* for localization.
    #4  
Old Unix and Linux 09-26-2014
cjcox cjcox is offline
Registered User
 
Join Date: May 2005
Last Activity: 27 June 2016, 2:12 PM EDT
Posts: 614
Thanks: 4
Thanked 109 Times in 106 Posts
You can apply the incomplete patches today and wait for the complete patch when available.

If that's not doable, make sure you use something other than bash (e.g. ksh, dash, ash, etc) for the shell on anything exposed or indirectly exposed. The flaw is huge and very exploitable from a remote host especially for web based stuff. And there are very popular *panels* (hint) that have such exposures.

For all of you that think all scripts should be written in unportable bash... maybe that wasn't the greatest strategy eh?? Bourne shell for the win!
Sponsored Links
    #5  
Old Unix and Linux 09-26-2014
Cochise Cochise is offline
Registered User
 
Join Date: Sep 2014
Last Activity: 19 February 2015, 12:23 PM EST
Posts: 27
Thanks: 8
Thanked 1 Time in 1 Post
Quote:
Originally Posted by vbe View Post
Not Bourne shell, in Bourne Again... bash
Sorry, I'm not familiar with bourne or bash, I'm a Korny :-)
Sponsored Links
    #6  
Old Unix and Linux 09-26-2014
gull04 gull04 is offline Forum Advisor  
Registered User
 
Join Date: Dec 2004
Last Activity: 27 April 2017, 6:00 AM EDT
Location: Isle-of-Skye
Posts: 703
Thanks: 17
Thanked 127 Times in 113 Posts
Hi Guys,

Just an update here, I've been running around like an idiot for the past two and a bit days - having loads of attempts on web servers in particular. But have even had specific attacks on our firwall and other outward facing kit.

There have been attempts on our switches and routers, this is the most disaterous bug I can remember other than the version of Solaris 10 with "terry" the developers back door in the final release.

I have logs full of stuff like below - I've changed some of the stuff but you'll get the idea.


Code:
XXX.XXX.93.149 - - [25/Sep/2014:05:08:03 +0100] "GET /w00tw00t.at.blackhats.aaaaaa.aaaa-sec:) HTTP/1.1" 404 319 "-" "ZmEu"
XXX.XXX.93.149 - - [25/Sep/2014:05:08:03 +0100] "GET /something_here/scripts/setup.php HTTP/1.1" 404 306 "-" "ZmEu"
XXX.XX.69.74 - - [25/Sep/2014:18:53:51 +0100] "GET / HTTP/1.1" 200 2455 "() { :; }; /bin/ping -c 1 XXX.XXX.0.69" "() { :; }; /bin/ping -c 1 XXX.XXX.0.69"

Regards

Dave
The Following 2 Users Say Thank You to gull04 For This Useful Post:
Aia (10-02-2014), vbe (09-26-2014)
Sponsored Links
Closed

Thread Tools Search this Thread
Search this Thread:

Advanced Search
Display Modes

Linux More UNIX and Linux Forum Topics You Might Find Helpful
Thread Thread Starter Forum Replies Last Post
Bourne shell & Korn shell bobby1015 Shell Programming and Scripting 6 11-03-2011 12:31 PM
How to activate Korn Shell functionnalities in Bourne Shell madmat Shell Programming and Scripting 3 03-31-2010 08:41 AM
I need to understand the differences between the bash shell and the Bourne shell awk_sed_hello Shell Programming and Scripting 7 11-05-2009 04:40 AM
C shell & Bourne Shell jsm66 Shell Programming and Scripting 3 02-12-2007 02:19 AM
bourne shell or korn shell? XZOR UNIX for Dummies Questions & Answers 2 10-06-2006 02:34 AM



All times are GMT -4. The time now is 05:32 AM.