Internet Braces for Crazy Shellshock Worm
Source: Wired
A nasty bug in many of the world's Linux and Unix operating systems could allow malicious hackers to create a computer worm that wreaks havoc on machines across the globe, security experts say.
The flaw, called Shellshock, is being compared to last spring's Heartbleed bug because it lets attackers do some nasty stuff, in this case run unauthorized code, on a large number of Linux computer servers. The flaw lies in Bash, a standard Unix program that's used to connect with the computer's operating system.
The good news is that it doesn't take long to patch the bug. At internet infrastructure provider CloudFlare, admins scrambled for about an hour this morning to fix the flaw, which was disclosed late on Tuesday. "We got 95 percent of it done within 10 minutes," says Ryan Lackey, a security engineer at the company.
Because Shellshock is easy to exploit (it only takes about three lines of code to attack a vulnerable server), Lackey and other security experts think there's a pretty good chance that someone will write worm code that will jump from vulnerable system to vulnerable system, creating hassles for the world's system administrators. "People are already exploiting it in the wild manually, so a worm is a natural outgrowth of that," Lackey says.
Read more: http://www.wired.com/2014/09/internet-braces-crazy-shellshock-worm/
A bug discovered in the widely used Bash command interpreter poses a critical security risk to Unix and Linux systems and, thanks to their ubiquity, the internet at large.
It lands countless websites, servers, PCs, OS X Macs, various home routers, and more, in danger of hijacking by hackers.
The vulnerability is present in Bash up to and including version 4.3, and was discovered by Stephane Chazelas. It puts Apache web servers, in particular, at risk of compromise: CGI scripts that use or invoke Bash in any way including any child processes spawned by the scripts are vulnerable to remote-code injection. OpenSSH and some DHCP clients are also affected on machines that use Bash.
Ubuntu and other Debian-derived systems that use Dash exclusively are not at risk, as Dash isn't vulnerable, but busted versions of Bash may well be present on the systems anyway. It's essential you check the shell interpreters you're using, and any Bash packages you have installed, and patch if necessary.
"Holy cow. There are a lot of .mil and .gov sites that are going to get owned," security expert Kenn White said on Wednesday in reaction to the disclosed flaw.
The 22-year-old bug, dating back to version 1.13, lies in Bash's handling of environment variables: when assigning a function to a variable, trailing code in the function definition will be executed, leaving the door wide open for code-injection attacks. The vulnerability is exploitable remotely if code can be smuggled into environment variables sent over the network and it's surprisingly easy to do so.
http://www.theregister.co.uk/2014/09/24/bash_shell_vuln/
env x='() { :;}; echo vulnerable' bash -c "echo this is a test"
If the system is vulnerable, the output will be:
vulnerable
this is a test
An unaffected (or patched) system will output:
bash: warning: x: ignoring function definition attempt
bash: error importing function definition for `x'
this is a test
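As an added example that is not part of the thread or of the quoted Register article, the POSIX shell script below wraps the one-line test above in a reusable function that reports the state of a given Bash binary, and adds the second check the excerpt recommends: whether /bin/sh on the box is really Bash (Dash is unaffected, but a vulnerable Bash can still be installed alongside it). The function names and the marker string are my own.

```shell
#!/bin/sh
# Added example: a defender-side check built around the env-variable test
# quoted above. It never runs anything beyond "echo", so it is safe on
# production hosts.

# shellshock_status [BASH_PATH] -> prints "vulnerable", "patched" or "absent".
# A patched Bash ignores (or never imports) the code trailing the function
# definition, so the marker string never reaches the output.
shellshock_status() {
    bash_bin="${1:-bash}"
    if ! command -v "$bash_bin" >/dev/null 2>&1; then
        echo absent
        return 0
    fi
    # Same probe as the quoted command, with the marker renamed so it cannot
    # collide with the harmless command we actually ask Bash to run.
    out=$(env x='() { :;}; echo SHELLSHOCK_MARKER' "$bash_bin" -c 'echo probe' 2>&1)
    case "$out" in
        *SHELLSHOCK_MARKER*) echo vulnerable ;;
        *)                   echo patched ;;
    esac
}

# sh_is_bash -> "yes" if /bin/sh is Bash (so scripts and CGI handlers run via
# /bin/sh inherit the exposure), "no" if it is Dash or another shell.
# BASH_VERSION is only set by Bash itself.
sh_is_bash() {
    if [ -n "$(/bin/sh -c 'printf %s "$BASH_VERSION"' 2>/dev/null)" ]; then
        echo yes
    else
        echo no
    fi
}

# Report for this host: check the default "bash" on PATH and /bin/sh.
printf 'bash on PATH: %s\n/bin/sh is bash: %s\n' \
    "$(shellshock_status bash)" "$(sh_is_bash)"
```

Pass an explicit path (for example a second Bash build under /usr/local/bin) as the first argument to check binaries that are not first on PATH.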
BootinUp
My new endian firewall router tests positive for the bug.
Bosonic
Security experts are warning that a serious flaw named Shellshock could be about to affect many of the world's web users.
Some analysts warn it could be worse than Heartbleed, a vulnerability within web encryption library OpenSSL which caused a stir this year as it theoretically allowed attackers to take over websites.
The US government-backed National Vulnerability Database rated Shellshock 10/10 for severity. Here's a simple guide to what the Bash bug is, why it matters and what people can do to help prevent future attacks.
What is Bash?
Bash, an acronym for Bourne Again Shell, is a command-line shell. This lets users issue commands to launch programs and features within software by typing in text. It's typically used by programmers and shouldn't be open to the wider world, though Shellshock changes that.
More: http://www.theguardian.com/technology/2014/sep/25/shellshock-bug-heartbleed
apnu
I took care of my company's servers in less than 5 minutes.
Yes, the flaw is bad, but there are patches and they're pretty small. Didn't bug my production environment at all.
defacto7
Yesterday's patches were incomplete.
sir pball
On the bright side, I haven't heard anything about privilege escalation. Yet.