Shellshock: Worse than Heartbleed

POSTED BY: SIGNYM
UPDATED: Sunday, September 28, 2014 16:00

Saturday, September 27, 2014 11:34 AM

SIGNYM

I believe in solving problems, not sharing them.


Yet another fundamental flaw in the underlying security of the internet!

The flaw resides in BASH (a shell-scripting program that allows users to delete files, reformat disks, directly read disks or other media, change file ownership and permissions etc).

From Mashable

Quote:

Bash has been around since the late 1980s and is the default shell for OS X, Linux and some versions of Unix. By default, Windows machines and Windows servers don't run Bash, but versions of Bash are often installed on Windows. (This will be important later.)

Bash isn't just a command interpreter — it can also be used as a parser for CGI scripts — the way many websites display dynamic content. This is important because CGI scripts are often executed on Apache, the most common kind of web server in the world.

As you may remember from Heartbleed, about 50% of web servers run Apache, which means they may have some version of Bash on them. And that's without even taking into account any other web servers that might also have Bash installed as part of their setup.

Some users are getting confused in thinking Bash is the command line. It's not, but it is the most common command interpreter in the world and is installed on millions of systems.

One of the core functions of Bash is that it lets users define functions as a way to pass text onto other systems and processes. Usually, this is just fine — and hey, it's convenient, that's why it exists.

What's the problem?

The problem is that there is a major vulnerability that occurs when specific characters are included as part of a variable definition. If the characters "{ :;};" are included as the function definition, any arbitrary code that is inserted AFTER that definition is processed. This isn't supposed to happen.

In other words, if I'm able to define what looks like a normal function with those special characters and then I tack on a few shell commands at the end of that definition, Bash will wind up executing those commands.



So, basically, if you send a text into BASH from somewhere on the internet ... anywhere ... with the characters {:;} you can get the machine to do anything... erase itself, for example, or start attacking other machines, or record your keystrokes. If you have something hooked up to WIFI and your PC, you can infect your PC.

Welcome to the "internet of things"!



Saturday, September 27, 2014 1:52 PM

1KIKI

Goodbye, kind world (George Monbiot) - In common with all those generations which have contemplated catastrophe, we appear to be incapable of understanding what confronts us.


So it's a problem of the language? I expect those are functional characters elsewhere and can't be invalidated individually. Is it possible to write into BASH a small screening routine that parses for the troublesome sequence and faults out when it sees it?




SAGAN: We are releasing vast quantities of carbon dioxide, increasing the greenhouse effect. It may not take much to destabilize the Earth's climate, to convert this heaven, our only home in the cosmos, into a kind of hell.
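A screening routine of the kind asked about above, added here as an example that is not part of the thread: it scans Apache combined-format access-log lines for the prefix that bash recognises as an exported function definition, which is the only part of the trigger a detector needs, and reports which request header carried it (CGI copies request headers such as User-Agent and Referer into the script's environment, which is why they are the fields to watch). The `() {` prefix and the combined log layout are facts about bash and Apache; the log lines, addresses and paths are constructed for the example.

```python
import re
from typing import Iterable, List, NamedTuple

# Added example, not code from the original thread. Bash only imports an
# environment variable as a function when its value starts with "() {";
# the "{ :;};" quoted in the thread is the tail of the canonical test
# string. Matching the prefix catches every variant of the trailing text.
TRIGGER = re.compile(r"\(\)\s*\{")

# Apache combined log: ip ident user [time] "request" status bytes "referer" "agent"
LOG_LINE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] "(?P<request>[^"]*)" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<agent>[^"]*)"$'
)


class Hit(NamedTuple):
    ip: str
    field: str    # which header (referer or agent) carried the trigger
    request: str  # the request line, typically a /cgi-bin/ path


def scan_log(lines: Iterable[str]) -> List[Hit]:
    """Return one Hit per log line whose Referer or User-Agent carries the trigger."""
    hits: List[Hit] = []
    for line in lines:
        m = LOG_LINE.match(line.rstrip("\n"))
        if not m:
            continue  # malformed line: skip rather than guess at its fields
        for field in ("referer", "agent"):
            if TRIGGER.search(m.group(field)):
                hits.append(Hit(m.group("ip"), field, m.group("request")))
                break  # one report per line is enough
    return hits


# Constructed sample: two ordinary requests and two probes against a CGI path.
# The last line has braces but no "()" prefix, so it must not be flagged.
SAMPLE_LOG = [
    '203.0.113.7 - - [27/Sep/2014:11:34:01 +0000] "GET /index.html HTTP/1.1" 200 1043 "-" "Mozilla/5.0"',
    '203.0.113.9 - - [27/Sep/2014:11:35:12 +0000] "GET /cgi-bin/status HTTP/1.1" 200 88 "-" "() { :;}; echo probe"',
    '203.0.113.9 - - [27/Sep/2014:11:35:13 +0000] "GET /cgi-bin/status HTTP/1.1" 200 88 "() {:;}; echo probe" "curl/7.30"',
    '203.0.113.11 - - [27/Sep/2014:11:36:00 +0000] "GET /about.html HTTP/1.1" 200 512 "-" "Mozilla/5.0 (X11; Linux) { }"',
]

if __name__ == "__main__":
    for hit in scan_log(SAMPLE_LOG):
        print(f"{hit.ip} sent a Shellshock trigger in {hit.field}: {hit.request}")
```

Screening the request side this way only flags attempts; the actual fix is the patched bash the later posts mention, since the same pattern can arrive through any other service that exports untrusted input into the environment.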


Saturday, September 27, 2014 11:41 PM

SIGNYM



Apparently yes, it's a language problem. The particular sequence of characters, I gather, gives hackers the "keys to the kingdom".

But it also (according to what I've read) has to be combined with another form of vulnerable software. In order to do REAL damage, you have to be logged in as "root", basically as the most super of super-users. The articles have been pretty cagey about exactly what the problem is... related to Apache, some say... and I'm not knowledgeable enough to figure out how that might work.

Anyway, apparently Debian and Red Hat, two distributions of Linux, have sent out BASH updates which prevent that code from working. Ubuntu and the other Linux distros probably have as well. Apple devices run on OSX, which is yet another 'nix form, and Windows had overlaid BASH-type software over their OS, so ... again, apparently... they suffer from the same flaw.

--------------
You can't build a nation with bombs. You can't create a society with guns.


Sunday, September 28, 2014 1:45 AM

1KIKI



Hhmm. Thanks for the reply.





Sunday, September 28, 2014 7:57 AM

JO753

rezident owtsidr


Thats it! Gotta fire up the old Amiga!

----------------------------
DUZ XaT SEM RiT TQ YQ? - Jubal Early

http://www.nooalf.com


Sunday, September 28, 2014 11:38 AM

SIGNYM



You have an Amiga?????

Holy bytes, Batman!


Sunday, September 28, 2014 2:04 PM

FREMDFIRMA



Lmao, I actually have a VIC-20 over there in the closet somewhere with a VIC-1011 adaptor running IEEE-488 for attachment of scientific instruments.

-F


Sunday, September 28, 2014 4:00 PM

JO753



No, just a joke.

I had 2 with a bunch uv periferalz back in the mid 90z. They were my brotherz hand-me-downz, but I never used them. I sold them to a guy who uzed them to do animation.

