House Price Crash Forum

Archived

This topic is now archived and is closed to further replies.

interestrateripoff

'shellshock': Bash Bug 'bigger Than Heartbleed' Could Undermine Security Of Millions Of Websites

http://www.independent.co.uk/life-style/gadgets-and-tech/shell-shock-bash-bug-bigger-than-heartbleed-could--undermine-security-of-millions-of-websites-9754720.html

A security flaw discovered in one of the most fundamental interfaces powering the internet has been described by researchers as ‘bigger than Heartbleed', the computer bug that affected nearly every computer user earlier in the year.

The 'Bash' bug, known as 'Shellshock', is located in the command-line shell used in many Linux and Unix operating systems, leaving websites and devices powered by these operating systems open to attack.

Like Heartbleed, Shellshock is a pervasive flaw that security researchers say will take years to fix properly. The responsibility to do so however rests with webmasters and systems administrators – rather than average users.

However, unlike Heartbleed, Shellshock will not require users to rush from site to site changing their passwords but it does give hackers another method of attack that they could potentially use to take over computers or mobile devices.

If Heartbleed's effect on users was akin to unlocking everyone's front door simultaneously, sending people scrambling back home to turn the key (ie change their passwords) then Shellshock is like giving thieves a new type of crowbar to break in to houses with - they're just as likely to use older methods, but it's still a blow for general security.

I think we'd better shut down the internet....


Serious sh*t if this article is correct

http://www.troyhunt.com/2014/09/everything-you-need-to-know-about.html

Potentially 25 years' worth of vulnerabilities available for attack and has ramifications way beyond just web servers

It looks a lot, lot easier to exploit than Heartbleed and even an idiot programmer like myself could probably knock up some malware to run through the vulnerability once found.


Typical FUD, this bug is very hard to exploit in practice and doesn't provide privilege escalation, so the reporting is totally out of proportion compared to the actual risk.

Also bash is most certainly not the "most fundamental interfaces powering the internet", it's the standard shell in many (but not all) Linux distros, but not an "interface powering the internet".

Typical reporting by scribblers who don't have a clue what they are writing about (and that goes for many scribblers on IT news web sites too).


I know this probably sounds silly (and I admit I know ****er all about IT and programming), but does anyone "in the know", have any ideas whether these recent massive security vulnerabilities are:

1) totally innocent/accidental oversights at conception or deliberate vulnerabilities

2) linked in any way to the Snowden revelations (either directly or otherwise) ?

I know it is conspiri-nut territory.. but it seems an obvious question to ask. I assume the answer to 1) is innocent/accidental since Linux is largely developed by enthusiasts..


I know this probably sounds silly (and I admit I know ****er all about IT and programming), but does anyone "in the know", have any ideas whether these recent massive security vulnerabilities are:

1) totally innocent/accidental oversights at conception or deliberate vulnerabilities

2) linked in any way to the Snowden revelations (either directly or otherwise) ?

I know it is conspiri-nut territory.. but it seems an obvious question to ask. I assume the answer to 1) is innocent/accidental since Linux is largely developed by enthusiasts..

It's present in Unix as well as Linux.

Some info from El Reg.

On a cheerier note for me:

Ubuntu and other Debian-derived systems that use Dash exclusively are not at risk; Dash isn't vulnerable, but busted versions of Bash may well be present on the systems anyway.

Apple fanboiz may be delighted to know it affects OS X Macs too.


Typical FUD, this bug is very hard to exploit in practice and doesn't provide privilege escalation, so the reporting is totally out of proportion compared to the actual risk.

Also bash is most certainly not the "most fundamental interfaces powering the internet", it's the standard shell in many (but not all) Linux distros, but not an "interface powering the internet".

Typical reporting by scribblers who don't have a clue what they are writing about (and that goes for many scribblers on IT news web sites too).

It rather depends on the quality of the attacker and the default permissions they get when accessing the shell.

The vulnerability looks like a basic code injection fault such as exploited by SQL Slammer. What made the latter so dangerous was that some poorly configured SQL Server 2000 systems allowed users to run stuff in the Windows command shell with local or even domain level admin privileges. This weakness may or may not be hugely dangerous but the attack area looks to be large and I am pretty sure that there are nasty people out there exploiting it as I type. As far as I can see you would not need high level privileges to orchestrate Denial of Service type attacks using this weakness. It certainly has the potential to be a major pain in the **** to people working in IT. Anyway shall see in due course whether it is a big deal or not.


It rather depends on the quality of the attacker and the default permissions they get when accessing the shell.

The vulnerability looks like a basic code injection fault such as exploited by SQL Slammer. What made the latter so dangerous was that some poorly configured SQL Server 2000 systems allowed users to run stuff in the Windows command shell with local or even domain level admin privileges. This weakness may or may not be hugely dangerous but the attack area looks to be large and I am pretty sure that there are nasty people out there exploiting it as I type. As far as I can see you would not need high level privileges to orchestrate Denial of Service type attacks using this weakness. It certainly has the potential to be a major pain in the **** to people working in IT. Anyway shall see in due course whether it is a big deal or not.

The slammer worm happened because it allowed "sysadmins" :wacko: to install SQL server with a blank SA password, and default "mixed mode" authentication! Microsoft fixed this (bless 'em!).


OMG! A security problem that doesn't involve windoze.

Been that way for a while now I think. Everyone used to say Apple was great because you never needed security updates.. I believe OSX has more than windows now.


OMG! A security problem that doesn't involve windoze.

Probably because patching Windows 7 takes about 3 days...


The slammer worm happened because it allowed "sysadmins" :wacko: to install SQL server with a blank SA password, and default "mixed mode" authentication! Microsoft fixed this (bless 'em!).

Oh yes. The problem was that the 'sa' sysadmin ran with the same Windows authority as the underlying SQL Server account which was often local admin or even higher. Sadly the fix came rather too late for too many people.


It's present in Unix as well as Linux.

Much less likely to be exploitable. I don't think any Unix uses bash as a /bin/sh emulator, so the vast corpus of cross-platform #!/bin/sh scripts won't be affected on them. Not sure where MacOS stands there.

Windows with any shell emulator (e.g. cygwin) would also be vulnerable. But (like Unix) it's much less likely to have bash at the heart of anything, or likely to be casually invoked.

As for all the crap about webservers ... a webserver (or mailserver, etc) is NOT vulnerable just because it's running on Linux. It becomes potentially vulnerable only if it runs subprocesses in a shell with un-sanitised environment variables. For example, a #!/bin/sh CGI script (unusual), SSI #exec, or any CGI, PHP, or other script running a system() call without either Perl-style untainting or the protection of a WAF.

That's still a lot of servers potentially exposed. However, provided the sysop has adequately followed 20-year-old[1] principles of basic Good Practice, the potential damage is very limited, and should be nil on most servers.

[1] In principle quite a lot older, but its formulation for the Web only goes back about 20 years.
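An added example, not part of the original post: one way to apply the "untainting" idea above when a request handler has to spawn a helper, by passing an argument vector (no shell) and an allowlisted environment. The allowlist, the value pattern, the fixed PATH and the sample request are assumptions made for this sketch.

```python
import re
import subprocess
import sys

# Assumed policy for this example: the only variables the helper needs.
ALLOWED_NAMES = {"LANG", "REMOTE_ADDR", "QUERY_STRING"}
# Conservative value pattern: short, printable, no shell metacharacters.
SAFE_VALUE = re.compile(r"\A[A-Za-z0-9 _.,:/=&%+@-]{0,256}\Z")

def untaint_env(request_env):
    """Keep allowlisted names whose values match SAFE_VALUE; drop the rest."""
    clean = {name: value for name, value in request_env.items()
             if name in ALLOWED_NAMES and SAFE_VALUE.match(value)}
    clean["PATH"] = "/usr/bin:/bin"  # fixed here, never taken from the request
    return clean

def run_helper(argv, request_env):
    """Run argv directly (no shell) with only the scrubbed environment."""
    done = subprocess.run(argv, env=untaint_env(request_env),
                          capture_output=True, text=True, check=True)
    return done.stdout

def helper_sees(request_env):
    """Names a child process actually receives; the child is this interpreter."""
    code = "import os; print(' '.join(sorted(os.environ)))"
    return run_helper([sys.executable, "-c", code], request_env).split()

# Constructed request environment, as a web server would hand it to a CGI.
SAMPLE_REQUEST_ENV = {
    "REMOTE_ADDR": "192.0.2.10",
    "QUERY_STRING": "page=2&sort=asc",
    "HTTP_USER_AGENT": "ExampleBrowser/1.0",   # not allowlisted: dropped
    "LANG": "en_GB.UTF-8 {x} (y); z",          # allowlisted, bad value: dropped
    "PATH": "/tmp/untrusted",                  # replaced by the fixed PATH
}

if __name__ == "__main__":
    print(untaint_env(SAMPLE_REQUEST_ENV))
    print(helper_sees(SAMPLE_REQUEST_ENV))
```

Scrubbing only helps where the handler itself is not a shell script: when the CGI is run by bash, the server-supplied variables reach bash before any such code executes.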


Much less likely to be exploitable. I don't think any Unix uses bash as a /bin/sh emulator, so the vast corpus of cross-platform #!/bin/sh scripts won't be affected on them. Not sure where MacOS stands there.

Windows with any shell emulator (e.g. cygwin) would also be vulnerable. But (like Unix) it's much less likely to have bash at the heart of anything, or likely to be casually invoked.

As for all the crap about webservers ... a webserver (or mailserver, etc) is NOT vulnerable just because it's running on Linux. It becomes potentially vulnerable only if it runs subprocesses in a shell with un-sanitised environment variables. For example, a #!/bin/sh CGI script (unusual), SSI #exec, or any CGI, PHP, or other script running a system() call without either Perl-style untainting or the protection of a WAF.

That's still a lot of servers potentially exposed. However, provided the sysop has adequately followed 20-year-old[1] principles of basic Good Practice, the potential damage is very limited, and should be nil on most servers.

[1] In principle quite a lot older, but its formulation for the Web only goes back about 20 years.

Lost you on the first line there. On my Linux installation (and on many others, I suspect), sh is simply a symbolic link to bash. Which would surely mean that the vast corpus of cross-platform #!/bin/sh scripts would be affected on them.
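An added example, not part of the original posts: a small audit for the question raised in this exchange, namely which CGI scripts end up being run by bash once the `#!` line and any `sh` symlink are followed. The directory layout and script names in `build_sample_tree` are constructed for the demonstration; on a real host you would point `audit_cgi_dir` at the server's own CGI directory.

```python
import os
import shutil
import tempfile

def shebang_interpreter(script_path):
    """Return the interpreter named on a script's #! line, or None."""
    with open(script_path, "rb") as fh:
        first = fh.readline(512)
    if not first.startswith(b"#!") or not first[2:].strip():
        return None
    parts = first[2:].decode("utf-8", "replace").split()
    # "#!/usr/bin/env bash": the real interpreter is the second field.
    if os.path.basename(parts[0]) == "env" and len(parts) > 1:
        return parts[1]
    return parts[0]

def resolve_interpreter(interp):
    """Follow PATH lookup and symlinks to the binary that actually runs."""
    if not os.path.isabs(interp):
        interp = shutil.which(interp) or interp
    return os.path.realpath(interp)

def audit_cgi_dir(cgi_dir):
    """Return {script: (resolved_interpreter, runs_bash)} for a directory."""
    findings = {}
    for name in sorted(os.listdir(cgi_dir)):
        path = os.path.join(cgi_dir, name)
        interp = shebang_interpreter(path) if os.path.isfile(path) else None
        if interp:
            real = resolve_interpreter(interp)
            findings[name] = (real, os.path.basename(real) == "bash")
    return findings

def build_sample_tree():
    """Constructed layout: bin/sh is a symlink to bin/bash, bin/dash is separate."""
    root = tempfile.mkdtemp(prefix="shebang-audit-")
    bindir, cgidir = os.path.join(root, "bin"), os.path.join(root, "cgi-bin")
    os.makedirs(bindir)
    os.makedirs(cgidir)
    for shell in ("bash", "dash"):
        open(os.path.join(bindir, shell), "w").close()
    os.symlink("bash", os.path.join(bindir, "sh"))
    for script, shell in (("status.cgi", "sh"), ("ping.cgi", "dash"), ("report.cgi", "bash")):
        with open(os.path.join(cgidir, script), "w") as fh:
            fh.write("#!%s\necho ok\n" % os.path.join(bindir, shell))
    return cgidir

if __name__ == "__main__":
    print(audit_cgi_dir(build_sample_tree()))
```

In the constructed tree the `sh` script is flagged because its interpreter is a symlink to bash, while the `dash` script is not.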


I've got a video of me lifting some pretty heavy weights in the gym with, not quite perfect form, whilst declaring that America's special forces would get totally pwned by the SAS, if they ever hypothetically had a battle, ready and waiting to be uploaded to Youtube for just this eventuality.

I actually originally made it to protect against a Skynet scenario but just say and I'll hit the button.


According to this article from Krebs, initial monitoring of the vulnerability on honeypot servers has shown early attackers using it to try to set up botnets for use in Denial of Service attacks etc.

http://krebsonsecurity.com/2014/09/shellshock-bug-spells-trouble-for-web-security/

So not the end of the world at the moment but the potential to be a pain in the **** for security admins as I mentioned yesterday.

As to be expected multiple security patches are being pushed out by the various Linux distros at the moment.


The vulnerability looks like a basic code injection fault such as exploited by SQL Slammer. What made the latter so dangerous was that some poorly configured SQL Server 2000 systems allowed users to run stuff in the Windows command shell with local or even domain level admin privileges. This weakness may or may not be hugely dangerous but the attack area looks to be large

No it isn't, only servers that make use of cgi scripts written in shell (or invoking the shell) could be exploited, which these days is very rare. Very few web sites use shell scripts as cgis on their servers, in fact cgis are quite uncommon these days, server side scripting is mostly php or other specialised languages.

This has been blown out of all proportion by the ignorant media (as I said most IT media scribblers are ignorant too otherwise they would be working in IT rather than writing about it), the real risk is very limited.


No it isn't, only servers that make use of cgi scripts written in shell (or invoking the shell) could be exploited, which these days is very rare. Very few web sites use shell scripts as cgis on their servers, in fact cgis are quite uncommon these days, server side scripting is mostly php or other specialised languages.

This has been blown out of all proportion by the ignorant media (as I said most IT media scribblers are ignorant too otherwise they would be working in IT rather than writing about it), the real risk is very limited.

My understanding is that the BASH shell is invoked in system calls by way more things than just CGI web servers but I am sure you will tell me different. Anyway as I said before time will tell how serious is the flaw.


My understanding is that the BASH shell is invoked in system calls by way more things than just CGI web servers but I am sure you will tell me different.

The default shell (which can be the bash shell and on many Linux distros is indeed the bash shell) is invoked by system calls by some applications, but since this has always been considered a security risk and therefore bad practice this normally does not happen with internet facing applications (unless it's some custom app written by someone with no knowledge of security best practices), just with apps that run locally.

Also the attacker needs to find a way to pass an environment variable to the application invoking the shell and, apart from cgi calls on web servers, this is normally not possible remotely.


The default shell (which can be the bash shell and on many Linux distros is indeed the bash shell) is invoked by system calls by some applications, but since this has always been considered a security risk and therefore bad practice this normally does not happen with internet facing applications (unless it's some custom app written by someone with no knowledge of security best practices), just with apps that run locally.

Also the attacker needs to find a way to pass an environment variable to the application invoking the shell and, apart from cgi calls on web servers, this is normally not possible remotely.

The problem is that not all attacks on systems are remote and conducted over the internet or via web servers, are they?

IT Security teams spend as much time worrying about what staff inside a corporate network are up to as what mischief complete strangers might cause.

Red Hat have listed some of the areas that are at risk

https://access.redhat.com/articles/1200223
