Shellshock Bug Affecting Mac And Linux Users

If you have a Mac or linux computer make sure you have applied the latest updates / patches.

This bug allows a remote hacker to gain complete control over your system.

Most major distributions have released patches to fix the vulnerability in the bash shell.

http://www.theregister.co.uk/2014/09/24/bash_shell_vuln/

The article explains how you can check if your system is currently unsecured against this attack:

Code:

env X="() { :;} ; echo busted" /bin/sh -c "echo completed"
env X="() { :;} ; echo busted" `which bash` -c "echo completed"

 

i heard about this a few weeks ago, i think it's only exploitable if you're running a server or remote shell accounts tho (could be wrong). this actually isn't specific to MacOSX, or any particular OS, it's the [bash] shell itself which is used ... almost everywhere :yikes:

anyways .. this is the output i got which means it's okay

Code:

slacker@cup-cake:/var/log$ env X="() { :;} ; echo busted" /bin/sh -c "echo completed"
completed
slacker@cup-cake:/var/log$ env X="() { :;} ; echo busted" `which bash` -c "echo completed"
/bin/bash: warning: X: ignoring function definition attempt
/bin/bash: error importing function definition for `X'
completed

this is a good example of why a system should be updated often

 

Its not like you'd be able to run the sudo command from fluff at the end of function in an env variable though

 

yeah, that's why the "principal of least privilage" should be used in all cases. in any case, it's dangerous because hackers will spend a lot of time trying to exploit it and fail 10,000 times and keep trying.

 

This "bug" has been in the bash shell for a while. Not really even a bug though is it, not like it really knows when to stop reading a env variable. Interesting to see what the patch is, stop readin an env variable at what character?

 

i'm thinking at ";" .. idk .. the fact that it's in quotes is supposed to make it read the whole thing in as a string

 

so, have any systems actually been compromised by this "in the wild"?

edit: nevermind, i just found the answer to this .. yes it's been used.

 

Yes I should have added that obviously UNIX systems are potentially vulnerable, also some wireless routers run Bash. Might be worth checking with your manufacturer for a firmware update.

 

Among some of the worst programming that I've seen, involved a web application running as root with a php script that directly invoked bash.

And all just to get the PID of a program.

Essentially anyone who could submit arbitrary data to the web application could have easily taken the the entire server.

 

that's probably the worst thing to worry about is systems (or devices, like network equipment) that can't be easily patched.

facepalm * 1000 ... no, times infinity (root .. for real?)

Code:

while (1) {
   facepalm();   
}