Thursday, September 25, 2014
GNU bash bug in Mac OS X and Linux could be 'bigger than Heartbleed'
The bash bug, as implied by its name, is a vulnerability that allows unscrupulous users to take control of Bourne Again Shell (bash), the software used to control the Unix command prompt on some Unix-like systems. This means that systems running Mac OS X and Linux are all potentially susceptible.
Current bash versions use an environment variable named by the function name, and a function definition starting with “() {” in the variable value to propagate function definitions through the environment. The vulnerability occurs because bash does not stop after processing the function definition; it continues to parse and execute shell commands following the function definition.
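The function-import behaviour described above, together with the HTTP_* header mapping that the page comes back to later, as an added Python model. This is not code from the original post and not bash's own parser; the function names, the ImportResult structure and the constructed header values are my own, and the "patched" branch models the first-round fix (refuse a definition that has anything after its closing brace) rather than any particular bash release.

```python
import re
from dataclasses import dataclass, field

# Bash recognised an exported function by this exact prefix in the variable value.
FUNC_PREFIX = "() {"


@dataclass
class ImportResult:
    functions: dict = field(default_factory=dict)  # variable name -> function body
    trailing: list = field(default_factory=list)   # text a vulnerable importer would go on to execute
    rejected: list = field(default_factory=list)   # variables a patched importer refused to import


def split_function_definition(value):
    """Return (body, remainder) for a value that starts with '() {'.

    body is the text inside the outermost braces, remainder is whatever follows
    the closing brace. Returns (None, None) for ordinary variables or for an
    unbalanced definition.
    """
    if not value.startswith(FUNC_PREFIX):
        return None, None
    depth = 0
    for i, ch in enumerate(value):
        if ch == "{":
            depth += 1
        elif ch == "}":
            depth -= 1
            if depth == 0:
                body = value[len(FUNC_PREFIX):i].strip()
                remainder = value[i + 1:].strip(" \t;")
                return body, remainder
    return None, None


def import_functions_from_env(env, patched):
    """Model of bash scanning its environment for exported functions at startup.

    patched=False: the importer defines the function and keeps parsing, so the
    remainder is treated as commands (the bug). patched=True: a definition with
    trailing content is rejected outright; a clean definition is still imported.
    Nothing is executed here; the remainder is only recorded.
    """
    result = ImportResult()
    for name, value in env.items():
        body, remainder = split_function_definition(value)
        if body is None:
            continue  # plain variable, nothing to import
        if remainder:
            if patched:
                result.rejected.append(name)
                continue
            result.trailing.append(remainder)  # vulnerable: parsed and run as commands
        result.functions[name] = body
    return result


def cgi_env_from_headers(headers):
    """Model of how a CGI gateway exposes request headers: Cookie -> HTTP_COOKIE."""
    env = {}
    for name, value in headers.items():
        env["HTTP_" + name.upper().replace("-", "_")] = value
    return env


def header_looks_like_function_import(value):
    """Detection heuristic for a header value that bash would treat as a function."""
    return re.match(r"^\s*\(\s*\)\s*\{", value) is not None


if __name__ == "__main__":
    # Constructed request headers: one clean function body (the page's example)
    # and one with trailing text after the closing brace.
    headers = {
        "Cookie": '() { echo "Hello world"; }',
        "User-Agent": "() { :; }; echo trailing",
    }
    env = cgi_env_from_headers(headers)
    for patched in (False, True):
        r = import_functions_from_env(env, patched)
        print("patched" if patched else "vulnerable", r)
```

Running the block shows the two points side by side: an unpatched importer both defines HTTP_USER_AGENT and records "echo trailing" as something to execute, while the patched importer rejects that variable, yet in both cases the clean Cookie value still becomes a callable HTTP_COOKIE function, which is exactly the residual oddity the page goes on to describe.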
Dubbed "Shell Shock", the bug was found by the 38-year-old Frenchman on the morning of September 12. It was disclosed this week so it could be patched. It was a bug that lurked in software found on hundreds of millions of devices for 21 years, leaving them vulnerable to hackers, who may have known of its existence.

Commenting on the flaw, Professor Alan Woodward from the University of Surrey said, "What many do not realise is that over 50 percent of active web sites run on a web server called Apache which runs on Unix, and hence is potentially vulnerable."
A test on Mac OS X 10.9.4 ("Mavericks") by Ars showed that it also has a vulnerable version of Bash. Apple has not yet patched Bash, though it just issued an update to "command line tools."
"Analysing the malware sample in a sandbox, we saw that the malware has conducted a massive scan on the United States Department of Defence Internet Protocol address range on port 23 TCP or Telnet for brute force attack purposes,"
___________________________
99% BAD HARDWARE WEEK: Who would believe this?
But even with all the current patches applied, you can still do this: Cookie: () { echo "Hello world"; } ...and witness a callable function dubbed HTTP_COOKIE() materialize in the context of subshells spawned by Apache; of course, the name will always be prefixed with HTTP_*, so it's unlikely to clash with anything or be called by accident - but intuitively, it's a pretty scary outcome.
In the same vein, doing this will also have an unexpected result: