Stories
Slash Boxes
Comments

SoylentNews is people

Shellshock Detection, Prevention, Timeline, and Lessons Learned

posted by martyb on Saturday October 11 2014, @01:15PM   Printer-friendly
from the he-who-does-not-learn-from-history dept.

First-time submitter barnsbarns writes:

David Wheeler has a nice write-up of the many aspects of the shellshock vulnerability in Bash, including a timeline of events and commentary on how to prevent vulnerabilities like shellshock in the future.

He even provides a quick test to see if your shell is still susceptible to shellshock:

To determine if a system is vulnerable to shellshock, run the following refined test on a Unix-like system command line (this should work on any Bourne or C shell):

env foo='() { echo not patched; }' bash -c foo

This will reply “bash: foo: command not found” on a repaired system, while a vulnerable system will typically reply “not patched” instead. The initial “env” can be omitted when typing the command into a POSIX/Bourne shell (including bash, dash, and ash).

The write-up shows that several mis-identifications of the problem were communicated, as well as how multiple solutions were constructed—thanks to the code being open-source.

He also presents a similar type of defect under Microsoft Windows where, in a CMD.EXE window, issuing these commands:

  set foo=bar^&ping -n 1 localhost
  echo %foo%

will not only display the value of the "foo" environment variable, it will also cause a ping command to be executed.

[Update: fixed formatting of code sample.]

 
This discussion has been archived. No new comments can be posted.
Shellshock Detection, Prevention, Timeline, and Lessons Learned | Log In/Create an Account | Top | 30 comments | Search Discussion
Display Options Threshold/Breakthrough Mark All as Read Mark All as Unread
The Fine Print: The following comments are owned by whoever posted them. We are not responsible for them in any way.

  • (Score: 1, Informative) by Anonymous Coward on Saturday October 11 2014, @01:54PM

    by Anonymous Coward on Saturday October 11 2014, @01:54PM (#104760)

    Did you try getting rid of the "amp;" part? That HTML entity crap probably should not be there!

    Starting Score:    0  points
    Moderation   +1  
       Informative=1, Total=1
    Extra 'Informative' Modifier   0  
    Total Score:   1  

  • (Score: 3, Informative) by maxwell demon on Saturday October 11 2014, @01:58PM

    by maxwell demon (1608) Subscriber Badge on Saturday October 11 2014, @01:58PM (#104763) Journal

    The comment processing already did it for him, so he probably just needs top copy/paste from his own comment ;-)

    --
    The Tao of math: The numbers you can count are not the real numbers.

    • (Score: 2) by tynin on Saturday October 11 2014, @02:11PM

      by tynin (2013) on Saturday October 11 2014, @02:11PM (#104766) Journal

      Thanks, getting closer :)

      C:\Users\tynin>set foo=google.com^&;ping -n 1 localhost echo %foo%
      Bad parameter echo.

      • (Score: 3, Informative) by tynin on Saturday October 11 2014, @02:20PM

        by tynin (2013) on Saturday October 11 2014, @02:20PM (#104770) Journal

        Ah, I see what it is doing now. foo contains everything needed with the ^ escaping the pipeline. Once it is set, then echoing the var will execute it. I need more coffee... :)

        C:\Users\tynin>set foo=bar^&ping -n 1 google.com

        C:\Users\tynin>echo %foo%
        bar

        Pinging google.com [74.125.229.168] with 32 bytes of data:
        Request timed out.

        Ping statistics for 74.125.229.168:
                Packets: Sent = 1, Received = 0, Lost = 1 (100% loss),
        Ping statistics for ::1:
                Packets: Sent = 1, Received = 1, Lost = 0 (0% loss),
        Approximate round trip times in milli-seconds:
                Minimum = 0ms, Maximum = 0ms, Average = 0ms

        • (Score: 1) by martyb on Saturday October 11 2014, @03:30PM

          by martyb (76) on Saturday October 11 2014, @03:30PM (#104791) Journal

          Mea culpa. Please accept my apologies for the corrupted code sample. We have been dealing with some issues with how the site escapes various characters into character entities, and I used the wrong HTML elements to bracket the code sample. The story has been updated.

          You might be interested in this article: Command-injection vulnerability for COMMAND-Shell Scripts [thesecurityfactory.be]. I highly recommend reading the *entire* article. It provides samples of different ways to make the display or use of environment variables cause one or more commands to be executed.

          --
          Wit is intellect, dancing.

  • (Score: 2) by tynin on Saturday October 11 2014, @02:05PM

    by tynin (2013) on Saturday October 11 2014, @02:05PM (#104765) Journal

    Thanks for the amp reminder, I glossed over that. However nothing gets returned when I run them. I don't know how to do the bash equivalent of a echo $? to see the exit status. Individually I can ping any of them. Fetching wireshark now to see if these icmp echo requests are doing the needful and just not outputting to the terminal due to how this is constructed.

    C:\Users\tynin>set foo=bar;ping -n 1 localhost echo %foo%

    C:\Users\tynin>set foo=google.com;ping -n 1 localhost echo %foo%

    C:\Users\tynin>set foo=10.1.1.254;ping -n 1 localhost echo %foo%

    C:\Users\tynin>set foo=10.1.1.254;ping -n 1 127.0.0.1 echo %foo%

    • (Score: 1) by Coniptor on Saturday October 11 2014, @05:27PM

      by Coniptor (4580) on Saturday October 11 2014, @05:27PM (#104820)

      echo $? is how to echo/print the bash exit status.
      To get the cmd.exe/command.com output it would be echo %errorlevel%.

    • (Score: 0) by Anonymous Coward on Saturday October 11 2014, @08:44PM

      by Anonymous Coward on Saturday October 11 2014, @08:44PM (#104864)

      echo %foo%

      goes on its own line