David Wheeler has a nice write-up of the many aspects of the shellshock vulnerability in Bash, including a timeline of events and commentary on how to prevent vulnerabilities like shellshock in the future.
He even provides a quick test to see if your shell is still susceptible to shellshock:
To determine if a system is vulnerable to shellshock, run the following refined test on a Unix-like system command line (this should work on any Bourne or C shell):
env foo='() { echo not patched; }' bash -c foo
This will reply “bash: foo: command not found” on a repaired system, while a vulnerable system will typically reply “not patched” instead. The initial “env” can be omitted when typing the command into a POSIX/Bourne shell (including bash, dash, and ash).
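The same check wrapped in a small POSIX shell script, as an added example that is not from Wheeler's write-up or the article above; it assumes a bash binary is on PATH, and maps the outcome onto an exit status so you can read it back with `echo $?`:

```shell
#!/bin/sh
# Added example (not from the original write-up): wraps the env-based test
# above in a function so a script can act on the result.
# Assumption: a bash binary is on PATH.

# Returns 0 when bash is patched (no function import from a plain variable),
# 1 when the injected function runs and prints "not patched", 2 when no bash
# binary is found so the check could not be performed.
shellshock_status() {
    if ! command -v bash >/dev/null 2>&1; then
        return 2
    fi
    # The variable's value looks like a function definition. An unpatched
    # bash imports it as a function named foo on startup, so `bash -c foo`
    # then runs it; a patched bash ignores it and reports foo as unknown.
    out=$(env foo='() { echo not patched; }' bash -c foo 2>&1) || :
    case "$out" in
        *"not patched"*) return 1 ;;
        *)               return 0 ;;
    esac
}

# Human-readable wrapper; its exit status is the same code, so after running
# the script you can inspect it with: echo $?
shellshock_report() {
    shellshock_status && rc=0 || rc=$?
    case "$rc" in
        0) echo "bash: patched (foo not imported as a function)" ;;
        1) echo "bash: VULNERABLE (function import from arbitrary env var)" ;;
        *) echo "bash: not found, check skipped" ;;
    esac
    return "$rc"
}

shellshock_report
```

The case match on the captured output is what decides the verdict; the exit status of `bash -c foo` alone is not used, because a missing bash and a patched bash can both come back as 127.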
The write-up shows that several mis-identifications of the problem were communicated, as well as how multiple solutions were constructed—thanks to the code being open-source.
He also presents a similar type of defect under Microsoft Windows where, in a CMD.EXE window, issuing these commands:
set foo=bar^&ping -n 1 localhost
echo %foo%
will not only display the value of the "foo" environment variable, it will also cause a ping command to be executed.
[Update: fixed formatting of code sample.]
(Score: 2) by tynin on Saturday October 11 2014, @02:05PM
Thanks for the amp reminder, I glossed over that. However nothing gets returned when I run them. I don't know how to do the bash equivalent of an echo $? to see the exit status. Individually I can ping any of them. Fetching Wireshark now to see if these ICMP echo requests are doing the needful and just not outputting to the terminal due to how this is constructed.
C:\Users\tynin>set foo=bar;ping -n 1 localhost echo %foo%
C:\Users\tynin>set foo=google.com;ping -n 1 localhost echo %foo%
C:\Users\tynin>set foo=10.1.1.254;ping -n 1 localhost echo %foo%
C:\Users\tynin>set foo=10.1.1.254;ping -n 1 127.0.0.1 echo %foo%
(Score: 1) by Coniptor on Saturday October 11 2014, @05:27PM
echo $? is how to echo/print the bash exit status.
To get the cmd.exe/command.com output it would be echo %errorlevel%.
(Score: 2) by tynin on Saturday October 11 2014, @06:30PM
Thanks!
(Score: 0) by Anonymous Coward on Saturday October 11 2014, @08:44PM
echo %foo%
goes on its own line