Stories
Slash Boxes
Comments

SoylentNews is people

Shellshock Detection, Prevention, Timeline, and Lessons Learned

posted by martyb on Saturday October 11 2014, @01:15PM   Printer-friendly
from the he-who-does-not-learn-from-history dept.

First-time submitter barnsbarns writes:

David Wheeler has a nice write-up of the many aspects of the shellshock vulnerability in Bash, including a timeline of events and commentary on how to prevent vulnerabilities like shellshock in the future.

He even provides a quick test to see if your shell is still susceptible to shellshock:

To determine if a system is vulnerable to shellshock, run the following refined test on a Unix-like system command line (this should work on any Bourne or C shell):

env foo='() { echo not patched; }' bash -c foo

This will reply “bash: foo: command not found” on a repaired system, while a vulnerable system will typically reply “not patched” instead. The initial “env” can be omitted when typing the command into a POSIX/Bourne shell (including bash, dash, and ash).

The write-up shows that several mis-identifications of the problem were communicated, as well as how multiple solutions were constructed—thanks to the code being open-source.

He also presents a similar type of defect under Microsoft Windows where, in a CMD.EXE window, issuing these commands:

  set foo=bar^&ping -n 1 localhost
  echo %foo%

will not only display the value of the "foo" environment variable, it will also cause a ping command to be executed.

[Update: fixed formatting of code sample.]

 
This discussion has been archived. No new comments can be posted.
Shellshock Detection, Prevention, Timeline, and Lessons Learned | Log In/Create an Account | Top | 30 comments | Search Discussion
Display Options Threshold/Breakthrough Mark All as Read Mark All as Unread
The Fine Print: The following comments are owned by whoever posted them. We are not responsible for them in any way.

  • (Score: 0) by Anonymous Coward on Saturday October 11 2014, @03:01PM

    by Anonymous Coward on Saturday October 11 2014, @03:01PM (#104781)

    is this the "Bunch of tough guys that post as A.C" thread? Finally a place i can sound cool. Fuck systemd and beta.

  • (Score: 1, Insightful) by Anonymous Coward on Saturday October 11 2014, @03:07PM

    by Anonymous Coward on Saturday October 11 2014, @03:07PM (#104784)

    Silly boy, this isn't about being tough. This is about saving one of the greatest open source projects to have ever existed: Debian. We were quiet when these kind of people killed Firefox. We were quiet when they killed GNOME. But we damn well won't sit here quietly while they try to kill Debian! If our voices aren't heard, then we will move to FreeBSD.

    • (Score: 2) by kaszz on Saturday October 11 2014, @03:45PM

      by kaszz (4211) on Saturday October 11 2014, @03:45PM (#104795) Journal

      Don't worry. They will infest FreeBSD too within time.. And make compatibility with software designed for a systemd environment a pain.