David Wheeler has a nice write-up of the many aspects of the shellshock vulnerability in Bash, including a timeline of events and commentary on how to prevent vulnerabilities like shellshock in the future.
He even provides a quick test to see if your shell is still susceptible to shellshock:
To determine if a system is vulnerable to shellshock, run the following refined test on a Unix-like system command line (this should work on any Bourne or C shell):
env foo='() { echo not patched; }' bash -c foo
This will reply “bash: foo: command not found” on a repaired system, while a vulnerable system will typically reply “not patched” instead. The initial “env” can be omitted when typing the command into a POSIX/Bourne shell (including bash, dash, and ash).
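Wheeler's one-liner above, wrapped as an added example (not from his write-up or this post) so it can be pointed at any shell binary and its verdict consumed by a script; the function names are my own. A second function shows what the child shell actually sees in $foo, which on a repaired bash is still present, but only as a string.

```shell
#!/bin/sh
# Added example: scripted form of the page's shellshock test.
# Prints one word: "vulnerable" if the shell imports the function definition
# from the environment and runs it, "patched" if it does not, "unavailable"
# if the binary cannot be found. Always returns 0 so it is safe under set -e.
shellshock_check() {
    sh_bin="${1:-bash}"
    command -v "$sh_bin" >/dev/null 2>&1 || { echo unavailable; return 0; }
    # A vulnerable bash parses the value as a function body and defines foo,
    # so "bash -c foo" prints "not patched". A repaired bash leaves foo an
    # ordinary variable, "foo" is not a command, and stderr gets the
    # "command not found" message (suppressed here).
    out=$(env foo='() { echo not patched; }' "$sh_bin" -c foo 2>/dev/null || true)
    if [ "$out" = "not patched" ]; then
        echo vulnerable
    else
        echo patched
    fi
}

# The other side of the fix: the value survives in the environment, but a
# repaired bash hands it to the child as data, not as code.
shellshock_value_seen() {
    sh_bin="${1:-bash}"
    command -v "$sh_bin" >/dev/null 2>&1 || { echo unavailable; return 0; }
    env foo='() { echo not patched; }' "$sh_bin" -c 'printf "%s" "$foo"' 2>/dev/null || true
}

# Usage: ./shellshock_check.sh [shell-binary]   (defaults to bash)
sh_to_test="${1:-bash}"
echo "$sh_to_test: $(shellshock_check "$sh_to_test")"
echo "foo as seen by $sh_to_test: '$(shellshock_value_seen "$sh_to_test")'"
```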
The write-up shows how the problem was mis-identified several times as news of it spread, and how multiple fixes were constructed in parallel, thanks to the code being open source.
He also presents a similar type of defect under Microsoft Windows where, in a CMD.EXE window, issuing these commands:
set foo=bar^&ping -n 1 localhost
echo %foo%
will not only display the value of the "foo" environment variable, it will also cause a ping command to be executed.
[Update: fixed formatting of code sample.]
(Score: -1, Troll) by Anonymous Coward on Saturday October 11 2014, @03:01PM
This kind of bug can't happen when using C or C++ or Java or C# or any real programming language.
This kind of a bug only happens when using dynamic languages like bash, Ruby, Perl or JavaScript, where code in strings can be executed on the fly.
(Score: 0) by Anonymous Coward on Saturday October 11 2014, @06:38PM
So NO! to $anything because $anything can be used to murder innocents.
Blaming tools for human error is counter productive at best.
(Score: 2, Informative) by Anonymous Coward on Saturday October 11 2014, @07:18PM
if you were serious...type man 3 system. oooo "code in strings can be executed on the fly." that's this very bug, waiting for you to call it from stdlib.
in other words, you have no idea what you're talking about.
(Score: -1, Troll) by Anonymous Coward on Saturday October 11 2014, @11:09PM
Why the fuck is the parent's dumbass comment modded up? It's fucking idiotic.
You have to go to great lengths to execute arbitrary C or C++ code using system(). Fuck, you have to even manually call system() in the first place, and modern compilers warn about its use.
Fuck, all it took with bash was setting and using an environment variable's value! Only somebody as fucking retarded as the parent wouldn't see the difference here.
Mod the parent down. It's full of shit, and it's dumb as rocks.