Worse Than Heartbleed?

Meet ShellShock: A
New Security Threat For OS X and Linux
By Matthew Hughes
A serious security issue with the Bash shell a major component of both most UNIX-like operating
systems has been discovered, with significant implications for computer security worldwide.
The issue is present in all versions of the Bash scripting language up to version 4.3, which effects
a majority of Linux machines, and the entirety of computers running OS X. and can see an attacker
exploiting this issue to launch their own code.
Curious about how it works and how to protect yourself? Read on for more information.
What Is Bash?
Bash (standing for Bourne Again Shell) is the default command line interpreter used on most Linux
and BSD distributions, in addition to OS X. It is used as a method of launching programs, using
system utilities and interacting with the underlying operating system by launching commands.
In addition, Bash (and most Unix shells) allow the scripting of UNIX functions in small scripts.
Similarly to most programming languages such as Python, JavaScript and CoffeeScript Bash
supports features common with most programming languages, such as functions, variables and
scope.
Bash is near ubiquitous, with many people using the term Bash to refer to all command line
interfaces, regardless of whether theyre actually using the Bash shell. And if youve ever installed
WordPress or Ghost through the command line, or tunneled your web traffic through SSH, youve
quite possibly used Bash.
Its everywhere. Which makes this vulnerability all the more worrying.
Dissecting The Attack
The vulnerability discovered by French security researcher Stphane Chazleas has caused a
great deal of panic in Linux and Mac users worldwide, as well as attracted attention in the
technology press. And for good reason too, as Shellshock could potentially see attackers gaining
access to privileged systems and executing their own malicious code. Its nasty.
But how does it work? At the lowest possible level, it exploits how environment variables work.
These are used both by UNIX-like systems and Windows to store values that are required for the
computer to function properly. These are available globally available across the system and can
either store a single value such as the location of a folder or a number or a function.
Functions are a concept that is found in software development. But what do they do? Simply put,
they bundle a set of instructions (represented by lines of code), which can later be executed by
either another program or a user.
The issue with the Bash interpreter lies in how it handles storing functions as environment
variables. In Bash, the code found in functions is stored between a pair of curly braces. However, if
an attacker leaves some Bash code outside of the curly brace, it will then be executed by the
system. This leaves the system wide-open for a family of attacks known as code-injection attacks.
Researchers have already found potential attack vectors by exploiting how software such as the
Apache web server, and common UNIX utilities such as WGET interact with the shell and use
environment variables.
How Do You Test For It?
Curious to see if your system is vulnerable? Finding out is easy. Just open up a terminal, and type:
env x='() { :;}; echo vulnerable' bash -c "echo this is a test
If your system is vulnerable, it will then output:
vulnerable
this is a test
Whilst an unaffected system will output:
env x='() { :;}; echo vulnerable' bash -c "echo this is a test"
bash: warning: x: ignoring function definition attempt
bash: error importing function definition for `x'
this is a test
How Do You Fix It?
By the time of publication, the bug which was discovered on the 24th of September, 2014
should have been fixed and patched. You simply need to update your system. Whilst Ubuntu and
Ubuntu variants use Dash as their main shell, Bash is still used for some system functionality. As a
result, youd be well advised to update it. To do that, type:
sudo apt-get update
sudo apt-get upgrade
On Fedora and other Red Hat variants, type:
sudo yum update
Apple is yet to release a security fix for this, although if they do, they will release it through the app
store. Ensure you are regularly checking for security updates.
Chromebooks which use Linux as their foundation, and can run most distros without much fuss
use Bash for certain system functions and Dash as their main shell. Google should should update
in due season.
What To Do If Your Distro Hasnt Fixed Bash Yet
If your distro is yet to release a fix for Bash, you might want to either consider changing
distributions, or installing a different shell.
Id recommend beginners check out Fish Shell. This comes with a number of features that arent
currently available in Bash and make it even more pleasant to work with Linux. These include
autosuggestions, vibrant VGA colors and the ability to configure it from a web interface.
Fellow MakeUseOf author Andrew Bolster also recommends you check out zSH, which comes
with tight integration with the Git version control system, as well as autocomplete.
The Scariest Linux Vulnerability Yet?
Shellshock has already been weaponized. Within one day of the vulnerability being disclosed to
the world, it had already been used in the wild to compromise systems. More troublingly, its not
just home users and businesses that are vulnerable. Security experts are predicting that the bug
will also leave military and government systems at risk. Its almost as nightmarish as Heartbleed
was.
So, please. Update your systems, okay? Let me know how you get on, and your thoughts about
this piece. Comments box is below.
Photo Credit: zanaca (IMG_3772.JPG)
Copyright 2014, MakeUseOf. All Rights Reserved .