The Bash Bug, In a Nut-Shellshock

As you probably know by now, a bug, named Shellshock or “The Bash Bug” has been discovered in a version of Bash, which is a command shell tool. The bug leaves millions of websites and computers open to attack. The bug can be executed in just a few lines of code and enables Hackers to use the command shell remotely to execute malicious injections without admin privileges into vulnerable sites, possibly bringing them down or worse.

The bug is documented as CVE-2014-6271 and CVE-2014-7169.

Some say the damage potential for this bug is so massive, it’s being compared to Heartbleed – and, it may even be more pervasive than Heartbleed. But, others say that its been around for a long time and the damage will be minimal. Security insiders are tweeting all sorts of sarcastic comments and jokes about the bug while some publications warn of gloom and doom. While the damage will remain to be seen, it’s fairly safe to say that this bug is keeping security professionals and developers busy.

Everyone's missing the CIA link here. BASH =. Bourne Again SHell, named after Jason Bourne of the Treadstone Project. It's a CIA backdoor.

Man, is it just me, or does the Internet feel like a monumental shit show lately? Ugh

Anyone heard any good puns with the word "bash" lately?

Technically, no one is safe from Shellshock, it exposes everyone from home users to global corporations. Both Rapid7 and NIST vulnerability database score this vuln a 10 out of 10 and unfortunately its pretty easy to execute. Experts are urging IT professionals to patch their version of Bash ASAP, but keep in mind that there isn’t one solution. IT security experts and developers will need to issue patches for their individual solutions (ex. Apple, RedHat, etc.). For example:

  • Linux vendor RedHat has issued ModSecuritiy rules that block the Bash bug, but warns that the patch is not complete.
  • Security researchers are worried about the bu’s potential impact on Apple Mac computers, which uses the Bash software which the bug exploits directly in the form of its command-line program Terminal. Fortunately, patches are available, but Apple users will need to get their hands dirty until a fix is issued.

Shellshock is a mistake in the code of Bash, which is typically installed on non-Windows operating systems such as Mac, Unix and Linux. The bug enables hackers to send commands to a computer remotely and without having admin privileges. The recent vulnerability was discovered by Akamai security researcher, Stephane Chazelas. This Akamai advisory also explains the problem and this OSS-Sec mailing list post has a good explanation as well..

IT security professionals can find code to exploit the Bash bug using CGI scripts to execute code with the same privileges as the web server. The bug can be triggered on a vulnerable system with a simple Wget fetch.

To check if you’re systems are vulnerable, execute the following lines of code in your default shell, which will often be Bash.

env X=”() { :;} ; echo busted” /bin/sh -c “echo completed”
env X=”() { :;} ; echo busted” `which bash` -c “echo completed”

You’ll know you are at risk if you see the word, “busted.” If you don’t see the word “busted,”  then your version of Bash is fixed or your shell is using a different  interpreter.

Users at home should avoid using credit cards or disclosing personal information on-line for the next few days. In addition, its a good idea to update anti-virus software and avoid sketchy websites.

In Jim Reavis’ Cloud Security Alliance blog post, he explains that many large programs on Linux and other UNIX systems use Bash to define environmental variables which are then used while executing other programs.

For more helpful information on the Shellshock bug, check out the following:

About Dan Kuykendall 173 Articles
Connect with Dan on Google+

Be the first to comment

Leave a Reply

Your email address will not be published.