Shell shocked Attacks

If you thought Heartbleed was bad, prepare yourself for Shellshock.

Like Heartbleed, Shellshock’s technical complexity (when compared to other types of system vulnerabilities) makes explaining what the vulnerability is, how it works, and the potential damage very challenging.

This vulnerability has a lot to do with Bash commands, code injection and environment-variable definitions, but that’s enough tech talk; I will try to explain exactly what Shellshock is.

Simply put, Shellshock is a vulnerability in Bash, system software used by millions upon millions of computers, that opens up the possibility that an attacker could execute arbitrary commands on any of those machines.

Bash has been around since the late 1980s and is the default shell for OS X, Linux and some versions of Unix. Out of the box Windows computers and servers do not run Bash, but versions of Bash are often installed on Windows afterward.

50% of web servers run Apache, which means they may have some version of Bash on them.
Bash is not the command line itself but it is the most common interpreter. One of the core functions of Bash is that it easily allows users to define functions as a way to pass text onto other systems and processes.

The problem is that there is a major vulnerability that occurs when specific characters are included as part of a variable definition.

If the characters “{ :;};” are included as the function definition, any arbitrary code that is inserted AFTER that definition is processed. This isn’t supposed to happen, and it is the heart of the problem here.

In other words, if I am able to define what looks like a normal function with those special characters and then I tack on a few shell commands at the end of that definition, Bash will wind up executing those commands.

This is what is known as code injection and it’s a common type of attack.

The problem is then made worse because countless utilities, particularly have access to Bash and use it in the background.

This means a vulnerable server does not need to have a user specifically type the injected code into the command line. Someone can craft a script that will use the Bash command line to be able to execute code.

Where Shellshock becomes really bad is if it’s turned into a worm. A worm is a self-replicating attack where the malicious program creates code that launches itself on other targets which then launch themselves on other targets and so on.

This is why system administrators around the world have been working their tails off to patch their systems as quickly as possible.
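
A local check an administrator can run to see whether an installed Bash still executes commands tacked onto a function-style variable, as described above. This is an added example, not part of the original post: the names `check_shell`, `audit_shells` and the marker string are chosen here, and the probe value uses the widely published `() {` prefix form of the definition with nothing but an `echo` after it.

```shell
#!/bin/sh
# Added example: local Shellshock self-check. Function names and MARKER are
# chosen for this example; the probe only echoes a marker string.

MARKER="SHELLSHOCK_PROBE_MARKER"

# check_shell PATH
#   0 = the shell ran the command after the function-style definition (vulnerable)
#   1 = the value was treated as plain text (not affected)
#   2 = PATH is not an executable file
check_shell() {
    shell_path=$1
    [ -x "$shell_path" ] || return 2
    # Start the shell with a clean environment holding one variable whose
    # value looks like a function definition followed by a harmless echo.
    out=$(env -i PATH="$PATH" probe="() { :;}; echo $MARKER" \
          "$shell_path" -c ':' 2>/dev/null) || true
    case $out in
        *"$MARKER"*) return 0 ;;
        *)           return 1 ;;
    esac
}

# audit_shells: check every bash listed in /etc/shells plus the one on PATH.
# Returns 1 if any of them is vulnerable, 0 otherwise.
audit_shells() {
    found=0
    for s in $( { grep '/bash$' /etc/shells 2>/dev/null; command -v bash; } | sort -u ); do
        rc=0
        check_shell "$s" || rc=$?
        case $rc in
            0) echo "VULNERABLE: $s"; found=1 ;;
            1) echo "ok:         $s" ;;
            *) echo "skipped:    $s" ;;
        esac
    done
    return $found
}

# Run the audit only when asked, so the file can also be sourced.
if [ "${1:-}" = "--audit" ]; then
    audit_shells
fi
```

Run it with `--audit` on each host; a non-zero exit status means at least one installed Bash still needs the vendor patch.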

Are Regular Computers at Risk?

If you run Windows and have never installed Git or Cygwin or other programs, you are probably safe — but you still want to stay abreast of any security updates.

Linux users can check with their distro for updates to patch Bash.

As for OS X, if you’re familiar with the command line and compiling your own shell, you can update to a safe version, but that is not recommended unless you really know what you are doing and are comfortable with the potential ramifications of an upgrade gone wrong.

The best bet is to wait for Apple to issue an update.

As of today, no one has come up with a way to execute code on individual machines (not servers), but the nature of these discovered vulnerabilities means that it could become a worm targeting, most likely in this case, Mac systems.

The larger issue here is the countless systems that will probably never get upgraded.
