BLU Discuss list archive
[Discuss] Shellshock
- Subject: [Discuss] Shellshock
- From: tmetro+blu at gmail.com (Tom Metro)
- Date: Tue, 30 Sep 2014 21:50:50 -0400
I assume most readers of this list are already well familiar with the Bash bug known as "Shellshock" by now. The general tech press has raised alarms about it, but they've generally done a rather poor job of explaining the actual ways in which the bug could be exploited remotely. Here are a few articles on the topic that do a better job:

http://paste.lisp.org/display/143864

> The problem we have is not a bash bug...
>
> I would argue that the bash security concern is not a bug. It is clearly a feature. Admittedly, a misguided and misimplemented feature, but still a feature. The problem is that it was designed 25 years ago. Apache didn't exist yet for five years!
>
> ...
>
> The problem is that 5 years later, new software was developed (apache, dhcp, etc), that uses bash in child processes, and which still uses environment variables to pass data. Unfortunately, some of that data comes not from the trusted user of the local system, but comes from random users and program on the other side of the internet and of the planet. And in the meantime, the undocumented (and under-published) feature of bash is forgotten.

http://perltricks.com/article/115/2014/9/26/Shellshock-and-Perl

> ...a successful Shellshock attack would need to pass an environment variable containing malicious code to a CGI script on a web server (like Apache), hosted on a vulnerable system, and the CGI script would have to invoke the Shell. For Perl CGI scripts, the system invocation would need to include metacharacters. This seems like a tall order, not yet understood by everyone

Worth reading for a better understanding of the issue even if you don't deal with Perl. The information is largely applicable to other high-level languages, like PHP, Python, Ruby, etc.

And a reminder that you need to look beyond just web servers:

http://threatpost.com/openvpn-vulnerable-to-shellshock-bash-vulnerability/108616

> ...a Swedish VPN company, reported that OpenVPN servers are vulnerable to Shellshock...
>
> Stromberg said the attack vector in OpenVPN is particularly dangerous because it's pre-authentication, putting all communication through a supposedly secure tunnel at risk. "OpenVPN has a number of configuration options that can call custom commands during different stages of the tunnel session. Many of these commands are called with environmental variables set, some of which can be controlled by the client," Stromberg wrote...
>
> Gert Doering, speaking on behalf of the OpenVPN open source community version...said, "always use client certificates, as the username verification script that is the attack vector here is only called after successful verification of a client cert."

 -Tom

-- 
Tom Metro
The Perl Shop, Newton, MA, USA
"Predictable On-demand Perl Consulting."
http://www.theperlshop.com/
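The quoted articles describe the mechanism (request data exported into a CGI child's environment, where unpatched bash parsed a value starting with a function-definition prefix as code). The detector below, an added example rather than anything from the post or the cited articles, scans Apache combined-format log lines for that "() {" prefix in the request, Referer and User-Agent fields; the log lines are constructed samples, and the field names and function names are this example's own.

```python
import re
from typing import List, Tuple

# Unpatched bash treated an environment variable whose value began with the
# function-definition prefix "() {" as code to evaluate. That prefix, allowing
# for whitespace variations, is the signature worth hunting for in any request
# field a CGI handler exports (User-Agent, Referer, query string, Cookie).
SHELLSHOCK_RE = re.compile(r"\(\)\s*\{")

# Apache "combined" format. The three quoted fields are where probes land.
# (Escaped quotes inside a field are not handled; such lines are skipped.)
COMBINED_RE = re.compile(
    r'^(?P<host>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<request>[^"]*)" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

# Constructed sample log (not real traffic): two benign lines, two probes that
# carry only the harmless self-test body, and a "()" without a brace that a
# naive substring match would wrongly flag.
SAMPLE_LOG = """\
192.0.2.10 - - [30/Sep/2014:21:50:50 -0400] "GET /cgi-bin/status.cgi HTTP/1.1" 200 512 "-" "Mozilla/5.0"
192.0.2.11 - - [30/Sep/2014:21:51:02 -0400] "GET /cgi-bin/status.cgi HTTP/1.1" 200 512 "-" "() { :; }; echo vulnerable"
192.0.2.12 - - [30/Sep/2014:21:51:09 -0400] "GET /index.html HTTP/1.1" 200 1024 "() {:;}; echo vulnerable" "curl/7.37"
192.0.2.13 - - [30/Sep/2014:21:51:30 -0400] "GET /cgi-bin/status.cgi?x=() HTTP/1.1" 404 0 "-" "Mozilla/5.0"
"""


def find_shellshock_probes(log_text: str) -> List[Tuple[int, str, str]]:
    """Return (line number, field name, client host) for every logged field
    that carries the bash function-definition prefix."""
    hits: List[Tuple[int, str, str]] = []
    for lineno, line in enumerate(log_text.splitlines(), start=1):
        m = COMBINED_RE.match(line)
        if not m:
            continue  # not combined format (or contains escaped quotes)
        for field in ("request", "referer", "ua"):
            if SHELLSHOCK_RE.search(m.group(field)):
                hits.append((lineno, field, m.group("host")))
    return hits


if __name__ == "__main__":
    for lineno, field, host in find_shellshock_probes(SAMPLE_LOG):
        print(f"line {lineno}: Shellshock prefix in {field} from {host}")
```

A hit only shows that a probe arrived; whether it did anything depends on the CGI script having exported that field and invoked an unpatched bash, which is the patch and inventory question the articles above raise.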