
FMX
Veteran
Joined: 16 Mar 2012
Gender: Male
Posts: 1,319

25 Sep 2014, 6:18 am

"Heartbleed" was bad, but "Shellshock" is, arguably, worse!

https://community.qualys.com/blogs/laws ... nerability

Apparently it was introduced 22 years ago in version 1.13! I know it's a complex piece of software and all, but the bug is not complex to exploit. It's hard to believe that nobody would have come across it, even by pure chance, in all that time or that nobody realised the implications when they did!


_________________
CloudFlare eating your posts? Try the Lazarus browser extension. See https://wp-fmx.github.io/WP/


TallyMan
Veteran
Joined: 30 Mar 2008
Gender: Male
Posts: 40,061

25 Sep 2014, 6:34 am

^ It has probably been used extensively for many years by the likes of the NSA/CIA as one of the many flaws enabling them to hack into computers worldwide.


_________________
I've left WP indefinitely.


0_equals_true
Veteran
Joined: 5 Apr 2007
Age: 41
Gender: Male
Posts: 11,038
Location: London

26 Sep 2014, 4:51 pm

Btw the updates/patches shouldn't be treated as a complete solution. Further updates may be forthcoming.

It is also worth updating bash individually to make sure.

Run this test

Code:
env X="() { :;} ; echo busted" /bin/sh -c "echo completed"
env X="() { :;} ; echo busted" `which bash` -c "echo completed"
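
A scripted version of the test above, extended to every shell listed in /etc/shells, since /bin/sh and bash can be different binaries. This is an added example, not part of the original post; the function names check_shell and check_all are made up here, and the probe string is the one from the post.

```shell
#!/bin/sh
# Added example (not from the thread). Usage after sourcing:
#   check_shell /bin/bash      or      check_all

# check_shell PATH
# Prints one of: vulnerable, not-vulnerable, inconclusive, missing.
check_shell() {
    shell_path=$1
    if [ ! -x "$shell_path" ]; then
        echo "missing"
        return 0
    fi
    # Same probe as the post: a function-style value followed by a command.
    # A fixed shell runs only the -c command; an unfixed bash also runs the
    # trailing echo while importing the variable. stdin is detached so the
    # probed program cannot consume the caller's input.
    out=$(env X='() { :;} ; echo busted' "$shell_path" -c 'echo completed' \
          2>/dev/null </dev/null)
    case $out in
        *busted*)    echo "vulnerable" ;;
        *completed*) echo "not-vulnerable" ;;
        *)           echo "inconclusive" ;;   # e.g. nologin, or not a shell
    esac
}

# check_all [LIST]
# Probes every path in LIST (default /etc/shells), one "result<TAB>path" line
# each. Returns 1 if any entry is vulnerable, 2 if LIST is unreadable, else 0.
check_all() {
    list=${1:-/etc/shells}
    if [ ! -r "$list" ]; then
        echo "cannot read $list" >&2
        return 2
    fi
    found=0
    while IFS= read -r entry; do
        case $entry in ''|'#'*) continue ;; esac   # skip blanks and comments
        result=$(check_shell "$entry")
        printf '%s\t%s\n' "$result" "$entry"
        if [ "$result" = "vulnerable" ]; then
            found=1
        fi
    done < "$list"
    return "$found"
}
```

The non-zero return from check_all makes it usable as a gate in a patch-verification script.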



0_equals_true
Veteran
Joined: 5 Apr 2007
Age: 41
Gender: Male
Posts: 11,038
Location: London

26 Sep 2014, 4:54 pm

FMX wrote:
Apparently it was introduced 22 years ago in version 1.13! I know it's a complex piece of software and all, but the bug is not complex to exploit. It's hard to believe that nobody would have come across it, even by pure chance, in all that time or that nobody realised the implications when they did!


That is hindsight though. If they didn't need to they wouldn't, so it would appeal to those looking for weaknesses. Yes, it is possible that it has been known to some.



FMX
Veteran
Joined: 16 Mar 2012
Gender: Male
Posts: 1,319

27 Sep 2014, 6:46 am

I hope this bug has long-lasting implications on security design. Years from now, I see them teaching in computer security classes "... and this is another subtle example of mixing data (variable values) and code (functions)... it's not a problem - until it is!" I'm sure there are many lessons from this. None of them are actually new, but this might help to drive them home.

