Shellshock Expands
Posted: Sat Sep 27, 2014 10:35 pm
You may have heard of the "Shellshock" vulnerability. It was discovered early last week, although it's not really a bug per se. Unfortunately, it's exploitable and it may be in the process of being actively used in the wild.
The vulnerability consists of bash parsing a special string of characters ("(){}") and interpreting it as a function definition, then parsing the rest of the string and running whatever command appears after it--with the caveat that it must be supplied via an environment variable. Normally this isn't a problem, but if bash is the shell that Apache (through APR), or even some system calls, ends up invoking, and such an environment variable is set, whatever is in there will be executed. Since CGI (not the rendering library--the Common Gateway Interface) passes the headers sent by a client to the configured application as its environment, if that application runs bash in any way, shape, or form, it can be exploited.
In short, the vulnerability exists in the bash shell, which is widely installed, widely used, and ships in software across multiple operating systems (yes, even Windows). However, exploiting it requires the system to link the "default" system shell, /bin/sh, to bash, and not all systems do: Debian and Ubuntu use the dash shell, as do others; FreeBSD uses tcsh by default; and other systems may differ. Arch Linux relies on bash by default, as do many other distributions--including some for embedded systems (which really ought to be using Busybox).
However, it was recently discovered that even qmail can be used as a vector, depending on the user's dot file configuration. This is because of the way qmail pipes unsanitized data received via SMTP: it's possible to coerce it into passing these values as environment variables, which bash then executes. It's not that qmail is exploitable; rather, it's the fault of using qmail to reach bash. Much in the way the humble ant can be manipulated by the liver fluke to infest herbivorous mammals so it can continue the remainder of its life cycle, so too is qmail harassed.
The reason I say this isn't a "bug" is because of its purpose. The (){} method of defining a function, which bash parses when it is placed in an environment variable, was used as a mechanism for passing functions from a parent shell into a subshell. AFAIK, it was never intended to be exposed to (or used by) shell users. Rather, it's the fault of bash's internal plumbing for doing magical things. It just so happens that magic, sometimes, can be unpredictable and backfire.
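Two checks a defender can run for the mechanism described above, as an added example that is not from the original post: the widely published local self-test for a bash that executes the text after an imported function definition, and a scan of a web-server access log for request headers carrying the "() {" prefix that CGI would turn into an environment variable. BASH_BIN and the sample log lines are assumptions constructed for the example.

```shell
#!/bin/sh
# Added example, not code from the original post. Two defender-side checks for
# the behaviour described above. BASH_BIN is an assumption: the bash to probe.
BASH_BIN="${BASH_BIN:-bash}"

# Self-test: export a variable whose value starts with "() {" and carries a
# command after the closing brace, then start a child bash. A fixed bash either
# ignores the trailing text or refuses the import; an unfixed one also runs the
# trailing "echo vulnerable" while importing the function. Prints one word.
shellshock_self_test() {
    command -v "$BASH_BIN" >/dev/null 2>&1 || { echo no-bash; return 0; }
    out=$(env x='() { :;}; echo vulnerable' "$BASH_BIN" -c 'echo probe' 2>/dev/null)
    case "$out" in
        *vulnerable*) echo vulnerable ;;
        *)            echo patched ;;
    esac
}

# CGI turns request headers into environment variables, so a probe shows up in
# the web-server log as a header value beginning with "() {". Count such lines
# in a combined-format access log given as $1 (prints 0 when none match).
scan_access_log() {
    grep -c '() *{' "$1" || true
}

# Constructed sample log (three requests, one with the prefix in User-Agent) so
# the scan can run offline; writes it to a temp file and prints the path.
make_sample_log() {
    f=$(mktemp)
    cat >"$f" <<'EOF'
203.0.113.5 - - [26/Sep/2014:10:00:01 +0000] "GET /cgi-bin/status HTTP/1.1" 200 512 "-" "Mozilla/5.0"
203.0.113.9 - - [26/Sep/2014:10:00:07 +0000] "GET /cgi-bin/status HTTP/1.1" 200 512 "-" "() { :;}; echo probe"
203.0.113.5 - - [26/Sep/2014:10:00:09 +0000] "GET /index.html HTTP/1.1" 200 2048 "-" "curl/7.37.0"
EOF
    echo "$f"
}

# Stand-alone run: report the local bash, then scan the sample log.
echo "local bash: $(shellshock_self_test)"
log=$(make_sample_log)
echo "suspicious requests in sample log: $(scan_access_log "$log")"
rm -f "$log"
```

The same grep pattern can be pointed at a real access log or mail log; any hit is a request that tried to plant a function definition in the environment, whether or not the target was actually running bash.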
If you're running Windows, it pains me to say this, but you most likely have nothing to worry about, provided you don't have Git installed (and exposed), or Cygwin, MINGW, or anything else that installs a copy of bash (and exposes it).