shellshocker!

Shellshock (CVE-2014-6271, CVE-2014-7169, CVE-2014-7186, CVE-2014-7187) is a vulnerability in GNU's bash shell that gives attackers access to run remote commands on a vulnerable system. If your system has not updated bash in the last 24 hours (see patch history), you're most definitely vulnerable and have been since first boot. This security vulnerability affects versions 1.14 (released in 1994) to the most recent version 4.3 according to NVD.


https://shellshocker.net/

First Heartbleed and now this. It makes me wonder if open source is really something to be thought of as more trustworthy or secure.
I don't see how it would be any more secure if it were not free software.
Seems like a glaring hole, why wasn't it caught till now?
It doesn't say what the exploit actually is. Does anyone know? What is happening in the code that allows the remote command to be executed?

Good thing I use a rolling release distro. I had the fixed version of bash before I even saw this thread.
It allows execution of arbitrary code if any line of the input is processed by bash. Like: http://habrastorage.org/getpro/habr/post_images/0b5/852/324/0b5852324a42233f92d859a6a8ec99e6.png

Bash allows exporting functions as environment variables. If you add specific symbols after the function body and write a command after them, then after export it would be called when the interpreter is executed.

http://mashable.com/2014/09/26/what-is-shellshock/
If I recall, this was already deemed as not as big of a deal as it first sounds- attacks will be few and far between, because no one has actually developed a method to use this loophole yet. This isn't the case of exploits already being done- they haven't. Just update what's on your computer, and you'll be fine.

I recommend Secunia PSI- it was built for this exact purpose. Auto-updates all software on your computer when it can for the security updates, and tells you to update it manually when you can't.
It is not as bad as Heartbleed was, but it is still dangerous and, according to ESET data, already exploited in the wild. Servers which use the CGI module are potentially compromised. The attacker makes use of the fact that HTTP request headers are exported as environment variables (which is the method of attack). The malicious script downloads some file and executes it.
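Added example, not part of the original thread: a log check built on the two explanations above (function definitions exported through environment variables, and CGI exporting HTTP request headers as environment variables). It flags Referer and User-Agent values in a combined-format access log that begin with a bash function definition; the log lines, addresses, paths and `PLACEHOLDER_COMMAND` are constructed for illustration.

```python
import re

# Pre-patch bash treats an environment value that begins with "() {" as an
# exported function definition; allow loose whitespace between the tokens.
FUNC_PREFIX = re.compile(r"\(\s*\)\s*\{")

# Combined log format: ip - user [time] "request" status bytes "referer" "agent"
COMBINED = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<request>[^"]*)" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "(?P<agent>[^"]*)"'
)

# Constructed sample lines (documentation address ranges, placeholder command).
SAMPLE_LOG = """\
198.51.100.7 - - [26/Sep/2014:10:01:12 +0000] "GET /index.html HTTP/1.1" 200 512 "-" "Mozilla/5.0 (X11; Linux x86_64)"
203.0.113.9 - - [26/Sep/2014:10:02:40 +0000] "GET /cgi-bin/status HTTP/1.1" 200 31 "-" "() { :; }; PLACEHOLDER_COMMAND"
203.0.113.9 - - [26/Sep/2014:10:02:41 +0000] "GET /cgi-bin/status HTTP/1.1" 500 0 "() {  x; }; PLACEHOLDER_COMMAND" "curl/7.38.0"
192.0.2.44 - - [26/Sep/2014:10:05:03 +0000] "GET /docs/ HTTP/1.1" 200 210 "-" "ExampleBot/1.0 (notes: () { not at start)"
this line is truncated or corrupted
"""


def scan(log_text):
    """Return (hits, unparsed): hits are (ip, timestamp, field) tuples."""
    hits, unparsed = [], 0
    for line in log_text.splitlines():
        m = COMBINED.match(line)
        if not m:
            unparsed += 1          # count, do not silently drop, odd lines
            continue
        for field in ("referer", "agent"):
            # Only a value that *starts* with the definition is parsed as a
            # function, so anchor at the start to avoid mid-string noise.
            if FUNC_PREFIX.match(m.group(field).lstrip()):
                hits.append((m.group("ip"), m.group("ts"), field))
    return hits, unparsed


if __name__ == "__main__":
    found, skipped = scan(SAMPLE_LOG)
    for ip, ts, field in found:
        print(f"{ts}  {ip}  function definition in {field} header")
    print(f"{skipped} line(s) could not be parsed")
```

The combined format records only the Referer and User-Agent headers, so a clean result here says nothing about other request headers, which need extended logging or network inspection to review.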
htirwin, what does it being open-source have to do with it?
With open source, anyone can study/analyze the code looking for vulnerabilities and a sly person can deliberately introduce vulnerabilities. The first thing is a double edged sword. The second thing is also true of closed source, but is probably much easier to do with open source software.

I used to think open source software is more trustworthy, because the source is there to read. If it contained malicious code, it would be spotted and reported. But the fact is that you can't trust software just because it's open source. Even extremely widespread and security critical software, lib-ssl, and bash, have had major vulnerabilities that went unreported for a long time. Bash was vulnerable for over 20 years. I would bet that intelligence agencies and high tech criminal organizations around the world had known about some of these bugs long before they were reported. And I am willing to bet that there are more and possibly worse bugs in widespread open source software being exploited, which have not yet been reported.

Would it be crazy to assume that almost all computers connected to the internet have undiscovered/unreported bug-backdoors?
htirwin: the vulnerability has existed for two decades. If you want to worry about someone slipping in the vulnerability, get a time machine.
It had to get in there somehow, and who's to say someone couldn't do it to a different, or the same, open source project in the future (and indeed that they haven't already).
The same goes for any software though. You shouldn't trust software for any circumstance. Having it open-source simply allows analysis yourself.

Proprietary software allows the same thing. People who know how to reverse engineer and manipulate things are going to figure it out anyways. Look at the guys who are constantly cracking games and software.

You can't say closed-source software prevents X when X still happens constantly.
closed account (EwCjE3v7)
I saw many people tweeting about this, didn't know what it was till last night when I searched it up.

Anyone who has bash out there should check this out: https://www.digitalocean.com/community/tutorials/how-to-protect-your-server-against-the-shellshock-bash-vulnerability

Also I don't think it protects you fully, it just slows down the attacker, I believe
With open source, anyone can study/analyze the code looking for vulnerabilities and a sly person can deliberately introduce vulnerabilities

Same goes for good people. Two big vulnerabilities in OSS in the last two years. Don't think it's time to jump ship yet.

Would it be crazy to assume that almost all computers connected to the internet have undiscovered/unreported bug-backdoors?

Not crazy at all. That's the fact of software/computers. Doesn't matter whether it's open source, closed source, or some superposition of both.
ResidentBiscuit wrote:
some superposition of both.


That reminds me, anyone else see this?
http://www.cnet.com/news/scientists-make-quantum-leap-teleport-data-farther-than-ever-before/
That Article said:
An experimental setup for the University of Geneva's latest quantum teleportation achievement that we will not try to explain.

@Cheraphy: For some reason I spent about ten minutes laughing at this sentence. That truly made my morning.

Maybe being able to read an actual electronic schematic is why I don't think that this diagram is complicated? Yes I had to look up what PPKTP and PPLN stood for, I'm not a chemist, and I'm only reasonably certain that 'QWP' and 'HWP' are either signal processors or amplifiers based on where they are (it's a map of four devices after all). Otherwise a power source is a power source, wire and lenses aren't complicated and an Etalon is a component used in expensive lasers. That still leaves the 'PBS' which could be any number of things and the 'VBG' which I haven't the faintest idea about what it could be. So that's what, like four maybe five devices the author had to explain?

htirwin said:
Would it be crazy to assume that almost all computers connected to the internet have undiscovered/unreported bug-backdoors?

No this isn't crazy, in fact it would be pants-on-head retarded to assume the other way around.
So that's what, like four maybe five devices the author had to explain?

But you would still be left to explain what it does and how it works.