Pinterest Stumbleupon Whatsapp
Advertisement

A serious security issue with the Bash shell – a major component of both most UNIX-like operating systems – has been discovered, with significant implications for computer security worldwide.

The issue is present in all versions of the Bash scripting language up to version 4.3, which effects a majority of Linux machines, and the entirety of computers running OS X. and can see an attacker exploiting this issue to launch their own code.

Curious about how it works and how to protect yourself? Read on for more information.

What Is Bash?

Bash (standing for Bourne Again Shell) is the default command line interpreter used on most Linux and BSD distributions, in addition to OS X. It is used as a method of launching programs, using system utilities and interacting with the underlying operating system by launching commands.

In addition, Bash (and most Unix shells) allow the scripting of UNIX functions in small scripts. Similarly to most programming languages – such as Python, JavaScript and CoffeeScript CoffeeScript Is JavaScript Without The Headaches CoffeeScript Is JavaScript Without The Headaches I've never really liked writing JavaScript all that much. From the day I wrote my first line using it, I've always resented that whatever I write in it always ends up looking like a Jackson... Read More – Bash supports features common with most programming languages, such as functions, variables and scope.

shellshock-bash

Advertisement

Bash is near ubiquitous, with many people using the term ’Bash’ to refer to all command line interfaces, regardless of whether they’re actually using the Bash shell. And if you’ve ever installed WordPress or Ghost through the command line Signed Up for SSH-only Web Hosting? Don't Worry - Easily Install Any Web Software Signed Up for SSH-only Web Hosting? Don't Worry - Easily Install Any Web Software Don’t know the first thing about operating Linux through its powerful command line? Worry no more. Read More , or tunneled your web traffic through SSH How to Tunnel Web Traffic with SSH Secure Shell How to Tunnel Web Traffic with SSH Secure Shell Read More , you’ve quite possibly used Bash.

It’s everywhere. Which makes this vulnerability all the more worrying.

Dissecting The Attack

The vulnerability – discovered by French security researcher Stéphane Chazleas – has caused a great deal of panic in Linux and Mac users worldwide, as well as attracted attention in the technology press. And for good reason too, as Shellshock could potentially see attackers gaining access to privileged systems and executing their own malicious code. It’s nasty.

But how does it work? At the lowest possible level, it exploits how environment variables work. These are used both by UNIX-like systems and Windows What Are Environment Variables & How Can I Use Them? [Windows] What Are Environment Variables & How Can I Use Them? [Windows] Every now and then I'll learn a little tip that makes me think "well, if I known that a year ago then it'd have saved me hours of time". I vividly remember learning how to... Read More to store values that are required for the computer to function properly. These are available globally available across the system and can either store a single value – such as the location of a folder or a number – or a function.

shellshock-env-vars

Functions are a concept that is found in software development. But what do they do? Simply put, they bundle a set of instructions (represented by lines of code), which can later be executed by either another program or a user.

The issue with the Bash interpreter lies in how it handles storing functions as environment variables. In Bash, the code found in functions is stored between a pair of curly braces. However, if an attacker leaves some Bash code outside of the curly brace, it will then be executed by the system. This leaves the system wide-open for a family of attacks known as code-injection attacks.

Researchers have already found potential attack vectors by exploiting how software such as the Apache web server How To Set Up An Apache Web Server In 3 Easy Steps How To Set Up An Apache Web Server In 3 Easy Steps Whatever the reason is, you may at some point want to get a web server going. Whether you want to give yourself remote access to certain pages or services, you want to get a community... Read More , and common UNIX utilities such as WGET Mastering Wget & Learning Some Neat Downloading Tricks Mastering Wget & Learning Some Neat Downloading Tricks Sometimes it's just not enough to save a website locally from your browser. Sometimes you need a little bit more power. For this, there's a neat little command line tool known as Wget. Wget is... Read More interact with the shell and use environment variables.

How Do You Test For It?

Curious to see if your system is vulnerable? Finding out is easy. Just open up a terminal, and type:

env x='() { :;}; echo vulnerable' bash -c "echo this is a test”

If your system is vulnerable, it will then output:

vulnerable
 this is a test

Whilst an unaffected system will output:

env x='() { :;}; echo vulnerable' bash -c "echo this is a test"
 bash: warning: x: ignoring function definition attempt
 bash: error importing function definition for `x'
 this is a test

How Do You Fix It?

By the time of publication, the bug – which was discovered on the 24th of September, 2014 – should have been fixed and patched. You simply need to update your system. Whilst Ubuntu and Ubuntu variants use Dash as their main shell, Bash is still used for some system functionality. As a result, you’d be well advised to update it. To do that, type:

sudo apt-get update
sudo apt-get upgrade

On Fedora and other Red Hat variants, type:

sudo yum update

Apple is yet to release a security fix for this, although if they do, they will release it through the app store. Ensure you are regularly checking for security updates.

shellshock-update

Chromebooks – which use Linux as their foundation, and can run most distros without much fuss How to Install Linux on a Chromebook How to Install Linux on a Chromebook Do you need Skype on your Chromebook? Do you miss not having access to games through Steam? Are you pining to use VLC Media Player? Then start using Linux on your Chromebook. Read More – use Bash for certain system functions and Dash as their main shell. Google should should update in due season.

What To Do If Your Distro Hasn’t Fixed Bash Yet

If your distro is yet to release a fix for Bash, you might want to either consider changing distributions, or installing a different shell.

I’d recommend beginners check out Fish Shell. This comes with a number of features that aren’t currently available in Bash and make it even more pleasant to work with Linux. These include autosuggestions, vibrant VGA colors and the ability to configure it from a web interface.

Fellow MakeUseOf author Andrew Bolster also recommends you check out zSH, which comes with tight integration with the Git version control system, as well as autocomplete.

The Scariest Linux Vulnerability Yet?

Shellshock has already been weaponized. Within one day of the vulnerability being disclosed to the world, it had already been used in the wild to compromise systems. More troublingly, it’s not just home users and businesses that are vulnerable. Security experts are predicting that the bug will also leave military and government systems at risk. It’s almost as nightmarish as Heartbleed was.

So, please. Update your systems, okay? Let me know how you get on, and your thoughts about this piece. Comments box is below.

Photo Credit:zanaca (IMG_3772.JPG)

Leave a Reply

Your email address will not be published. Required fields are marked *