How Poor Punctuation Can Break Windows

An anonymous reader writes with a report at Ars Technica about how a small bug can lead to a security problem. In this case, the problem is that quotation marks — or the lack of them — can be significant. From the Ars article: "The scenario... requires a 'standard' user with access rights to create a directory to a fileserver and an administrator executing a vulnerable script," Frank Lycops and Raf Cox, security researchers with The Security Factory, said in an e-mail interview. "This allows the attacker to gain the privileges of the user running the script, thus becoming an administrator." While the attack falls short of the severity of the Shellshock family of Linux shell vulnerabilities, the two researchers stressed that it's a good example of how untrusted input can be used to execute commands on a system. The researchers identified at least one popular script with the vulnerability. When the script attempts to set the starting directory for system administration work, it inadvertently runs the command appended to the malicious directory's name as well. ... The solution is to use proper coding practices—in this case, the judicious use of quotation marks. Quotation marks are used in the shell environment to make sure that the data inside the quotes is not interpreted by the program as a command.

oblg xkcd

We call him Little Billy Tables.

Re:oblg xkcd

[michelcolman]

Actually, it's Bobby Tables

Re:oblg xkcd

Actually, it's Robert'); DROP TABLE Students;--
+++NO CARRIER

Re:oblg xkcd

That's his older brother.

Shellshock is way worse

Yeah, if you trick an administrator into running a script or program you can do all kinds of things.

On the other hand you can do much worse on Linux using Bash to remotely gain control to a system with no administrator action required.

Linux wins again.

2015 will be the year of Linux on the desktop because nobody trusts Linux servers.

Re:Shellshock is way worse

[binarylarry]

Ideally you weren't running Apache or Nginx as root.

Re:Shellshock is way worse

If you read the article (even the summary) you can see this isn't about tricking an admin into running a script. This is about a script already set to say, list a set of directories and do something per directory, but if a user names a directory FOO&BAR the script will interpret BAR as a command instead of input.

Re:Shellshock is way worse

[BronsCon]

On the other hand you could do much worse on Linux using Bash to remotely gain control to a system with no administrator action required.

... but it was patched in under a week. The sysadmins who haven't applied the patches (which didn't require a reboot, or even so much as reloading the shell after installation) are the same ones who run Windows boxes so far behind on patches they're still remotely exploitable, too. Hell, they probably run Apache on Cygwin on Windows and never patched that, making their Windows box vulnerable to Shellshock. That's possible because, guess what, Bash isn't Linux and, in fact, predates Linux; Bash runs on *every* OS. Yes, even the iPhone can run Bash if you jailbreak it.

For the record, Yahoo, running FreeBSD, was compromised via Shellshock. Apple's Darwin kernel, which both OSX and iOS run on top of, was forked from the very same kernel Yahoo's servers run, and yes, OSX Yosemite is still waiting for a patch for Heartbleed, which means I have to keep a large number of services I'd like to be running disabled for the time being. My Linux servers, though, were all patched within hours; when an alternate exploit was found, they were once again patched in hours. I'm not even sure the Windows POSIX layers have released patched builds yet, so at this point Windows systems are more vulnerable to this than anything other production system (Yodsemite is still in beta, remember); fortunately, I don't run a POSIX layer on my Windows dev box.

Re:Shellshock is way worse

[the_B0fh]

Reading's over rated if all OP wanted to do was rant and dump on Linux...

Re:Shellshock is way worse

[Toreo+asesino]

This "patched within hours" is a bit of a false economy if you need to test your apps aren't going to be negatively impacted. If you don't care or just want to live the dream then yeah, otherwise the real world is a bit more complicated than that. The fact the patch needed patching in itself suggest some testing will be needed if you care about top-to-bottom stability.

Re:Shellshock is way worse

For the record, Yahoo, running FreeBSD, was compromised via Shellshock.

When stating for the record, you should probably get it right. Yahoo's systems were _not_ compromised via the bash bug; they were compromised via some poorly written script that either was written in part as a shell script, or passed an unquoted header or query value to a subprocess, a la system(3) or popen(3). For the Record, FreeBSD does not use bash for /bin/sh.

Apple's Darwin kernel, which both OSX and iOS run on top of, was forked from the very same kernel Yahoo's servers run

Apple's Darwin kernel was not forked from FreeBSD. A quick web search could have told you that.

I'm not disagreeing with your point; only with the misinformation supplied as given in your validating arguments.

Re:Shellshock is way worse

if your programs rely on undocumented behavior they deserve to lose.

Re:Shellshock is way worse

[ReeceTarbert]

For the record, Yahoo, running FreeBSD, was compromised via Shellshock.

No, not really:

Earlier today, we reported that we isolated a handful of servers that were detected to have been impacted by a security flaw. After investigating the situation fully, it turns out that the servers were in fact not affected by Shellshock.

Also, are you sure that Yahoo is running FreeBSD on every server? I can't find anything more recent than this piece from 2011, but it would appear that 75% of Yahoo’s Web sites and services run on Linux".

RT.

Re: Shellshock is way worse

it is GNU BASH Shellshock that is the common component. There, fixed it for Mr Stallman.

Re:Shellshock is way worse

[BronsCon]

The patch didn't need patching, there were two separate exploits, one discovered during a decode review prompted by the other. There were actually 6 CVEs published about this, all of which can be found here. Might want to get your facts straight before you spout off.

If your applications are passing executable code as user-specifiable data that then gets passed as environment variables to a forked process that then spawns a system call eventually involving Bash, then you should be glad the patch broke it, as it just revealed a massive security vulnerability within your application. If you need that application to remain functional while you patch the issue, roll back to the previous version of Bash and work under the assumption that the gaping security hole that you're calling an application has already been compromised, because what it's doing is so much worse than Shellshock. More to the point, if your application were passing executable code or commands in this manner, the likely scenario is that you have some sort of command processor on the other end parsing and executing them; if you're exploiting Shellshock to accomplish this, you deserve prison time for gross negligence for A) incorporating the vulnerability into your application and B) not disclosing it so it could be patched.

At any rate, it's not a Linux issue, it's a Bash issue. Again, since Bash can run on *anything*, that makes it and "anything running Bash" issue, including your precious Windows in the majority of server environments, where a POSIX layer like Cygwin or MinGW (both of which include Bash) is likely to be in use.

Furthermore, simply having Bash installed does not make a system vulnerable; there has to be some service listening that passes unsanitized user-specified data as environment variables to a system call eventually handled by Bash. So surprisingly few competently written applications do this; GNU dhcpd was one, I'll give you that if you can give me another.

Re:Shellshock is way worse

[BronsCon]

Wow, did I really type "decode review". Shit. Well, you all know what I meant, anyway.

Re:Shellshock is way worse

Any decent Linux distro long ago moved from /bin/sh => bash to a real Bourne shell and was not vulnerable unless there was some script that used an explicit #!/bin/bash. Any other Unixy OS that was using /bin/sh => bash or explicitly had some #!/bin/bash hooked into a network service had the same problem - so its not a Linux thing.

You seem to be one that was possibly not using a decent Linux distro or OS.

Re:Shellshock is way worse

[BronsCon]

Thanks for the correction, I've been busy with product launches for the past 2 weeks so I haven't kept up.

Re:Shellshock is way worse

[dgatwood]

OSX Yosemite is still waiting for a patch for Heartbleed...

Before they can ship a patch, Apple would first have to ship an affected version of OpenSSL. For binary compatibility reasons, Apple never moved its OpenSSL libraries off of the 0.9.x branch. Currently, Yosemite ships with version 0.9.8za. The first version of OpenSSL affected by Heartbleed was 1.0.1.

...which means I have to keep a large number of services I'd like to be running disabled for the time being.

In other words, unless you installed an affected version of OpenSSL (in which case you will have to install an update yourself), it is safe to turn those services back on, and it always has been.

Re:Shellshock is way worse

[BronsCon]

I meant Shellshock, which you probably could have guessed from context. My bad.

Re:Shellshock is way worse

[BronsCon]

Yahoo's systems were _not_ compromised via the bash bug

This is what was being reported before I entered into two weeks of product launches that have kept me from following up. I'd thank you for the correction but you're a bit late with it, another poster already corrected me, and with much less snark.

FreeBSD does not use bash for /bin/sh

But that doesn't stop a sysadmin from changing that behavior, just as Unbuntu defaulting to Bash didn't stop me from swapping it our in favor of Dash. Just a matter of deleting the old binary and symlinking to the new one.

Apple's Darwin kernel was not forked from FreeBSD.

Oh, but it was! In fact, Darwin 7.0 (OSX 10.3) brought Darwin's BSD layer back in sync with FreeBSD 5. There was, indeed, a lot of reimplementation at the kernel level, and most of the userland tools had many parts rewritten as well, but your own source confirms what I have said. It confirmed it before I posted it originally, as well. In case that's not enough, here's another, and another, and, for good measure, one more, though that last one only mentions the use of BSD's userland components.

Re:Shellshock is way worse

[dgatwood]

Ah. They do have an update for that one. Apple didn't release the update through their normal Software Update mechanism because users aren't likely to be affected by it unless they're fairly advanced server users, but they did release a software update for it about two weeks ago. You can download it here.

Re:Shellshock is way worse

[sexconker]

If you read the article (even the summary) you can see this isn't about tricking an admin into running a script. This is about a script already set to say, list a set of directories and do something per directory, but if a user names a directory FOO&BAR the script will interpret BAR as a command instead of input.

If a normal user has read access to a maintenance script to know that this is possible, you've already failed.
If your maintenance script doesn't enclose paths and variables containing them with quotation marks, you've already failed.
There's a reason MS isn't going to patch it - the problem is in your scripts.

Re:Shellshock is way worse

[gweihir]

Fortunately, nobody in the industry listens to crackpots like you.

Re:Shellshock is way worse

[BronsCon]

Yosemite beta not listed, update refusing to install. Like I said.

Available for: OS X Lion v10.7.5, OS X Lion Server v10.7.5, OS X Mountain Lion v10.8.5, OS X Mavericks v10.9.5

Re:Shellshock is way worse

[BronsCon]

Heh, looks like they did push an update for Yosemite on the 30th, too bad it's incomplete: Still vulnerable to exploit 7 on this page.

Re:Shellshock is way worse

[MisterSquid]

So surprisingly few competently written applications do this; GNU dhcpd was one, I'll give you that if you can give me another.

A Leopard (Mac OS X v.10.5.8) web server (Apache) I admin was defaced a few days after the exploit was announced.

Totally my fault for not immediately securing BASH, but yeah, I'm pretty sure the cgi scripts authored by MovableType (3.x) make calls to /bin/sh.

I do consider MovableType to be competently written. The reality is that the Shellshock vulnerability was something no one was really thinking about and it took many admins and even highly technical groups of people by surprise.*

* Whatever you think of Yahoo! their engineers and admins are highly technical. Shellshock is just a very nasty bug.

Re:Shellshock is way worse

[BronsCon]

You would have had to build a patched Bash from scratch on that system to secure it, as Apple only released patches for 10.7-10.9. Even if you were running a more recent version of OSX, you'd still have had to build it yourself to patch it *in time*. I'm really disappointed in Apple's response to this.

I never said no competently written code was affected, just that examples are exceedingly rare. Moreso, Toreo asesino's example was an application breaking as a result of patching this vulnerability, which would seem to indicate that said application was exploiting the vulnerability in the first place; zero competently written applications do that.

Re:Shellshock is way worse

[maligor]

Oh, but it was! In fact, Darwin 7.0 (OSX 10.3) brought Darwin's BSD layer back in sync with FreeBSD 5. There was, indeed, a lot of reimplementation at the kernel level, and most of the userland tools had many parts rewritten as well, but your own source confirms what I have said. It confirmed it before I posted it originally, as well. In case that's not enough, here's another, and another, and, for good measure, one more, though that last one only mentions the use of BSD's userland components.

None of those sources say that Darwin was forked off of FreeBSD kernel. You must realize that a fork implies a shared root source tree, copying subsystems does not qualify as a fork. They do qualify as forks of the specific subsystems, but not the kernel.

That said, I've never been bothered to look at either FreeBSD or Darwin kernel sources, so for all I know FreeBSD might be based on AmigaOS.

Re:Shellshock is way worse

[BronsCon]

From the FreeDSB Wikipedia page:

Darwin, the core of Apple OS X, includes a virtual file system and network stack derived from the FreeBSD virtual file system and network stack

The network stack and VFS are kernel components. Other than that, though, you are correct, Darwin's kernel is XNU. But, wait a minute...

Originally developed by NeXT for the NeXTSTEP operating system, XNU was a hybrid kernel combining version 2.5 of the Mach kernel developed at Carnegie Mellon University with components from 4.3BSD and an Objective-C API for writing drivers called Driver Kit.

It seems that XNU is derived from BSD, alongside components from two other kernels.

After Apple acquired NeXT, the Mach component was upgraded to 3.0, the BSD components were upgraded with code from the FreeBSD project and the Driver Kit was replaced with a C++ API for writing drivers called I/O Kit.

Specifically, FreeBSD, after Apple took it over.

Re:Shellshock is way worse

[El_Oscuro]

Windows has its own version of shellshock in CMD.EXE C:\Usersl>set foo=bar^&ping -n 1 google.com
C:\Usersl>echo %foo%
bar

Pinging google.com [74.125.228.105] with 32 bytes of data:
Reply from 74.125.228.105: bytes=32 time=8ms TTL=250

Ping statistics for 74.125.228.105:
Packets: Sent = 1, Received = 1, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
Minimum = 8ms, Maximum = 8ms, Average = 8ms
C:\Users>
Unlike Linux, I don't think this has been patched.

Re:Shellshock is way worse

[BronsCon]

Holy shit if that's legit it's fucking amazing... booting my Win dev box now

Re:Shellshock is way worse

[BronsCon]

Hahahahahaha that's awesome! Now, does IIS pass headers along to CGI scripts the same way Apache does?

Re:Shellshock is way worse

Maybe you really meant double-ended code review? (think deque) Most code reviews result in the reviewers saying WTF after reading the code. Perhaps in your newly coined "decode review," the reviewers say WTF both before and after the review?

(_8(|) doh

Re:Shellshock is way worse

One difference between this and ShellShock is that CMD has been effectively deprecated in favor of PowerShell since about 2006. Bash and CMD are children of the same generation, but Bash is still hanging out on the street corner smoking Kools and giving hand jobs for $5 a pop.

Re:Shellshock is way worse

I need to be at the gym in 26 minutes...

Re:Shellshock is way worse

does IIS pass headers along to CGI scripts the same way Apache does?

Are you fucking kidding? You get them out of a collection that's a property on the request object. They aren't shat into arbitrary fucking shell environment variables, like someone's freshman year CompSci project. Grow up!

Re:Shellshock is way worse

[benjymouse]

does IIS pass headers along to CGI scripts the same way Apache does?

Are you fucking kidding? You get them out of a collection that's a property on the request object. They aren't shat into arbitrary fucking shell environment variables, like someone's freshman year CompSci project. Grow up!

I believe that it is the CGI specification that requires parameters to be passed as environment variables. So if you use CGI on IIS it should work the same way.

That would not trigger this issue, however, as it requires some script to expand the environment variable and it is not an automatic braindead expansion like in bash. The most common environment variables to be expanded %WINDIR%, %USERNAME% and the like. Not ever have I seen someone write %HTTP_USER_AGENT% or any other %HTTP_*% expansion. There's no systemic failure as with bash Shellshock.

But to be fair, it *does* look like an injection vector. Yes, GGP blatantly ignored that the claim I made was about PowerShell - not cmd.exe - but there seems to be an issue, and it just reinforces my point that shells (i.e. Windows shells included) that conflate text and instructions are error prone by default.

Re:Shellshock is way worse

[BronsCon]

I'm not seeing another post from you in this thread... What claim did you make? I think we're in agreement, though; by necessity, shells give you all kinds of ways to hang yourself, most of which are in o way obvious to an unseasoned user. That's just the price of the added power and control, and it comes with a responsibility to learn your tools and lear and afollow best practices when developing on or for an environment that makes use of a shell, whether you're using that shell directly or not. Best practices, like sanitizing your inputs, mitigate this on all platforms.

Re:Shellshock is way worse

Bash is still hanging out on the street corner smoking Kools and giving hand jobs for $5 a pop.

But, bash will fuck you up the arse for free!

Re: Shellshock is way worse

RHEL. I don't like it, but you might notice that it's in use by pretty much everyone who employs more than a couple of people.

News at 11

Vulnerable script written by incompetent administrator leads to privilege escalation exploit. News at 11.

Yawn

[Luckyo]

So if you can get admin to run a script, you can own a machine.

News at 11.

Seriously, this is slashdot. We know that if you have admin to get to run a script, you can own the machine.

Re:Yawn

[Munchr]

This reminds me of Raymond Chen's oft-used Hitchhiker's quote: "It rather involved being on the other side of this airtight hatchway."

Re:Yawn

[drolli]

Moreover, that missing quotation marks in scripted languages are a problem is basic knowledge.

Re:Yawn

[nmb3000]

While this article did kinda make me roll my eyes, it's not quite as simple as that.

The basic idea they're saying is that if a user can create a directory with an arbitrary name (which is normal for a file-server), and that later on an Admin runs a maintenance script which doesn't quote input correctly, arbitrary user commands can be executed with administrative permissions.

So user does:

D:\Users\b\bob123> md "Foo&evil_command"

Days, weeks, months later, an admin decides to run a cleanup/repoting batch file that was written in 1996:

D:\Users> C:\Scripts\cleanup.bat

If the script descends into the filesystem and somewhere in that script is the line: SET CurDir=%CD%, then the effective command SET CurDir=Foo&evil_command is executed.

The end result is that evil_command is invoked by the admin. If the admin is a domain admin and that command happened to be net localgroup "Domain Admins" domain\bob123 /domain, then bob has just been added to the Domain Admins group.

It's an absurdly tiny problem compared to the Bash shell exploit, but it is in fact a violation of security boundaries. Raymond's airtight hatchway stories are when no boundary has been crossed.

Re:Yawn

[complete+loony]

$ echo "" > "-rf"

$ rm *

It doesn't help that the default way the shell processes filenames through glob patterns and command line tab-completion can leave you vulnerable to these kinds of issues.

Problematic for Linux too

[jones_supa]

This is also the reason why I cringe when the backend of Linux distros is often woven together with shell scripts. You have to be super careful to write code with proper input validation, and all the related tools must retain their interfaces or you get weird "Invalid argument" type of breakage. Then there are things like Shellshock which immediately made the dhclient script vulnerable. It's all just too dangerous. And I didn't even begin to talk about the slow parsing of scripts and the forking overhead of every little process the script calls.

Re:Problematic for Linux too

[bruce_the_loon]

At least you can diagnose and fix issues with shell scripts with vi and a bit of knowledge. Try that with a binary blob that stores its data in a binary store.

Re:Problematic for Linux too

[phantomfive]

And I didn't even begin to talk about the slow parsing of scripts and the forking overhead of every little process the script calls.

Do you know how long it takes to fork a process? You clearly don't otherwise you wouldn't begin to mention it, let alone begin to talk about it.

Re:Problematic for Linux too

This is also the reason why I cringe when the backend of Linux distros is often woven together with shell scripts. You have to be super careful to write code with proper input validation, and all the related tools must retain their interfaces or you get weird "Invalid argument" type of breakage. Then there are things like Shellshock which immediately made the dhclient script vulnerable. It's all just too dangerous. And I didn't even begin to talk about the slow parsing of scripts and the forking overhead of every little process the script calls.

We just need to replace Linux in it's entirety with systemd, and then get rid of administrators entirely. Problem solved.
A well implemented OS shouldn't require any knowledge of proper administration, right? We can trust vendors to do that for us.

Re:Problematic for Linux too

[TechyImmigrant]

At least you can diagnose and fix issues with shell scripts with vi and a bit of knowledge. Try that with a binary blob that stores its data in a binary store.

Well with the source code of the binary blob, you could diagnose and fix issues with vi and a bit of knowledge.

Re:Problematic for Linux too

This comment wins.

Re:Problematic for Linux too

[Richy_T]

There are many interpreted languages for which this is also true. The problem is with the laxness of the shell scripting interpreters which have been stretched way beyond simple task automation. Though even the simple task automation has issues.

It's understandable, having to rm 'file.txt' seems like an imposition when it's clear you're talking about just file.txt but as soon as you start having ambiguities caused by things which have semantic meaning to the shell being allowed in file names, you open things up for screwiness. Interpolation (as useful as it is) also introduces similar issues.

Re:Problematic for Linux too

Do you know how long it takes to fork a process? You clearly don't otherwise you wouldn't begin to mention it, let alone begin to talk about it.

It takes so long that test/[ and arithmetic and I believe even "if" (would have to check old UNIX code) have steadily become built-ins instead of external commands.

Now, it depends what the script is doing, but ESPECIALLY with loops, you want built-in arithmetic and not have to shell out
to expr or bc or awk or what-have-you.

Yes, it does matter. So much so that UNIX shells have evolved away from processes (the UNIX way) and instead built-ins
are what all modern shell-scripting teachers advise unless you absolutely have to be portable to ancient systems where there may not be a modern shell with built-ins available (e.g. a configure script, config.guess, things of that nature)......even then,
you likely generate or meta-program the script from some pre-processor language, and people rarely write a shell script
on their own that is old-fashioned and uses external commands for everything.

Yes, it does matter, that is the modern state of shells, that built-ins are used for what used to be external commands.

Now, how much does it matter is another question, but empirical evidence shows that shells have steadily drifted AWAY from
external processes in favor of built-ins.

Re:Problematic for Linux too

[bruce_the_loon]

If you could point us to the source code of the Windows services manager engine, we'd appreciate it. :)

Quotes

[sqlrob]

Quotation marks are used in the shell environment to make sure that the data inside the quotes is not interpreted by the program as a command.

Except in the cases it triggers the exploit. IMHO, that's the newsworthy bit of this.

Not quoting causes issues is news along the same level as "water is wet". Trying to be secure and breaking things? That's big. At least it's not possible with filenames.

Re:Quotes

At least it's not possible with filenames.

Did someone actually verify that?
IIRC you could create filenames containing characters illegal in win32 through the POSIX subsystem (SFU/SUA/whateveritscalledthisyear) on a NTFS volume... wouldn't be all that surprised if that also included directories with "s in their name.

Re:Quotes

[sqlrob]

I wonder how many still have that subsystem, since it became optional. But then again, that's something that might reasonably be installed on a server. If I had it installed, I'd give it a try. .Net definitely fails on a normal system, I don't feel like fudging around enough to try NtCreateDirectory.

Re:Quotes

It's not illegal to have an ampersand in a filename anyway.

But I tested it myself - created a file called "balls & ping 127.0.0.1", and then tried to have a command misinterpret it:

for %x in (*) do echo %x

This did not trigger the bug. The description seemed to rely on environment variables (doing something daft like "set currentdir=%cd%" rather than just using pushd/popd).

Re:Quotes

news along the same level as "water is wet".

Or even:

        "Not quoting causes issues" is news along the same level as "water is wet."

Security 101

Running unsanitized input as shell commands as root may lead to compromised systems. News at 11.

Windows should never have allowed spaces...

... in filenames. They are and were fundamentally incompatible with DOS-based shells or anything derived from them.

Re:Windows should never have allowed spaces...

[sqlrob]

So? Same problem exists in bash and friends too. Heck, there's a version of iTunes on Mac that would wipe your drive if you had a space in the volume name.

Re:Windows should never have allowed spaces...

[tlhIngan]

Heck, there's a version of iTunes on Mac that would wipe your drive if you had a space in the volume name.

That seems like something that would've been caught early on - given the default volume name of most Macs is "Macintosh HD".

And one reason you have "Program Files" in Windows is just that - to break scripts and other tools who can't handle spaces. Likewise "Documents and Settings" (renamed Users since Vista).

Re:Windows should never have allowed spaces...

[VGPowerlord]

And one reason you have "Program Files" in Windows is just that - to break scripts and other tools who can't handle spaces. Likewise "Documents and Settings" (renamed Users since Vista).

Except that they appear as Progra~1 and Docume~1 to programs that don't support long filenames.

Very fitting

Not for nothing a large percentage of coders out there are incapable of discerning when to use "its" or "it's".

OMG, this is AWFUL!!!

[QuietLagoon]

If the admin runs a buggy script on a system, it is possible to jeopardise the integrity of that system!!!

.
I am shocked!! SHOCKED, I say!!!!!!

Have /. really sunk so low that hyped-up articles like the one quoted are now newsworthy?

10 year old story

Ditto. I heard it before, with relation to Win95/Me. Ha!

Linux shell vulnerabilities

[fisted]

I like how they call the bash vulnerabilities``Linux shell vulnerabilities''. Like that was somehow Linux' fault, or any other shell was affected.
0/10 wouldn't read again.

Disclaimer: I run a BSD and my bash sure as hell was affected.

DWP

[pigsycyberbully]

We placed a vacancy in the U.K., on the DWP/work "programme" system which was running Linux Ubuntu, which was set up to be used by clients just like a Internet cafe. Anyway out of curiosity I pushed Ctrl + Alt + F12 and then F10 which drop me to a terminal. I did a ( ls ) and I could see there was a program available called "setup" I run the program setup it said it was running but nothing happened so I tried it again and pushed Ctrl + Alt + F1 to quickly popped back into the desktop "Unity" and the setup program suddenly started running with many options it asked me did I want to use a password or a key for SSH so I selected the option no password no key and opened it up to the Internet? It also had the option to put a password in for when the system is rebooted so I put in a password. Which means they will have to put in a password for network? I forgot to tell anybody the password. For placing a vacancy I had to pay for each word I typed! totally ridiculous. Anyway what is this setup program?

Slashdot just jumped the shark.

I've seen some stupid Windows-bashing shit on /. through the years, but this takes the cake. Congratulations timothy, you've proven beyond a doubt that you're a moron.

Eats, shoots and leaves.

[fahrbot-bot]

Misplaced punctuation can cause trouble. From: Eats, shoots and leaves:

A panda walks into a café. He orders a sandwich, eats it, then draws a gun and proceeds to fire it at the other patrons.

"Why?" asks the confused, surviving waiter amidst the carnage, as the panda makes towards the exit. The panda produces a badly punctuated wildlife manual and tosses it over his shoulder.

"Well, I'm a panda," he says. "Look it up."

The waiter turns to the relevant entry in the manual and, sure enough, finds an explanation. "Panda. Large black-and-white bear-like mammal, native to China. Eats, shoots and leaves."

Assumptions

[93+Escort+Wagon]

The solution is to use proper coding practices—in this case, the judicious use of quotation marks. Quotation marks are used in the shell environment to make sure that the data inside the quotes is not interpreted by the program as a command.

The solution is to never make assumptions about input that's being provided by an unknown user. It doesn't matter if we're talking about shellshock, or sql back ends, or powershell scripts - you simply can't assume your users are all good hearted and/or competent.

By the way, given they likely only went looking for similar Windows related bugs after shellshock became known - this vulnerability was a pretty good catch.

Re:Assumptions

[i.r.id10t]

Never trust any user or environment supplied stuff, always validate everything.

Signed,

Little Bobby Tables

How Poor Punctuation Can Break Windows ..

This is slashdot.
BUT, my first thought went to that wkward moment last spring, saying to my neighbor
"Hey! Is our new psycho, the rapist, your daughter?"
I wanted to say psychotherapist, but my punctuation was poor.
So was the glass on my windows. We still have that granite-cube-paved walkway.

print0

[benjymouse]

It is the exact same type of vulnerability that have existed in other weakly-typed shells since their inception. This is the reason why you should use -print0 with find before passing it to any other program: If you do not you risk that the filename is an injection attack.

The culprit is the idea that a shell is just some form of text interpreter that will interpret anything that is text. There is no semantic separation of "text" and "executable".

Unfortunately, this "code is just text" has become so entrenched in shell scripting that it is vulnerabilities waiting to happen. Process substitution, subshells etc all rely on this very property.

At least with PowerShell there is no such stupidity. In PowerShell you have to indicate specifically each time you want text interpreted and executed. PowerShell script block is a separate type (actually, a lambda) from text, integers, dates, decimals etc. The ease of how you pass executable content (script blocks) even over the network removes most reasons to interpret text as executable commands.

Re:print0

No such stupidity? http://it.slashdot.org/comment...

And god knows how many others there are in that proprietary heap of dung.

Re:print0

At least with PowerShell there is no such stupidity.

Windows has its own version of shellshock in CMD.EXE

I didn't know cmd.exe was the same as powershell.

Re:print0

I call BS moron:
PS D:\users\scripts\Powershell> set foo=bar^&ping -n 1 google.com
At line:1 char:13
+ set foo=bar^&ping -n 1 google.com
+ ~
The ampersand (&) character is not allowed. The & operator is reserved for future use; wrap an ampersand in double quotation mar
("&") to pass it as part of a string.
        + CategoryInfo : ParserError: (:) [], ParentContainsErrorRecordException
        + FullyQualifiedErrorId : AmpersandNotAllowed

Not in command.com

Cmd.exe is vulnerable, but command.com is not. Looks like a regression.

In the end, you can't keep users from doing harm.

It all boils down to the simple fact that as long as there are users, it will be possible to gain unauthorized access to any system. They can keep trying to make changes that prevent this kind of thing from happening, but even duct tape can't fix stupid. If it weren't for users, I wouldn't have a job.

That's actually very old...

[Casandro]

... and the reason why on other operating systems you have to escape spaces every time. This way you cannot have the ambiguity if you mean a path with a space, or a program and then a parameter.

That's not a solution

[jbmartin6]

The solution is to use proper coding practices

This approach is partly why breaches continue to happen. Imagining that somehow many thousands of coders will always do things right over many thousands of projects is the stuff dreams are made of. An actual effective solution would be to provide an environment where the application coder can't screw it up.

Separation of Code and Data

Yes, the problem is that shell scripts are just bad. Most compiled languages go out of their way to separate code and data, so as to avoid having data that is executed. The one exception to this is stack space which the CPU uses for code (namely the return address of function calls) and yet languages insist on also storing data there, which then leads to the common buffer overflow exploit. Aside from that, they're pretty good about putting code in code segments and data in non-executable segments. The only real failing there is that, despite non-executable stack segments, CPUs effective execute them anyway when they allow data in the stack segment to tell the CPU which code to execute next.

Shell scripts, on the other hand, try to mix up code and data as much as possible. Like in your example, obviously the "*" is meant to tell the shell to give the "rm" command some data (a bunch of file names), but that data will happily be interpreted as commands. Not only should it be quoting the file names and specifying them as pathnames (either beginning with "/" or "./") but the "rm" command and everything else should be complaining when it receives unquoted file names since file names are data yet they were input as if they were code. ...and of course, the individual commands never even see the quotation marks and so they couldn't complain about such things if they wanted to.

Shell scripts really are a good example of how not to design a safe programming language. Hell, even to this day, every time I type "mv this_file that_file some_folder" I'm nervous as fuck between typing "that_file" and "some_folder" that I might accidentally hit the enter key, especially if the folder name starts with a capital letter, as it'll erase "that_file" when it overwrites it with "this_file." The destination really should come first in order to prevent such accidents, but people can't seem to wrap their heads around "destination first" even though they do it that way every time they type "a = b + c."

Hilarious

[Toreo+asesino]

I love the fact you try to equate Windows and Linux for this epic bug as if they're both as vulnerable. Really, it's hilarious. Technically you're right but we both know absolutely nobody except *NIX fans run bash on Windows. Ok maybe a bit more but still, your attempts to divert negative PR gave me quite the chuckle.

Re: Hilarious

[BronsCon]

Am I attempting to divert negative PR, or am I simply stating facts? Did I say bithe are equally vulnerable, or are you making shit up in an attempt to discredit me?

I don't have a dog in this race, I use Windows, OSX, and Linux in roughly equal proportions. More people run POSIX layers on their Windows servers than you likely realize; in the hosting world, you give your users what they want, and users want to run that prewritten PHP script that relies on some UNIX userland element that Windows doesn't provide, and some subset want to run it on Windows. Hosts offering a Windows solution often install MSYS/MinGW by default to cut down on support calls for rhese scenarios, so the incidence of it being installed will naturally be higher than the incidence of it being necessary.

Also... give this a try on your Windows machine:
C:\Usersl>set foo=bar^&ping -n 1 google.com
C:\Usersl>echo %foo%

Seems as though you don't need Bash for Windows to be vulnerable, after all. C U Next (patch) Tuesday.

Re: Hilarious

Uh PowerShell has been the scripting language of choice on Windows for almost a decade. No one writes shell scripts with CMD (which came out at the same time as bash) which is why they made PowerShell in the first place.

Cygwin? Do they even still update that anymore? I wouldn't know because again I've never seen a production Windows server use it in almost a decade. PHP runs native in IIS and most mature scripts no longer require UNIX userland anything. Hell, even script kiddies use PHP scripts that work in both *NIX and Windows environments because they can't depend on bash ever being there. In the hosting world, if you need Linux elements you just use a VM like everyone else has since 2005. I think you're servers or hosting providers are just outdated.

Re: Hilarious

[Toreo+asesino]

CMD is a skin-deep DOS emulator used by approximately zero applications these days, unlike say Apache & bash. So again, you attempts to equate risks here really seem desperate and again, most amusing.

Also if I'm not mistaken POSIX in Windows has been depreciated for a while, albeit still possible to install. Welcome to the crazy world of PowerShell my friend!

Keep flogging that dead horse though - surely it's got some life it in yet! You're right; ShellShock really is as bad a ball-ache in Windows as *nix, no really!

Re: Hilarious

[BronsCon]

I'll repeat the question (and correct a typo; thanks, autocorrect):

Did I say both are equally vulnerable, or are you making shit up in an attempt to discredit me?

Of course, I'm repeating this in response to this bit of snark:

You're right; ShellShock really is as bad a ball-ache in Windows as *nix, no really!

It was originally said in response to this bullshit:

I love the fact you try to equate Windows and Linux for this epic bug as if they're both as vulnerable.

In case you missed the question the first two times, here it is again:

Did I say both are equally vulnerable, or are you making shit up in an attempt to discredit me?

And, in case you decide to say something along the lines of "Yes, you said both are equally vulnerable" I might ask that you quote me.

PROTIP: You won't be able to, because I never said it. If you want to win an argument with me, you have to attack what I'm actually saying; the minute you start attacking what you say I said, you've already lost. You're attacking your own words, not mine. Game. Set. Match.

Re: Hilarious

[BronsCon]

You are correct, Cygwin hasn't seen an update since December 2009. However, I said MinGW, which has been updated a bit more recently. Please don't make assumptions about what I run and how I administer my systems based on my stated observations of the *rest* of the industry; you'll note that I said, and I quote:

I use Windows, OSX, and Linux in roughly equal proportions

Which probably means I use Windows where I need Windows and I use Linux where I need Linux; OSX is my desktop of choice at the moment, though that is subject to change, as it has changed a number of times over the past 20 years. That doesn't change the fact that I see a fair number of shared hosting providers (of which I am not one) running MinGW on Windows as a means to reduce the incidence of having to tell a customer who insists on using Windows they have to switch to Linux hosting to do what they want. I'm not saying this is the correct way that the user should be running their site, just that yes, less administratively-inclined users sometime make ridiculous demands that you, as a business owner, must bend over and cater to if you want their money. If you simply tell them "You have to move to Linux hosting if you want to do that", they'll tell you when you can deactivate their account after they find a host who'll make it work on Windows. That's how the shared hosting market currently works; there are a million providers and, no matter how ridiculous one's requirements, at least thousands of those millions will cater to those needs without a second though as long as the bill is getting paid.

My best friend got tired of it and sold his hosting company last year, after a very successful 13 year run. As a customer of his (who did not make such ridiculous demands; rather, I opted for Linux hosting, as that's what I needed) for several years, I volunteered my time in his support chat (a few hours a week, whenever I was bored, usually while BSing with him in the evenings) and fielded quite a number of these ridiculous requests (anything at that level of ridicule was beyond my power, as a volunteer, to handle and was forwarded to him) so I can tell you first hand, the idiots who want to do something like this are not only out there, they're plentiful.

Re: Hilarious

[Toreo+asesino]

Oh alright, here you go then:

...since Bash can run on *anything*, that makes it and "anything running Bash" issue, including your precious Windows...

So..."Did I say both are equally vulnerable" - why yes; yes you did!

Then there was the whole "look, cmd.exe can't parse stuff either correctly" - that's also kinda along the same "lol Windows is just as bad" lines.

And we both know ShellShock is a particularly epic *nix only issue, really, even if technicaly....possibly it could be bad on Windows too....well not really. Get over it; it happens. Just this time Windows comes out on top. Your defensiveness and keenness at mitigating culpability serves only to make the issue look worse than it is, aside from being highly amusing.

Re: Hilarious

[BronsCon]

...since Bash can run on *anything*, that makes it and "anything running Bash" issue, including your precious Windows...

Well, yes, I stated the fact that anything running Bash is vulnerable; I never denied that. Where, dear sir, did I state that they were equally vulnerable? We're back to "you can't quote it because I never said it", despite what you claim.

Shellshock is a fixed issue on 'nix systems, for anyone keeping their system up to date. Well, except for OSX Yosemite beta testers, for whom an incomplete patch was released on 9-30; still vulnerable to one of seven known exploits. Windows systems that are vulnerable, no matter how few those might be (MinGW has over a half million weekly downloads, so I would still posit that the number is higher than you admit), remain vulnerable as MinGW hasn't seen an update in nearly a year and Cygwin in almost 5.

I'm not ragging on Windows here; like I said, it's a platform I make use of fairly consistently. I'm just saying, while Shellshock was a doozey of a bug, in the end it cost me maybe an hour of my life to patch well more than a handful of systems and it's done; were I running a POSIX layer on my Windows machines, however, that would not be the case; and, with over a half million weekly downloads of one of the most popular Windows POSIX layers, I'm thinking it's not safe to assume it's a non-issue for Windows servers.

Clearly, we're going to have to agree to disagree on this point, but the facts are as I've stated.

Regarding the CMD example, heres my source for that; fuck me for sharing it, right? Google "PowerShell command injection" and realize that every shell is vulnerable in one way or another; in fact, check out "PowerShell remote exploit" and realize that some of these flaws still exist in the wild.

Nothing's perfect, but I do have to stand by a system that gets patches out quickly; assuming your point about testing patches before deployment stands (and in most cases, it does; in this case, any application broken by the patch was broken to begin with), Bash users had a patch to test against within hours. Do you not test Microsoft's patches before you apply them? You know, weeks or months after the vulnerability is disclosed publicly.

at least bash will never execute variables...

[Gunstick]

...except for shellshock.
that's a bug and got fixed.
prove me wrong.
and not with the classic file '-rf' as that's not executing but just plain parameter passing (which really should get fixed to be less likely to break stuff, i.e. fix GNU getopt)