Slashdot Mirror


Vulnerabilities Found (and Sought) In More Command-Line Tools

itwbennett writes The critical Shellshock vulnerabilities found last month in the Bash Unix shell have motivated security researchers to search for similar flaws in old, but widely used, command-line utilities. Two remote command execution vulnerabilities were patched this week in the popular wget download agent and tnftp client for Unix-like systems [also mentioned here]. This comes after a remote code execution vulnerability was found last week in a library used by strings, objdump, readelf and other command-line tools.

87 comments

  1. great news by Anonymous Coward · · Score: 5, Interesting

    hopefully any remaining bugs will be found and we end up with better products

    1. Re:great news by jones_supa · · Score: 2

      Agreed. Quality assurance is what open source sorely needs, and I'm glad that more focus is assigned to that area.

  2. what happened to obscurity by ozduo · · Score: 1, Interesting

    Linux is getting too popular and too targeted!

    --
    I got to the chocolate box before you, that's why the hard ones have teeth marks.
    1. Re:what happened to obscurity by Zero__Kelvin · · Score: 4, Informative

      In Open Source vernacular, we call that becoming more and more secure :-)

      --
      Guns don't kill people; Physics kills people! - John Lithgow as Dick Solomon on Third Rock From The Sun
    2. Re:what happened to obscurity by Zero__Kelvin · · Score: 2

      Non-sequitur much?

      --
      Guns don't kill people; Physics kills people! - John Lithgow as Dick Solomon on Third Rock From The Sun
    3. Re:what happened to obscurity by jedidiah · · Score: 2

      When there is real malware out in the wild causing millions of systems to be breached, then Linux will be "as secure as Windows". Until then, it's just ranting of trolls repeating well refuted ideas and conflating everyone else's mere bugs with actual malware.

      --
      A Pirate and a Puritan look the same on a balance sheet.
    4. Re:what happened to obscurity by lgw · · Score: 1

      Well, if you call patching vulnerabilities "becoming more secure", then Windows must be "Over 9000!" secure by now.

      --
      Socialism: a lie told by totalitarians and believed by fools.
    5. Re:what happened to obscurity by recoiledsnake · · Score: 1

      Most malware on Windows comes from legitimately installed programs rather than exploits. E.g. Windows RT, Windows Phone and Xbox have ~zero malware, compared to Android which has a lot of malware. It's a combination of how popular the OS is, plus if it allows non-store apps to be installed.

      --
      This space for rent.
    6. Re:what happened to obscurity by Anonymous Coward · · Score: 0

      Windows Phone and Xbox have ~zero malware

      WP store is full of scumware, proportionately far more so than the Android Play store.

    7. Re:what happened to obscurity by Anonymous Coward · · Score: 1

      These tools have nothing to do with Linux. If you run cygwin, you'll have the same issues.

    8. Re:what happened to obscurity by BronsCon · · Score: 1

      Don't bother, I posted the same fact on the Shellshock threads and got smacked down for it. Let them remain blissfully ignorant.

      --
      APK quotes people (including myself) without context and should not be trusted. Just thought you should know.
    9. Re:what happened to obscurity by coolsnowmen · · Score: 1

      Troll? I just thought it was funny. Obviously any coder knows that number of commits/patches doesn't necessarily make software better or worse...

  3. tnftp by Anonymous Coward · · Score: 5, Informative

    From one of the referenced articles:

    Tnftp is a cross-platform port of the original BSD FTP client. It is the default FTP client in NetBSD, FreeBSD, DragonFly BSD and Mac OS X, but it is also available in many Linux distributions.

    The tnftp package shipped with OpenBSD is not vulnerable due to some changes made to the code some time ago

    It's almost like the OpenBSD team knows what they're doing when it comes to security.

    1. Re:tnftp by MrBingoBoingo · · Score: 4, Insightful

      Well the difference is... reading, and reading is nothing if not for rereading. A billion, thousand, or even three eyes mean nothing if they're aimed at cat videos. Instead of reinventing every API to keep it fresh a la the GNOME model, to get actual tools you have to instead make sure what you're already working with... works.

    2. Re:tnftp by Anonymous Coward · · Score: 0

      And they couldn't have posted their changes back to the upstream project because ...?

  4. Laziness by Anonymous Coward · · Score: 1

    So how many of these come down to simple laziness when the code was originally written and how many are simply a post-creation artefact caused by the host system being updated with newer technologies?

    captcha:apiaries

  5. Am I paranoid? by BlackPignouf · · Score: 4, Interesting

    I don't know if I'm being paranoid, but I'm pretty sure there are backdoors in every major open source project: gcc, the linux kernel, ssh, gpg and bash to name a few.
    They've been either actively introduced by NSA/FSB/... or found and jealously kept secrets.
    It's not like recent history has proven this theory wrong. :-/

    1. Re:Am I paranoid? by Anonymous Coward · · Score: 4, Insightful

      It's not like your "theory" is falsifiable, either.

    2. Re:Am I paranoid? by MrBingoBoingo · · Score: 2

      Well the way this probably works is they submit patches to be helpful. They encourage work on certain things to distract from things they already know are vulnerable. Bash had that bad behavior at a time when some people may have lobbied for it as a feature. On the other hand you have outright turds like OpenSSL which are developed by people who just slap shit in and avoid starvation by consulting for the Feds. The only solution is more people reading old code.

    3. Re:Am I paranoid? by anagama · · Score: 1

      That's annoying. If we can't prove a piece of software is backdoor free, how can we justify trusting it with important information (medical records, financial records, legal records, secret recipes, etc. etc.)?

      --
      What changed under Obama? Nothing Good
    4. Re:Am I paranoid? by Anonymous Coward · · Score: 0

      I think the GP meant that it's not really possible to distinguish between honest security bugs and security bugs that the NSA/etc. has secretly inserted or found and not fixed.

    5. Re:Am I paranoid? by Anonymous Coward · · Score: 0

      There's no reason to risk inserting backdoors while there's still plenty of bugs to exploit. Plus, you only need to backdoor the compiler and let it compromise everything it builds. We should have moved on to better programming languages years ago, ones that were designed with security in mind (are there any?).

    6. Re:Am I paranoid? by Anonymous Coward · · Score: 0

      Well sparky, the source is available. Go ahead, read through it, and tell us where they are. Closed software is compiled and hellish to find back doors in. Open software might be hellish to read, but at least you can read it. Oh, and if you can't read it because you don't know how, at least you can hire someone to read it for you, and have it audited by all and sundry. It can be pen-tested by all and sundry too. This is how we found out about the bash bug. It's not perfect security (I've studied cryptography in university and have worked for government 3-letter agencies), there is no such thing as perfect security. I remember telling a security officer "The lockable filing cabinets look old, they don't look like they would keep anyone out for very long", and he replied "It's not about hours. First they have to get past the 6 foot high fence with the barbed wire, then the security guards with the guns (not side arms but rifles). Then they have to get past the inside security (more guards with guns and bulletproof glass). Then through the key-card elevators, then the locked solid wood doors (oh and cameras everywhere with more security at hand), and finally the oldish looking locked filing cabinets. And then out through all of that. And the whole building like a Faraday Cage. And no windows except for the frosted glass windows in the hallways with the wire over it.

    7. Re:Am I paranoid? by chgros · · Score: 1

      In case you're not feeling paranoid enough yet:
      Reflections on Trusting Trust

    8. Re:Am I paranoid? by Anonymous Coward · · Score: 0

      Let me write that down, barbed wire...security guards...wooden doors... thanks for publicly revealing the security plan of your company!

    9. Re:Am I paranoid? by TheRaven64 · · Score: 2

      I doubt that they're inserted intentionally. If you insert an intentional backdoor, then there's a chance that it can be traced back to you. Pretty much any nontrivial program contains bugs, and if the program is written in C then a good fraction of those are exploitable. If you've got the resources to insert intentional vulnerabilities into open source code, then you've got the resources for the lower-risk strategy of auditing and fuzzing the code to finding some existing ones to exploit.

      --
      I am TheRaven on Soylent News
    10. Re:Am I paranoid? by tlhIngan · · Score: 2

      I don't know if I'm being paranoid, but I'm pretty sure there are backdoors in every major open source project: gcc, the linux kernel, ssh, gpg and bash to name a few.
      They've been either actively introduced by NSA/FSB/... or found and jealously kept secrets.
      It's not like recent history has proven this theory wrong. :-/

      Except that shellshock dates to 1989. That's when the "feature" to export functions was added to bash per commit logs. And that predates Linux 0.1 by a couple of years, so your FBI/NSA/etc would have to have extreme foresight to believe that some piece of software would suddenly be popular, aided by an unknown barely-functional OS released a couple of years later, etc., etc., etc.

      And if you're paranoid, use OpenBSD, where every line of code has been audited.

  6. Re:This is why Mac is superior! by vux984 · · Score: 2

    Ok... clearly sarcasm, and you clearly realize Macs aren't impervious to this and are making fun of people who believe Macs are immune... but I can't decide whether or not you realize this particular vulnerability actually does affect OS X.

  7. Summary Incorrect by Anonymous Coward · · Score: 1

    Wget did not have two remote command execution vulnerabilities. It had one vulnerability, which allowed a malicious FTP server (but not an HTTP server) to overwrite any file the calling user could write. This is not necessarily a remote command execution vulnerability, since many users can't write to any directories in their $PATH.

    1. Re:Summary Incorrect by Anonymous Coward · · Score: 3, Informative

      But they can write to ~/.bash_profile and equiv to add ~/.../evilbin/ to their path on next login (and ping a C&C, add an ssh key to authorized hosts, etc.)

    2. Re:Summary Incorrect by Anonymous Coward · · Score: 0

      Seems like the big problem is to get someone to connect to a malicious server with wget.
      It is mainly used in scripts and connects to trusted servers only.
      If you can compromise the DNS server I guess you can redirect some accessed host to a malicious server, but isn't there a lot of neater stuff you can do then?
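The file-overwrite issue discussed in this thread (a server the client connects to choosing names that land outside the download directory), as an added example that is not wget's code nor from any poster: a containment check a download tool or wrapper script can apply before writing a server-supplied name into the destination directory. The temp-directory layout, the fake home directory and the symlink names are constructed for the demo.

```python
"""Containment check for server-supplied file names before they are written
into a download directory (added example; not wget's own code)."""
import os
import tempfile


def safe_write(dest_root: str, relative_name: str, data: bytes) -> bool:
    """Write data to relative_name under dest_root only if the final target
    cannot land outside dest_root. Returns True on success, False if refused."""
    root = os.path.realpath(dest_root)
    if os.path.isabs(relative_name) or "\x00" in relative_name:
        return False
    full = os.path.join(root, os.path.normpath(relative_name))
    # Resolve the parent directory (this follows symlinked directories such as
    # "updir -> ../home") and require it to stay inside the destination root.
    parent = os.path.realpath(os.path.dirname(full))
    if parent != root and not parent.startswith(root + os.sep):
        return False
    path = os.path.join(parent, os.path.basename(full))
    # O_NOFOLLOW refuses to write through a symlink at the final component, so
    # a server-supplied "link -> ../home/.bash_profile" is rejected even if the
    # link appeared after the parent check above (no race on the last step).
    try:
        os.makedirs(parent, exist_ok=True)
        fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_TRUNC | os.O_NOFOLLOW, 0o644)
    except OSError:
        return False
    with os.fdopen(fd, "wb") as fh:
        fh.write(data)
    return True


def naive_write(dest_root: str, relative_name: str, data: bytes) -> None:
    """The unchecked pattern: trust the name, join, open. Shown for contrast."""
    with open(os.path.join(dest_root, relative_name), "wb") as fh:
        fh.write(data)


def demo() -> dict:
    """Constructed layout in a temp dir: a fake home directory holding a
    .bash_profile next to the download directory, plus two symlinks inside the
    download directory standing in for entries a hostile listing could cause."""
    base = tempfile.mkdtemp()
    home = os.path.join(base, "home")
    dest = os.path.join(base, "downloads")
    os.makedirs(home)
    os.makedirs(dest)
    profile = os.path.join(home, ".bash_profile")
    with open(profile, "w") as fh:
        fh.write("original\n")
    os.symlink(os.path.join("..", "home", ".bash_profile"), os.path.join(dest, "link"))
    os.symlink(os.path.join("..", "home"), os.path.join(dest, "updir"))

    results = {}
    results["plain"] = safe_write(dest, "docs/readme.txt", b"ok")          # allowed
    results["link"] = safe_write(dest, "link", b"evil")                     # refused
    results["updir"] = safe_write(dest, "updir/.bash_profile", b"evil")     # refused
    results["dotdot"] = safe_write(dest, "../home/.bash_profile", b"evil")  # refused
    results["absolute"] = safe_write(dest, profile, b"evil")                # refused
    with open(profile) as fh:
        results["profile_after_safe"] = fh.read()
    # The unchecked version follows the link and clobbers the file outside dest.
    naive_write(dest, "link", b"evil\n")
    with open(profile) as fh:
        results["profile_after_naive"] = fh.read()
    return results


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value!r}")
```

The parent-directory check still has a small window between realpath and open for symlinked directories; a tool that needs to close it should open the directory first and use openat-style calls relative to that descriptor.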

  8. For all the idiots by mcrbids · · Score: 5, Insightful

    ... to the masses of sarcastic "I thought Open Source was more secure!" crowd: in an Open Source forum, when vulnerabilities are found, they are patched. Since it's a public forum, the vulnerabilities are disclosed, and patches / updates made available. The poor, sorry state of the first cut gets rapidly and openly improved.

    With closed source, the vulnerabilities merely stay hidden and undisclosed, and you have no ability to know about it, or fix it yourself. The poor, sorry state of the first cut never improves. Yes, there are some cultures that take security seriously. You have no way of knowing.

    This, right here, is what "more secure" looks like: public notification of the vulnerabilities and patches to distribute.

    --
    I have no problem with your religion until you decide it's reason to deprive others of the truth.
    1. Re:For all the idiots by Anonymous Coward · · Score: 0, Insightful

      I'm sure glad that open source software is the only software that ever releases security updates and hotfixes in a timely and monthly manner.

    2. Re:For all the idiots by chipschap · · Score: 4, Insightful

      Here we go again, more "proof" for the "see I told you Windows is better" crowd.

    3. Re:For all the idiots by quantaman · · Score: 2

      ... to the masses of sarcastic "I thought Open Source was more secure!" crowd: in an Open Source forum, when vulnerabilities are found, they are patched. Since it's a public forum, the vulnerabilities are disclosed, and patches / updates made available. The poor, sorry state of the first cut gets rapidly and openly improved.

      With closed source, the vulnerabilities merely stay hidden and undisclosed, and you have no ability to know about it, or fix it yourself. The poor, sorry state of the first cut never improves. Yes, there are some cultures that take security seriously. You have no way of knowing.

      This, right here, is what "more secure" looks like: public notification of the vulnerabilities and patches to distribute.

      The disclosure and fixing is definitely a good thing, but the number of vulnerabilities and the ease with which people are finding them is worrying.

      I don't think that this really disproves Linus's Law, "given enough eyeballs, all bugs are shallow". More likely I suspect that the eyeballs aren't as numerous or well distributed as we think. There's a lot of tools that have been around a really long time and may not have undergone rigorous review when they were written. Even if maintenance is fairly active (the wget changelog is pretty healthy) these are decent sized code bases and there's going to be a lot of places where bugs can hide for a very long time.

      The place where proprietary software companies like Windows have an advantage here is they can afford to pay people to do the thankless task of auditing old code. But with Linux most contributors, be they individuals or companies, are primarily concerned with their own projects. They simply don't have the same incentive to start auditing the whole ecosystem looking for random old bugs.

      --
      I stole this Sig
    4. Re:For all the idiots by Threni · · Score: 1

      Having said that, are we going to discover in a year or two's time, that for the last 20 years the NSA (and other bodies) have contributed code to every single open source project out there, and that no-one's actually bothered to check? (You need time, motivation, skills (if you're going to find anything that's not totally obviously written) etc)

    5. Re:For all the idiots by Zero__Kelvin · · Score: 2

      That is correct. In the world of the big boys we release updates on a moment by moment basis, thereby avoiding as much as a month's delay for no good reason. :-)

      --
      Guns don't kill people; Physics kills people! - John Lithgow as Dick Solomon on Third Rock From The Sun
    6. Re:For all the idiots by Hydrated+Wombat · · Score: 3, Insightful

      I would interpret the AC as not being sarcastic. Updating on any open source operating system has been much, much easier and much more timely than any part of Windows for me, but that's just my experience. Not to say that everything is easier in Linux, but updates have always been timely, and it doesn't flip out and use all my RAM. Bash auto-updated before the Slashdot story hit my newsfeed.

    7. Re:For all the idiots by Zero__Kelvin · · Score: 1

      "But with Linux most contributors, be they individuals or companies, are primarily concerned with their own projects."

      Your definition of contributor is skewed. A FOSS contributor may do so in many ways. Clearly a project lead for a major project isn't going to contribute further by analyzing the ecosystem; their plate is full. There are others, also known as contributors, who do this. Other contributors administer project websites or write documentation. There is a whole wide array of types of contributors.

      That being said, clearly there are more developers than people doing security audits, and it would be nice to see more contributors in all the other categories, actually.

      --
      Guns don't kill people; Physics kills people! - John Lithgow as Dick Solomon on Third Rock From The Sun
    8. Re:For all the idiots by Zero__Kelvin · · Score: 1

      Somebody should invent commit logs!

      --
      Guns don't kill people; Physics kills people! - John Lithgow as Dick Solomon on Third Rock From The Sun
    9. Re:For all the idiots by quantaman · · Score: 3, Insightful

      "But with Linux most contributors, be they individuals or companies, are primarily concerned with their own projects."

      Your definition of contributor is skewed. A FOSS contributor may do so in many ways. Clearly a project lead for a major project isn't going to contribute further by analyzing the ecosystem; their plate is full. There are others, also known as contributors, who do this. Other contributors administer project websites or write documentation. There is a whole wide array of types of contributors.

      That being said, clearly there are more developers than people doing security audits, and it would be nice to see more contributors in all the other categories, actually.

      My definition of contributor didn't exclude non-coders. The point was that most contributors, except for a few individuals, are contributing with a specific goal or direction in mind. Implement feature X, support customer Y, make nicer docs, make a nicer build, etc. All of those tasks have a nice tangible outcome that is good for motivating people.

      Auditing old code for potential security vulnerabilities is hard work, it isn't fun, and it's unlikely to scratch a particular itch. Those kind of problems aren't a strength of the open source model.

      --
      I stole this Sig
    10. Re:For all the idiots by Zero__Kelvin · · Score: 2

      There is no old code; only old auditors :-)

      I can assure you, when I analyze any hardware/software system I don't in any manner, way, shape or form categorize anything, or base any decision on the age of, any subsystem.

      I doubt I'm the only competent analyst.

      --
      Guns don't kill people; Physics kills people! - John Lithgow as Dick Solomon on Third Rock From The Sun
    11. Re:For all the idiots by Threni · · Score: 1

      You think they'd hide something nasty then explain what they'd done in black and white?

    12. Re:For all the idiots by Zero__Kelvin · · Score: 2

      No. I think I understand how to interpret a commit log. If the commit was from a trusted source, ignore it. You have just narrowed down your search by at least 2 orders of magnitude. If you have a suspected committer, scrutinize them. Commit logs go a very long way to taking your "OMFG, how will anyone analyze every change!" to a pleasant rejoicing song of: "Hey, it turns out we only have to review a very small subset!"

      --
      Guns don't kill people; Physics kills people! - John Lithgow as Dick Solomon on Third Rock From The Sun
    13. Re:For all the idiots by quantaman · · Score: 2

      There is no old code; only old auditors :-)

      I can assure you, when I analyze any hardware/software system I don't in any manner, way, shape or form categorize anything, or base any decision on the age of, any subsystem.

      I doubt I'm the only competent analyst.

      I'm not saying competent analysts can find these bugs. What I'm suggesting is that they don't have a lot of motive to look and I think this story is evidence of that. If a lot of analysts were already examining Linux and all the basic tools then why the sudden flood of bugs now?

      --
      I stole this Sig
    14. Re:For all the idiots by Bite+The+Pillow · · Score: 1

      If no one but bad guys looks for these vulnerabilities, it might as well be closed source. And given the vulnerabilities and how long they have been out there, they effectively are closed source.

      And when closed source projects have vulnerabilities reported, they too get fixed, or they get disabled and people will move to a competitor. Sure there are counter examples in both arenas, but closed projects will tend to patch any exploits in the wild.

      If your experience with closed source vulnerabilities is from 15 years ago, maybe you will disagree. But 15 year old experience is hardly a great argument.

      Finally, there is no "more secure" because there is always the next vulnerability. Both are vulnerable, unless you rely on obscurity. You would do well to remember that one, and you might as well wait until someone makes the comment to get your panties in a bunch.

    15. Re: For all the idiots by Anonymous Coward · · Score: 0

      If the commit was from a trusted source, ignore it.

      And here lies a big problem. Secret services are very good at worming into positions of trust.

    16. Re:For all the idiots by Anonymous Coward · · Score: 0

      Indeed. Right now Sony have another SQL injection problem with their site, but the gaming and tech media are keeping it quiet. News items mentioning it have appeared and then been removed within a couple of hours. A little odd considering they had a massive problem in 2011 and were fined by governments, and another in 2008. All three due to the most basic of basics in web based applications: not sanitizing inputs. The latest exploit has been known for over two weeks, but you'll find very little about it. You'd think the press would want to get word out to allow PSN customers to remove their payment details from their accounts until Sony come clean. As it stands, the exploit allows customer data to be slurped. They haven't even taken it down for "maintenance" to install a quick fix.

    17. Re:For all the idiots by jones_supa · · Score: 1

      ... to the masses of sarcastic "I thought Open Source was more secure!" crowd: in an Open Source forum, when vulnerabilities are found, they are patched. Since it's a public forum, the vulnerabilities are disclosed, and patches / updates made available. The poor, sorry state of the first cut gets rapidly and openly improved.

      With closed source, the vulnerabilities merely stay hidden and undisclosed, and you have no ability to know about it, or fix it yourself. The poor, sorry state of the first cut never improves. Yes, there are some cultures that take security seriously. You have no way of knowing.

      This, right here, is what "more secure" looks like: public notification of the vulnerabilities and patches to distribute.

      Except when they are not fixed.

      There are various serious bugs lingering on bug trackers, which have been known for a long time, but no one takes the responsibility to fix them.

      For example, in addition to Heartbleed, OpenSSL had another bug which had been unfixed for 4 years and even had a CVE record in place.

    18. Re: For all the idiots by Anonymous Coward · · Score: 0

      There's not a sudden flood of bugs. There's the impression of a sudden flood of bugs, because following two severe vulnerabilities that happened to be given catchy names, any security bug in a *nix tool is deemed newsworthy.

      That's not to deny the seriousness of some of these vulnerabilities; I'm just reflecting on the intersection of news values and the availability heuristic.

  9. Re:This is why Mac is superior! by Em+Adespoton · · Score: 2

    Ok... clearly sarcasm, and you clearly realize Macs aren't impervious to this and are making fun of people who believe Macs are immune... but I can't decide whether or not you realize this particular vulnerability actually does affect OS X.

    Oh, he knows it affects Macs; he just said you don't read about things like this on a Mac -- the reality distortion field and all that, living on in the actual products :)

  10. Re:This is why Mac is superior! by Anonymous Coward · · Score: 1, Funny

    About eight months ago, I was searching around the internet to find out why my computer was running so slowly (it normally ran quite fast, but had gradually gotten slower over time). After a few minutes, I found a piece of software claiming that it could speed up my PC and make it run like new again. Being that I was dangerously ignorant about technology in general (even more so than I am now), I downloaded the software and began the installation. Mere moments after doing so, my desktop background image was changed and warnings that appeared to originate from Windows appeared all over the screen telling me to buy strange software from an unknown company in order to remove a virus it claimed I had.

    I may have been ignorant about technology, but I wasn't that naive. I immediately concluded that the software I'd downloaded was, in fact, a virus. In my rage, I broke numerous objects, punched a hole in the wall, and cursed the world at the top of my lungs. I eventually calmed down, cleared my head, and realized that the only remedy for this problem was a carefully thought out plan. After a few moments of pondering about how to handle this situation, I decided that since I barely knew how to properly handle a computer, I should turn it over to the professionals and let them fix the issue.

    Soon after making the decision, I drove to a local computer repair shop and entered the building with my computer in hand. They greeted me with a smile and stayed attentive the entire time that I was explaining the problem to them. They laughed as if they'd heard it all before, told me that I'm not the only one who has trouble operating computers, and then gave me a date for when the computer would be fixed. Not only had they told me that the computer would be completely repaired in at most two days, but the price for their services was surprisingly low, and to top it all off, they even gave me advice for how to avoid viruses in the future! I left the building feeling confident in my decision to seek professional help and satisfied knowing that such kind-hearted people were the ones doing the job.

    The very next day, I received a phone call from the computer repair shop whilst I was at a local library researching computer viruses. I had stumbled upon a piece of software that appeared to be very promising, and I was about to do more research on it, but seeing as how I required my computer as soon as possible, I decided to put the matter on hold. Upon answering the phone and cheerfully greeting the person on the other end, I was greeted with a high-pitched shriek. Startled, I asked what was wrong. A few moments passed where nothing was said, and suddenly, the person on the other end said to me, in a low voice oozing with paranoia, "Come pick up your computer." They hung up immediately after saying that, and I couldn't help but notice that they sounded as if they were on the verge of tears. I briefly wondered if it was due to stress from work, and then drove to the computer repair shop to acquire my computer.

    I was positively dismayed upon entering the building. The inside of the computer repair shop looked nothing like the image from my memories. There were broken computer parts scattered throughout the room, ceiling tiles all over the floor, blood splattered in every direction I looked, and even a human toe on the ground. After processing this disturbing information, I began panicking and frantically looking around for my computer. I spotted an employee covered in blood sitting up against the wall, and noticed that his wrists had been slashed open. Thinking quickly, I ran up to him, grabbed him by the collar of his shirt, shook him around, and began screaming, "Where is it!? Where is my computer!?" After a moment of silence, he passed away, completely shattering my expectations. Such a thing! "What a meaningless individual," I thought.

    Enraged, I tore the building up even further than it already had been in my desperate search for my computer. Eventually I discovered a door leading to an area that was normally o

  11. Yup by s.petry · · Score: 2

    I used to spend a ton of time doing nothing but scrutinizing source code. I used to not install things based on what I saw in the code, pretty commonly. I simply lack the time today, but wish I could make time for this. I have turned into a minimalist because I don't trust everything, which 15 years ago I thought was crazy.

    That aside, at least with Open Source I could try and make time. The source is there for scrutiny; we just need more eyes watching for problems. Compare this to closed source (as you stated) and you can't. What you may perceive as the OS looking to download a patch could easily be that OS uploading your passwords and credit card data. In fact, go ahead and run one of those closed source OSes and dump all the traffic for a perfectly idle box.

    --
    -The wise argue that there are few absolutes, the fool argues that there are no probabilities.

  12. Re: This is why Mac is superior! by anagama · · Score: 1

    TL:DR?

    One of the more amusing trolls I've read. There's a lot of nice subtle and not-so-subtle humor in that thing. Well worth the read.

    --
    What changed under Obama? Nothing Good
  13. Shellshock. by westlake · · Score: 1

    ... to the masses of sarcastic "I thought Open Source was more secure!" crowd: in an Open Source forum, when vulnerabilities are found, they are patched.

    The key words here being "when they are found."

    Shellshock makes a perfect farce of the Open Source mantra "With many eyes all bugs are shallow."

    Analysis of the source code history of Bash shows the [Shellshock] vulnerabilities had existed since version 1.03 of Bash released in September 1989.

    25 years ago. Shellshock (software bug)

    The name itself is an acronym, a pun, and a description. As an acronym, it stands for Bourne-again shell, referring to its objective as a free replacement for the Bourne shell. As a pun, it expressed that objective in a phrase that sounds similar to born again, a term for spiritual rebirth. The name is also descriptive of what it did, bashing together the features of sh, csh, and ksh.

    Stallman and the Free Software Foundation (FSF) considered a free shell that could run existing sh scripts so strategic to a completely free system built from BSD and GNU code that this was one of the few projects they funded themselves.

    It has been distributed widely as the shell for the GNU operating system and as a default shell on Linux and Mac OS X. It has been ported to Microsoft Windows and distributed with Cygwin and MinGW, to DOS by the DJGPP project, to Novell NetWare and to Android via various terminal emulation applications.

    Bash (Unix shell)

  14. Vulnerabilities Found (and Sought) In MS Windows by Mister+Liberty · · Score: 2

    Just to balance the slanted sensationalism a bit.
    And maybe I should have said: "Vulnerabilities Found (without Seeking) In MS Windows".

  15. Not "remote" at all for libbfd by gweihir · · Score: 1

    This is a local code execution vulnerability. Remote vulnerabilities do not need help to get onto the machine; that is the very point of the name.

    --
    Most ACs are not even worth the keystrokes to insult them. Be generically insulted by this and ignored otherwise.
    1. Re:Not "remote" at all for libbfd by craighansen · · Score: 1

      Such as, for example, upstream developers who might sometimes use libbfd in the process of opening a crash binary submitted in a bug report - so no need to worry about remote code execution, local code execution will do just fine.

    2. Re:Not "remote" at all for libbfd by Anonymous Coward · · Score: 0

      Toolchain utilities are so complex, and have so many bugs, that it would be stupid to open such things outside of a sandbox. I never open unsolicited images or PDFs, either, from unknown sources. If I suspect it's a friendly source, I'll copy it to a file and open it in a browser, which does its own sandboxing.

      Furthermore, such utilities aren't designed to handle malicious input. It's not even necessarily a bug that a utility fails to, e.g., handle multiplication overflow. In a network service that would definitely be a bug. But for something like a compiler or a debugger, it's acceptable to put limits on the range of inputs it can handle. (Obviously stupid stuff like string overflows are unacceptable, however.)

      The distinction between remote and local matters. It helps us economize our limited time.

    3. Re:Not "remote" at all for libbfd by gweihir · · Score: 1

      Indeed. Of course, "local exploit" + "stupidity" => "remote exploit". But that is no valid reason to call any exploit a "remote" one when it is not.

      --
      Most ACs are not even worth the keystrokes to insult them. Be generically insulted by this and ignored otherwise.
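    The sandboxing the thread recommends for toolchain utilities, as an added example that is not part of any post above: a wrapper that runs a binary-parsing helper on an untrusted file under rlimits, a minimal environment and a wall-clock timeout, so a libbfd-style parser bug costs a crashed child rather than the analyst's session. It is a plain rlimit wrapper, not a full sandbox (no namespaces, seccomp or separate uid). The demonstration targets the Python interpreter itself so it runs anywhere; the intended `argv` is something like `["objdump", "-d", path]`, and the memory and CPU figures are assumptions to tune per host.

```python
import resource
import subprocess
import sys

# Added example (not from the original page): run an untrusted-input parser
# such as objdump/readelf/strings under resource limits and a timeout.
# The demo commands below use the Python interpreter as a stand-in target.

PYTHON = sys.executable


def _cap(which, value):
    """Lower both soft and hard limit to value, never above the current hard limit."""
    _, hard = resource.getrlimit(which)
    if hard != resource.RLIM_INFINITY:
        value = min(value, hard)
    resource.setrlimit(which, (value, value))


def _apply_limits(cpu_seconds, mem_bytes):
    """Runs in the child after fork() and before exec()."""
    _cap(resource.RLIMIT_CPU, cpu_seconds)   # kernel sends SIGXCPU to a spinning parser
    _cap(resource.RLIMIT_AS, mem_bytes)      # malloc/mmap fail past this address-space size
    _cap(resource.RLIMIT_FSIZE, 0)           # child cannot create or grow any file
    _cap(resource.RLIMIT_CORE, 0)            # no core dump containing the malicious input


def run_untrusted(argv, timeout=10, cpu_seconds=5, mem_bytes=512 * 1024 * 1024,
                  max_output=64 * 1024):
    """Run argv in a limited child; returns a dict with returncode, timed_out, stdout, stderr.

    returncode is None when the wall-clock timeout killed the child; output is
    truncated to max_output bytes so a hostile input cannot flood the caller.
    """
    try:
        proc = subprocess.run(
            argv,
            stdin=subprocess.DEVNULL,
            stdout=subprocess.PIPE,
            stderr=subprocess.PIPE,
            env={"PATH": "/usr/bin:/bin", "LC_ALL": "C"},   # no inherited env (Shellshock lesson)
            cwd="/",
            close_fds=True,
            timeout=timeout,
            preexec_fn=lambda: _apply_limits(cpu_seconds, mem_bytes),
        )
    except subprocess.TimeoutExpired as exc:
        return {"returncode": None, "timed_out": True,
                "stdout": (exc.stdout or b"")[:max_output],
                "stderr": (exc.stderr or b"")[:max_output]}
    return {"returncode": proc.returncode, "timed_out": False,
            "stdout": proc.stdout[:max_output], "stderr": proc.stderr[:max_output]}


if __name__ == "__main__":
    # Well-behaved helper: exits 0 with its output captured.
    print(run_untrusted([PYTHON, "-c", "print('parsed')"]))
    # A parser that allocates its way through a bogus section size dies on RLIMIT_AS.
    print(run_untrusted([PYTHON, "-c", "bytearray(4 * 1024 ** 3)"])["returncode"])
    # A parser stuck in a loop on a cyclic structure is killed by the wall clock.
    print(run_untrusted([PYTHON, "-c", "while True: pass"], timeout=2)["timed_out"])
```

In real use, replace the interpreter command with the helper to run (for example `run_untrusted(["objdump", "-d", "/tmp/crash.bin"])`) and treat a non-zero or `None` return code as "do not trust this file, analyse it elsewhere".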
  16. Re:But I thought Linux was invulnerable! by Anonymous Coward · · Score: 0

    All the eyes ... they do nothing! Arrrrrg.

    All the eyes are visibly finding bugs, that's kinda the premise of this story.

    It's your own eyes that are closed.

  17. Re:Vulnerabilities Found (and Sought) In MS Window by Bite+The+Pillow · · Score: 4, Informative

    What the hell is wrong with the title exactly? Shellshock made people realize that open source should be reviewed, especially in things that haven't changed much lately.

    With that approach, they found a few problems, patched them, and continue to look for more. It's not well written, but that's expected.

    Defend.

  18. Silly by s.petry · · Score: 3, Informative

    While surely there are serious bugs that are found, shellshock is not one on my list of "serious bugs". If you would have picked a different target, I may have taken less issue with your statement. Every exploit of "shellshock" requires either A) access to the system, or B) poor system administration/development (which in essence loops back to A).

    Let's see how this is actually exploited from the same Wiki page.

    CGI-based web server
    If the request handler is a Bash script, or if it executes one for example using the system(3) call, Bash will receive the environment variables passed by the server and will process them as described above.

    OpenSSH server
    OpenSSH has a "ForceCommand" feature, where a fixed command is executed when the user logs in, instead of just running

    DHCP servers
    A malicious DHCP server could provide, in one of these options, a string crafted to execute code on a vulnerable workstation or laptop.

    QMail server
    Depending on the specific system configuration, a qmail mail server can pass external input through to Bash in a way that could exploit a vulnerable version

    I added emphasis and snipped the quotes to the relevant portions, but you can read the whole Wiki if you have doubts.

    As I stated in my opening, surely exploits exist but Shellshock was more noise than anything else. Yup it was a bug, but having it exposed to the Internet was not a Bash problem in and of itself. Shellshock was easy to avoid simply by using "Best Practices". If you are running your sites on a bunch of Bash CGI scripts, we knew that shell based CGI was a bad idea in the 90s. If you have a DHCP client attaching to unknown servers, shame on you. If you have arbitrary users with shell access to your hosts.. well, I guess it's possible that someone has this in their business model somewhere but it's surely not very common.

    We manage many tens of thousands of websites, and even with "vulnerable bash" we could not exploit the bug unless we were logged in to a host. We tried really really hard to exploit it (at least 5 days of testing since they kept releasing patches), but we follow best practices.

    --

    -The wise argue that there are few absolutes, the fool argues that there are no probabilities.

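    The CGI path quoted in the post above, as an added example that is not part of the original post: the header-to-environment mapping that hands request headers to a Bash handler as `HTTP_*` variables (RFC 3875), a check for the `() {` function-export prefix that unpatched Bash mis-parsed, and the same check run over constructed Apache "combined" access-log lines. The log lines and headers are made up for the example; the `() { :;}; echo vulnerable` string is the widely published Shellshock test string, not a new exploit.

```python
import re

# Added example (not from the original page): CGI environment mapping plus
# detection of Shellshock-style payloads in headers and access logs.
# All sample data in this block is constructed.

# Bash encodes an exported function as a variable whose value starts with
# "() {". Unpatched versions kept parsing after the closing brace, so
# "() { :;}; <command>" executed <command> when the environment was imported.
FUNC_EXPORT = re.compile(r"^\s*\(\)\s*\{")


def looks_like_function_export(value):
    """True if an unpatched bash would treat this string as an exported function."""
    return bool(FUNC_EXPORT.match(value))


def cgi_environment(headers):
    """Map (name, value) request headers to the HTTP_* variables a CGI server exports.

    Per RFC 3875 the header name is upper-cased, '-' becomes '_', and the
    value is passed through unchanged; that is how attacker text reaches bash.
    """
    env = {}
    for name, value in headers:
        env["HTTP_" + name.strip().upper().replace("-", "_")] = value
    return env


def scan_request(headers):
    """Names of the environment variables that would carry a function-export payload."""
    return sorted(k for k, v in cgi_environment(headers).items()
                  if looks_like_function_export(v))


# Apache/nginx "combined" format. Quoted fields may contain backslash-escaped quotes.
LOG_LINE = re.compile(
    r'^(?P<host>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<request>(?:[^"\\]|\\.)*)" (?P<status>\d{3}) \S+ '
    r'"(?P<referer>(?:[^"\\]|\\.)*)" "(?P<user_agent>(?:[^"\\]|\\.)*)"$'
)


def parse_combined_log(line):
    """Dict of fields for a combined-format line, or None if it does not parse."""
    m = LOG_LINE.match(line)
    return m.groupdict() if m else None


def scan_log(lines):
    """(line number, field) pairs whose logged value carries a function-export payload.

    Only the request line, Referer and User-Agent are logged in this format;
    a payload sent in Cookie or any other header never reaches the access log,
    which is why log review alone under-counts attempts.
    """
    hits = []
    for lineno, line in enumerate(lines, start=1):
        rec = parse_combined_log(line)
        if rec is None:
            continue
        for field in ("request", "referer", "user_agent"):
            if looks_like_function_export(rec[field]):
                hits.append((lineno, field))
    return hits


# Constructed sample: lines 1 and 3 carry the test string, line 2 is benign.
SAMPLE_LOG = [
    '203.0.113.7 - - [25/Sep/2014:10:12:01 +0000] "GET /cgi-bin/status HTTP/1.1" 200 512 '
    '"-" "() { :;}; echo vulnerable"',
    '198.51.100.4 - - [25/Sep/2014:10:12:05 +0000] "GET /index.html HTTP/1.1" 200 2048 '
    '"http://example.com/" "Mozilla/5.0 (X11; Linux x86_64)"',
    '192.0.2.9 - - [25/Sep/2014:10:13:44 +0000] "GET /cgi-bin/status HTTP/1.1" 200 512 '
    '"() { :; }; /bin/true" "curl/7.37.0"',
]

if __name__ == "__main__":
    print(scan_request([("User-Agent", "() { :;}; echo vulnerable"), ("Host", "example.com")]))
    print(scan_log(SAMPLE_LOG))
```

The detector is deliberately a prefix match rather than a search for specific commands: the trigger is the function-export prefix itself, and an `HTTP_*` value that starts with `() {` has no legitimate reason to exist.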
    1. Re:Silly by TheRaven64 · · Score: 1

      If you have a DHCP client attaching to unknown servers, shame on you

      Huh? First of all, DHCP has no authentication. If I pop up on your trusted network and answer DHCP broadcast queries faster than the router, then your DHCP client will trust me. Second, you realise that that's how most operating systems are configured to work out of the box? Plug in network cable (or join WiFi network), send DHCP broadcast packet, trust the response.

      --
      I am TheRaven on Soylent News
    2. Re:Silly by Anonymous Coward · · Score: 1

      If you're able to pop a rogue DHCP server on a network, then I think the IT/Security folks have bigger problems than shellshock.

    3. Re:Silly by s.petry · · Score: 2

      Huh? First of all, DHCP has no authentication.

      It may not have authentication, but it can surely be secured. Not to say your point is completely invalid, but it's not something that any business should really have to worry about because the DHCP Client does not hack the DHCP server.

      Where your point has some validity is let's say a Laptop and a traveler. Going through the airport you could, if you wanted, connect to networks other than what the airport provides. So a bad guy can set up a rogue server and hotspot that you could connect to if you selected this network and told the application to connect. This should never be "automatic" and requires the user to change settings in everything I'm aware of. So let me go back and add user error to my list of reasons that shellshock was exploitable. Fair?

      --

      -The wise argue that there are few absolutes, the fool argues that there are no probabilities.

    4. Re:Silly by TheRaven64 · · Score: 1

      No, because your laptop doesn't authenticate base systems either. It will try to connect to any AP that has an SSID that it recognises and (if it expects DHCP on that network, which is usually the default) send a DHCP query. And, if that AP is malicious, then you'll get the exploit code delivered to your DHCP client.

      --
      I am TheRaven on Soylent News
    5. Re:Silly by elgaard · · Score: 1

      In for example an airport you have no way of knowing if it really is the airport that provided the network, you are using.

      Even if it is a real airport network, most airport wireless networks are open and unencrypted, so anyone could run their own DHCP server on the network.

      In many airport lounges you could just go to the accesspoint and move a few cables to use your own hardware router.

      And why should you have to trust airport networks, or networks in cafes, trains, bars, etc?

      I think it is reasonable to expect DHCP to be safe.

    6. Re:Silly by s.petry · · Score: 1

      So what you are telling me is that your wifi client automatically connects to any available network automatically? Okay, but if you get hacked that is not a Bash problem. My WIFI does not connect to any random network, I have to take action to connect. Get a new WIFI client or secure what you have, problem solved.

      --

      -The wise argue that there are few absolutes, the fool argues that there are no probabilities.

    7. Re:Silly by s.petry · · Score: 1

      You still have not demonstrated that a Client can hack a Server (and won't be able to), which as I stated means that Best Practices fixes issues for companies. If you are running DHCP, secure it! Both on the client and the server side.

      People connecting to "any" Wifi they can find should have an expectation that they are going to be hacked. In fact if I own a DHCP server as a bad guy, you have more serious problems than me getting a shell on your laptop. I can MITM every connection you make so would not brute force in except as a last resort. I'd steal all your credentials and activities first..

      --

      -The wise argue that there are few absolutes, the fool argues that there are no probabilities.

    8. Re:Silly by elgaard · · Score: 1

      Actually my client does not connect automatically.
      Not that it should be a problem, except that it would keep connecting to networks that I cannot use.

      I am telling you that if I stay in a hotel, and I see a network named eg Free_Hotelname_network, then I connect to it and if it works I use it, even though for all I know that network could be running from the laptop of the guy in a room down the hall.

      But I should not have to care about that. It should not be necessary to trust every DHCP-server I use.

      In the same way that I also visit a lot of webservers, that I do not necessarily trust. My browser should not execute insecure bash-scripts.

    9. Re:Silly by s.petry · · Score: 1

      I think for the most part we agree, but I still disagree that you can't know if "Free_Hotel" WIFI is legit, since every Hotel I have been in has information in numerous places about their WIFI. Airports too, and shopping malls, etc... I could probably trap a whole mess of people in a Hotspot "Free_Airport_Porn", but anyone checking with the airport should know that this is not an Airport provided WIFI network. In fact they busted some guy just last week with a Hotspot because it had a name that included Al Quada somewhere (no charges filed), so some people do pay attention.

      --

      -The wise argue that there are few absolutes, the fool argues that there are no probabilities.

    10. Re:Silly by elgaard · · Score: 1

      The hotels usually do print the name of their network on flyers, signs etc.
      But an attacker does not have to make up fake names, he can just use the legit name.

      At an airport you might see:

      - Airport Net
      - Airport Net
      - HP_Printer.

      Where "Airport Net" is the legit official name, that the airport uses.
      An attacker then names his AP also "Airport Net".

      Then you see:

      - Airport Net
      - Airport Net
      - Airport Net
      - HP_Printer.

      There is no way to know that one of the "Airport Net" APs is not run by the airport.

      And even worse.
      If the attacker takes an AP, e.g. at a cafe, and names it "Airport Net", there is a good chance that someone will automatically connect to it because they used an AP by that name in the airport.

    11. Re:Silly by s.petry · · Score: 1

      AFAIK what you are describing is surely possible, but I'm wondering if it's illegal. "Alquada_terrorist_network" may be offensive, but not assuming the ID of anyone. Yes, possible so I stand corrected.

      --

      -The wise argue that there are few absolutes, the fool argues that there are no probabilities.

    12. Re:Silly by elgaard · · Score: 1

      Well, if you are the third AP owner in your neighborhood that has a network name Linksys or Home Network, you should not get into trouble.

      If you named your network Logan Airport because you wanted to gain access to passengers computers, you would be breaking the law in most countries.

      If you named your network Logan Airport because you were curious to find out how many would connect to it, well I am not a lawyer, but I would say you were on thin ice.

      The problem with faked DHCP-servers is not so much that it can take advantage of bash vulnerabilities, most clients should now be updated and not use Bash. It is worse that they can give you bad DNS-servers. That means that the attacker can then do a MITM attack on every single connection you make. Encryption helps, but not everything is encrypted, and many users would accept a fake SSL certificate.

      If you are worried about fake DHCP servers you should configure your DHCP client to use fixed DNS servers (I use http://censurfridns.dk/). You would still be vulnerable to fake accesspoints and fake DHCP-servers that also gave you a fake gateway, but not to bad DNS-servers.
      Unfortunately many networks rely on using DNS to implement captive portals for login and advertising, so you cannot do it for all networks.

    13. Re:Silly by TheRaven64 · · Score: 1

      You're missing the point. The vulnerability is in the client, not the server. If you connect to WiFi, then you implicitly trust the WiFi access point to route your traffic. Anything unencrypted can be compromised, but your machine should be safe. With the dhcp client vulnerability, a malicious DHCP response - which can be sent by any machine on the network, not just the WiFi access point - can get a root shell on your laptop.

      --
      I am TheRaven on Soylent News
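    The two points made above, that a rogue DHCP server hands out attacker DNS servers and that the Shellshock-era vulnerability sat in the client side of the exchange, as an added example that is not part of any post: a decoder for the options field of a DHCP OFFER/ACK that bounds-checks every length byte it reads from the wire, followed by an audit that flags DNS servers outside a pinned set and string options carrying a `() {` function-export prefix (ISC dhclient passed such option values to its hook script through the environment, roughly as `new_domain_name` and similar variables). Option codes are the RFC 2132 values; the OFFER bytes are constructed for the example.

```python
import ipaddress
import re

# Added example (not from the original page): DHCP options decoder plus
# client-side audit for rogue DNS and function-export payloads.
# The sample OFFER below is constructed, not captured.

MAGIC_COOKIE = b"\x63\x82\x53\x63"          # RFC 2132 start of the options field
OPT_PAD, OPT_END = 0, 255
OPT_ROUTER, OPT_DNS, OPT_HOSTNAME, OPT_DOMAIN = 3, 6, 12, 15
OPT_MSG_TYPE, OPT_SERVER_ID = 53, 54

# Bash's exported-function encoding; see the CGI discussion above.
FUNC_EXPORT = re.compile(rb"^\s*\(\)\s*\{")


def parse_options(field):
    """Return [(code, data), ...] from a DHCP options field that starts with the cookie.

    Length bytes are attacker-controlled, so every slice is checked against the
    packet end; a truncated option raises instead of silently reading short.
    """
    if not field.startswith(MAGIC_COOKIE):
        raise ValueError("missing DHCP magic cookie")
    opts, i = [], len(MAGIC_COOKIE)
    while i < len(field):
        code = field[i]
        if code == OPT_PAD:            # single-byte option, no length
            i += 1
            continue
        if code == OPT_END:
            break
        if i + 1 >= len(field):
            raise ValueError("option %d has no length byte" % code)
        length = field[i + 1]
        data = field[i + 2:i + 2 + length]
        if len(data) != length:
            raise ValueError("option %d runs past end of packet" % code)
        opts.append((code, data))
        i += 2 + length
    return opts


def is_truncated(field):
    """True if the field fails to decode; used to test the bounds checks."""
    try:
        parse_options(field)
    except ValueError:
        return True
    return False


def ipv4_list(data):
    """Decode concatenated 4-byte addresses; a trailing partial address is dropped."""
    return [str(ipaddress.IPv4Address(data[j:j + 4])) for j in range(0, len(data) - 3, 4)]


def audit_options(field, trusted_dns):
    """Findings as (kind, option_code, detail) tuples.

    'untrusted_dns' is the rogue-DHCP-to-MITM path; 'function_export' is a
    string option an unpatched dhclient/bash pair would have executed.
    """
    findings = []
    for code, data in parse_options(field):
        if code == OPT_DNS:
            for server in ipv4_list(data):
                if server not in trusted_dns:
                    findings.append(("untrusted_dns", code, server))
        if FUNC_EXPORT.match(data):
            findings.append(("function_export", code, data))
    return findings


def option(code, data):
    """Encode one option; only used to build the sample below."""
    assert 0 < len(data) < 256
    return bytes([code, len(data)]) + data


# Constructed OFFER: legitimate-looking router, one extra DNS server the
# client was not told to trust, and a domain-name option carrying the
# function-export prefix followed by a harmless command.
SAMPLE_OFFER = (
    MAGIC_COOKIE
    + option(OPT_MSG_TYPE, b"\x02")                           # DHCPOFFER
    + option(OPT_SERVER_ID, bytes([192, 0, 2, 1]))
    + option(OPT_ROUTER, bytes([192, 0, 2, 1]))
    + option(OPT_DNS, bytes([192, 0, 2, 1, 198, 51, 100, 53]))
    + option(OPT_DOMAIN, b"() { :;}; /bin/true")
    + bytes([OPT_END])
)

if __name__ == "__main__":
    for finding in audit_options(SAMPLE_OFFER, trusted_dns={"192.0.2.1"}):
        print(finding)
```

The audit runs on the client because that is where the trust decision is made: nothing in the protocol lets the client tell a real "Airport Net" DHCP server from an impostor, so the only checks available are on the content of the reply.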
  19. Truer words were never spoken by Anonymous Coward · · Score: 0

    Shellshock makes a perfect farce of the Open Source mantra "With many eyes all bugs are shallow." by westlake (615356) on Thursday October 30, 2014 @07:36PM (#48274451)

    Of course you'll be downmoderated for telling the truth of things around here on slashdot for it. Yes, you can expect that since their outright bs and lies are now and have continually been exposed in the very crap it is by your words. You're no first either. I don't think the moronic Open SORES crew around here "gets it" that when you tell outrageous outright lies you'll get caught in the act (as they have been repeatedly not just in your case, but many others over time ala "Linux = Secure, Windows != Secure" type crap they spouted here for years to a decade and then some when ANDROID, of all things, shows just how "secure" Linux is once it finally got a foothold as top most used OS on another hardware platform (and the only reason it got that was it costs nothing keeping phone handset costs lower, and that only) since Android shows security issues and malware galore every day almost for nearly a decade now).

  20. Re:But I thought Linux was invulnerable! by jones_supa · · Score: 3, Insightful

    All the eyes ... they do nothing! Arrrrrg.

    Linus's Law worked better back in the day when the projects were smaller, but these days most people do not have the time or inclination to go through hundreds of thousands of lines of source code. You really want to be paid for that kind of work, in other words professional code audits.

  21. commandlinetools by Anonymous Coward · · Score: 0

    A person should not be able to gain access to a terminal remotely to exploit local command line applications. How do they gain access to remotely execute them? I guess that is the guy with a smoking gun as they say in the western united states.

  22. Re:But I thought Linux was invulnerable! by Anonymous Coward · · Score: 0

    ^ exactly
    And everyone assumes someone else will call them out on mistakes or is handling security reviews, etc.

    I speed everyday and never get a ticket, therefore speeding has no penalty so I keep doing it - basically.