Vulnerabilities Found (and Sought) In More Command-Line Tools

itwbennett writes The critical Shellshock vulnerabilities found last month in the Bash Unix shell have motivated security researchers to search for similar flaws in old, but widely used, command-line utilities. Two remote command execution vulnerabilities were patched this week in the popular wget download agent and tnftp client for Unix-like systems [also mentioned here]. This comes after a remote code execution vulnerability was found last week in a library used by strings, objdump, readelf and other command-line tools.

30 of 87 comments

  1. great news by Anonymous Coward · · Score: 5, Interesting

    hopefully any remaining bugs will be found and we end up with better products

    1. Re:great news by jones_supa · · Score: 2

      Agreed. Quality assurance is what open source sorely needs, and I'm glad that more focus is assigned to that area.

  2. tnftp by Anonymous Coward · · Score: 5, Informative

    From one of the referenced articles:

    Tnftp is a cross-platform port of the original BSD FTP client. It is the default FTP client in NetBSD, FreeBSD, DragonFly BSD and Mac OS X, but it is also available in many Linux distributions.

    The tnftp package shipped with OpenBSD is not vulnerable due to some changes made to the code some time ago

    It's almost like the OpenBSD team knows what they're doing when it comes to security.

    1. Re:tnftp by MrBingoBoingo · · Score: 4, Insightful

      Well the difference is... reading, and reading is nothing if not for rereading. A billion, thousand, or even three eyes mean nothing if they're aimed at cat videos. Instead of reinventing every API to keep it fresh a la the GNOME model, to get actual tools you have to instead make sure what you're already working with... works.

  3. Am I paranoid? by BlackPignouf · · Score: 4, Interesting

    I don't know if I'm being paranoid, but I'm pretty sure there are backdoors in every major open source project : gcc, the linux kernel, ssh, gpg and bash to name a few.
    They've been either actively introduced by NSA/FSB/... or found and jealously kept secrets.
    It's not like recent history has proven this theory wrong. :-/

    1. Re:Am I paranoid? by Anonymous Coward · · Score: 4, Insightful

      It's not like your "theory" is falsifiable, either.

    2. Re:Am I paranoid? by MrBingoBoingo · · Score: 2

      Well the way this probably works is they submit patches to be helpful. They encourage work on certain things to distract from things they already know are vulnerable. Bash had that bad behavior at a time when some people may have lobbied for it as a feature. On the other hand you have outright turds like OpenSSL which are developed by people who just slap shit in and avoid starvation by consulting for the Feds. The only solution is more people reading old code.

    3. Re:Am I paranoid? by TheRaven64 · · Score: 2

      I doubt that they're inserted intentionally. If you insert an intentional backdoor, then there's a chance that it can be traced back to you. Pretty much any nontrivial program contains bugs, and if the program is written in C then a good fraction of those are exploitable. If you've got the resources to insert intentional vulnerabilities into open source code, then you've got the resources for the lower-risk strategy of auditing and fuzzing the code to finding some existing ones to exploit.

      --
      I am TheRaven on Soylent News
    4. Re:Am I paranoid? by tlhIngan · · Score: 2

      I don't know if I'm being paranoid, but I'm pretty sure there are backdoors in every major open source project : gcc, the linux kernel, ssh, gpg and bash to name a few.
      They've been either actively introduced by NSA/FSB/... or found and jealously kept secrets.
      It's not like recent history has proven this theory wrong. :-/

      Except that shellshock dates to 1989. That's when the "feature" to export functions was added to bash per commit logs. And that predates Linux 0.1 by a couple of years, so your FBI/NSA/etc would have to have extreme foresight to believe that some piece of software would suddenly be popular, aided by an unknown barely-functional OS released a couple of years later, etc., etc., etc.

      And if you're paranoid, use OpenBSD, where every line of code has been audited.

  4. Re:This is why Mac is superior! by vux984 · · Score: 2

    Ok... clearly sarcasm, and you clearly realize Macs aren't impervious to this and are making fun of people who believe Macs are immune... but I can't decide whether or not you realize this particular vulnerability actually does affect OS X.

  5. For all the idiots by mcrbids · · Score: 5, Insightful

    ... to the masses of sarcastic "I thought Open Source was more secure!" crowd: in an Open Source forum, when vulnerabilities are found, they are patched. Since it's a public forum, the vulnerabilities are disclosed, and patches / updates made available. The poor, sorry state of the first cut gets rapidly and openly improved.

    With closed source, the vulnerabilities merely stay hidden and undisclosed, and you have no ability to know about it, or fix it yourself. The poor, sorry state of the first cut never improves. Yes, there are some cultures that take security seriously. You have no way of knowing.

    This, right here, is what "more secure" looks like: public notification of the vulnerabilities and patches to distribute.

    --
    I have no problem with your religion until you decide it's reason to deprive others of the truth.
    1. Re:For all the idiots by chipschap · · Score: 4, Insightful

      Here we go again, more "proof" for the "see I told you Windows is better" crowd.

    2. Re:For all the idiots by quantaman · · Score: 2

      ... to the masses of sarcastic "I thought Open Source was more secure!" crowd: in an Open Source forum, when vulnerabilities are found, they are patched. Since it's a public forum, the vulnerabilities are disclosed, and patches / updates made available. The poor, sorry state of the first cut gets rapidly and openly improved.

      With closed source, the vulnerabilities merely stay hidden and undisclosed, and you have no ability to know about it, or fix it yourself. The poor, sorry state of the first cut never improves. Yes, there are some cultures that take security seriously. You have no way of knowing.

      This, right here, is what "more secure" looks like: public notification of the vulnerabilities and patches to distribute.

      The disclosure and fixing is definitely a good thing, but the number of vulnerabilities and the ease with which people are finding them is worrying.

      I don't think that this really disproves Linus's Law, "given enough eyeballs, all bugs are shallow". More likely I suspect that the eyeballs aren't as numerous or well distributed as we think. There are a lot of tools that have been around a really long time and may not have undergone rigorous review when they were written. Even if maintenance is fairly active (the wget changelog is pretty healthy) these are decent sized code bases and there's going to be a lot of places where bugs can hide for a very long time.

      The place where proprietary software companies like Windows have an advantage here is they can afford to pay people to do the thankless task of auditing old code. But with Linux most contributors, be they individuals or companies, are primarily concerned with their own projects. They simply don't have the same incentive to start auditing the whole ecosystem looking for random old bugs.

      --
      I stole this Sig
    3. Re:For all the idiots by Zero__Kelvin · · Score: 2

      That is correct. In the world of the big boys we release updates on a moment by moment basis, thereby avoiding as much as a month's delay for no good reason. :-)

      --
      Guns don't kill people; Physics kills people! - John Lithgow as Dick Solomon on Third Rock From The Sun
    4. Re:For all the idiots by Hydrated+Wombat · · Score: 3, Insightful

      I would interpret the AC as not being sarcastic. Updating on any open source operating system has been much, much easier and much more timely than any part of Windows for me, but that's just my experience. Not to say that everything is easier in Linux, but updates have always been timely, and it doesn't flip out and use all my RAM. Bash auto-updated before the Slashdot story hit my newsfeed.

    5. Re:For all the idiots by quantaman · · Score: 3, Insightful

      "But with Linux most contributors, be they individuals or companies, are primarily concerned with their own projects."

      Your definition of contributor is skewed. A FOSS contributor may do so in many ways. Clearly a project lead for a major project isn't going to contribute further by analyzing the ecosystem; their plate is full. There are others, also known as contributors, who do this. Other contributors administer project websites or write documentation. There is a whole wide array of types of contributors.

      That being said, clearly there are more developers than people doing security audits, and it would be nice to see more contributors in all the other categories, actually.

      My definition of contributor didn't exclude non-coders. The point was that most contributors, except for a few individuals, are contributing with a specific goal or direction in mind. Implement feature X, support customer Y, make nicer docs, make a nicer build, etc. All of those tasks have a nice tangible outcome that is good for motivating people.

      Auditing old code for potential security vulnerabilities is hard work, it isn't fun, and it's unlikely to scratch a particular itch. Those kind of problems aren't a strength of the open source model.

      --
      I stole this Sig
    6. Re:For all the idiots by Zero__Kelvin · · Score: 2

      There is no old code; only old auditors :-)

      I can assure you, when I analyze any hardware/software system I don't in any manner, way, shape or form categorize anything, or base any decision on the age of, any subsystem.

      I doubt I'm the only competent analyst.

      --
      Guns don't kill people; Physics kills people! - John Lithgow as Dick Solomon on Third Rock From The Sun
    7. Re:For all the idiots by Zero__Kelvin · · Score: 2

      No. I think I understand how to interpret a commit log. If the commit was from a trusted source, ignore it. You have just narrowed down your search by at least 2 orders of magnitude. If you have a suspected committer, scrutinize them. Commit logs go a very long way to taking your "OMFG How will anyone analyze every change!" to a pleasant rejoicing song of: "Hey, it turns out we only have to review a very small subset!"

      --
      Guns don't kill people; Physics kills people! - John Lithgow as Dick Solomon on Third Rock From The Sun
    8. Re:For all the idiots by quantaman · · Score: 2

      There is no old code; only old auditors :-)

      I can assure you, when I analyze any hardware/software system I don't in any manner, way, shape or form categorize anything, or base any decision on the age of, any subsystem.

      I doubt I'm the only competent analyst.

      I'm not saying competent analysts can find these bugs. What I'm suggesting is that they don't have a lot of motive to look and I think this story is evidence of that. If a lot of analysts were already examining Linux and all the basic tools then why the sudden flood of bugs now?

      --
      I stole this Sig
  6. Re:This is why Mac is superior! by Em+Adespoton · · Score: 2

    Ok... clearly sarcasm, and you clearly realize Macs aren't impervious to this and are making fun of people who believe Macs are immune... but I can't decide whether or not you realize this particular vulnerability actually does affect OS X.

    Oh, he knows it affects Macs; he just said you don't read about things like this on a Mac -- the reality distortion field and all that, living on in the actual products :)

  7. Re:Summary Incorrect by Anonymous Coward · · Score: 3, Informative

    But they can write to ~/.bash_profile and equiv to add ~/.../evilbin/ to their path on next login (and ping a C&C, add an ssh key to authorized hosts, etc.)

  8. Yup by s.petry · · Score: 2

    I used to spend a ton of time doing nothing but scrutinizing source code. I used to not install things based on what I saw in the code, pretty commonly. I simply lack the time today, but wish I could make time for this. I have turned into a minimalist because I don't trust everything, which 15 years ago I thought was crazy.

    That aside, at least with OpenSource I could try and make time. The source is there for scrutiny, we just need more eyes watching for problems. Compare this to closed source (as you stated) and you can't. What you may perceive as the OS looking to download a patch could easily be that OS uploading your passwords and credit card data. In fact go ahead and run one of those closed source OSes and dump all the traffic for a perfectly idle box.

    --

    -The wise argue that there are few absolutes, the fool argues that there are no probabilities.

  9. Re:what happened to obscurity by Zero__Kelvin · · Score: 4, Informative

    In Open Source vernacular, we call that becoming more and more secure :-)

    --
    Guns don't kill people; Physics kills people! - John Lithgow as Dick Solomon on Third Rock From The Sun
  10. Re:what happened to obscurity by Zero__Kelvin · · Score: 2

    Non-sequitur much?

    --
    Guns don't kill people; Physics kills people! - John Lithgow as Dick Solomon on Third Rock From The Sun
  11. Re:what happened to obscurity by jedidiah · · Score: 2

    When there is real malware out in the wild causing millions of systems to be breached, then Linux will be "as secure as Windows". Until then, it's just ranting of trolls repeating well refuted ideas and conflating everyone else's mere bugs with actual malware.

    --
    A Pirate and a Puritan look the same on a balance sheet.
  12. Vulnerabilities Found (and Sought) In MS Windows by Mister+Liberty · · Score: 2

    Just to balance the slanted sensationalism a bit.
    And maybe I should have said: "Vulnerabilities Found (without Seeking) In MS Windows".

  13. Re:Vulnerabilities Found (and Sought) In MS Window by Bite+The+Pillow · · Score: 4, Informative

    What the hell is wrong with the title exactly? Shellshock made people realize that open source should be reviewed, especially in things that haven't changed much lately.

    With that approach, they found a few problems, patched them, and continue to look for more. It's not well written, but that's expected.

    Defend.

  14. Silly by s.petry · · Score: 3, Informative

    While surely there are serious bugs that are found, shellshock is not one on my list of "serious bugs". If you would have picked a different target, I may have taken less issue with your statement. Every exploit of "shellshock" requires either A) access to the system, or B) poor system administration/development (which in essence loops back to A).

    Let's see how this is actually exploited from the same Wiki page.

    CGI-based web server
    If the request handler is a Bash script, or if it executes one for example using the system(3) call, Bash will receive the environment variables passed by the server and will process them as described above.

    OpenSSH server
    OpenSSH has a "ForceCommand" feature, where a fixed command is executed when the user logs in, instead of just running

    DHCP servers
    A malicious DHCP server could provide, in one of these options, a string crafted to execute code on a vulnerable workstation or laptop.

    QMail server
    Depending on the specific system configuration, a qmail mail server can pass external input through to Bash in a way that could exploit a vulnerable version

    I added emphasis and snipped the quotes to the relevant portions, but you can read the whole Wiki if you have doubts.

    As I stated in my opening, surely exploits exist but Shellshock was more noise than anything else. Yup it was a bug, but having it exposed to the Internet was not a Bash problem in and of itself. Shellshock was easy to avoid simply by using "Best Practices". If you are running your sites on a bunch of Bash CGI scripts, we knew that shell based CGI was a bad idea in the 90s. If you have a DHCP client attaching to unknown servers, shame on you. If you have arbitrary users with shell access to your hosts... well, I guess it's possible that someone has this in their business model somewhere but it's surely not very common.

    We manage many tens of thousands of websites, and even with "vulnerable bash" we could not exploit the bug unless we were logged in to a host. We tried really really hard to exploit it (at least 5 days of testing since they kept releasing patches), but we follow best practices.

    --

    -The wise argue that there are few absolutes, the fool argues that there are no probabilities.
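A defender's check for the CGI vector quoted in the post above, added here as an example and not part of the comment or of the Wiki text it cites: it scans access-log lines for header values that a pre-patch bash would parse as an exported function definition (a value beginning with "() {"), and strips such values from a CGI environment before a shell handler sees them. The log lines, client addresses and request paths are constructed for the example.

```python
import re

# Signature of a bash exported-function definition at the start of a value.
# A pre-patch bash parsed any environment variable whose value began with
# "() {" as a function body and executed whatever followed the closing brace.
# Leading whitespace is tolerated, as the original parser tolerated it.
FUNC_EXPORT_RE = re.compile(r"^\s*\(\)\s*\{")

# Apache/nginx "combined" access-log layout; only Referer and User-Agent
# survive into this format, so those are the two header fields checked here.
COMBINED_LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)


def looks_like_function_export(value):
    """True if a vulnerable bash would treat this value as a function body."""
    return bool(FUNC_EXPORT_RE.match(value))


def scan_access_log(lines):
    """Return one hit per log field carrying a function-export prefix.

    A CGI server would have exported these as HTTP_REFERER and HTTP_USER_AGENT;
    other headers need the raw request to inspect.
    """
    hits = []
    for lineno, line in enumerate(lines, start=1):
        m = COMBINED_LOG_RE.match(line)
        if not m:
            continue  # not combined format; skip rather than guess
        for field in ("referer", "ua"):
            if looks_like_function_export(m.group(field)):
                hits.append({"line": lineno, "ip": m.group("ip"),
                             "field": field, "request": m.group("req")})
    return hits


def strip_function_exports(env):
    """Stopgap mitigation (assumed deployment, not from the page): drop any
    environment value a vulnerable bash would parse as a function before
    handing the environment to a shell-based CGI handler."""
    return {k: v for k, v in env.items() if not looks_like_function_export(v)}


# Constructed sample: two ordinary requests, then one probe in User-Agent
# and one in Referer (harmless "echo" bodies; addresses are documentation range).
SAMPLE_LOG = [
    '203.0.113.5 - - [10/Oct/2014:12:00:01 +0000] "GET /cgi-bin/status.sh HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '203.0.113.7 - - [10/Oct/2014:12:00:02 +0000] "GET /cgi-bin/status.sh HTTP/1.1" 200 512 "-" "() { :;}; echo probe"',
    '203.0.113.9 - - [10/Oct/2014:12:00:03 +0000] "GET /index.html HTTP/1.1" 200 2048 "() { :; }; echo probe" "curl/7.37.0"',
]

if __name__ == "__main__":
    for hit in scan_access_log(SAMPLE_LOG):
        print(hit)
```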

    1. Re:Silly by s.petry · · Score: 2

      Huh? First of all, DHCP has no authentication.

      It may not have authentication, but it can surely be secured. Not to say your point is completely invalid, but it's not something that any business should really have to worry about because the DHCP Client does not hack the DHCP server.

      Where your point has some validity is let's say a laptop and a traveler. Going through the airport you could, if you wanted, connect to networks other than what the airport provides. So a bad guy can set up a rogue server and hotspot that you could connect to if you selected this network and told the application to connect. This should never be "automatic" and requires the user to change settings in everything I'm aware of. So let me go back and add user error to my list of reasons that shellshock was exploitable. Fair?

      --

      -The wise argue that there are few absolutes, the fool argues that there are no probabilities.

  15. Re:But I thought Linux was invulnerable! by jones_supa · · Score: 3, Insightful

    All the eyes ... they do nothing! Arrrrrg.

    Linus's Law worked better back in the day when the projects were smaller, but these days most people do not have the time or inclination to go through hundreds of thousands of lines of source code. You really want to be paid for that kind of work, in other words professional code audits.