Shellshock Vulnerability - Bash bug

Just recently (24 September 2014) the Shellshock bug was discovered in the Unix Bash shell, which is a very widely used shell. This is also a known bug for OS/X based systems. Servers reachable from the Internet in particular could be compromised quite easily. According to various statistics, 50% of the Internet is driven by Unix-flavored systems, and almost all services, HTTP for example, run on them. This means that even if you do not allow access to such a server via SSH or Telnet, it could still be compromised via HTTP and the executable interpreter underneath.

The bug causes Bash to unintentionally execute commands when they are stored in specially crafted environment variables, and compared to SQL Slammer in 2003 (which brought the Internet down for 12 minutes) it could be worse.

Robert Graham (at Errata Security), who discovered the bug, wrote a little test script to demonstrate it, which convinces machines to execute the ping command.

What could the ShellShock bug do?

An infected host (probably a web server) scans for its next targets (as many as it can reach) and induces them to download the exploit code; those in turn start scanning and exploiting. This could be used for a DoS (Denial of Service), to download malware, or whatever else the author of that script intends to do.

How can I test if my Bash shell is vulnerable or not?

You can run the simple command below, which will tell you whether your Bash is vulnerable or not:

env X="() { :;}; echo busted" bash -c "echo stuff"

Result: busted stuff = Bash welcomes the bug
Result: stuff = safe (for now?)
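The following script is an added example and is not part of the original post. It wraps the one-line test above in a function that reports a clear verdict for a given bash binary, and, for the HTTP vector described earlier in the post, adds a second function that counts web-server log lines carrying the "() {" function-definition prefix an exploit attempt has to smuggle into a header or query string. The function names, the sample log lines and the IP addresses are constructed for the example.

```shell
#!/bin/sh
# Added example (not from the original post): a small defender-side helper.
# shellshock_check runs the post's env-variable test against a bash binary and
# prints "vulnerable", "safe" or "no-bash"; count_shellshock_probes counts
# web-server log lines that carry the "() {" function-definition prefix the
# HTTP attack vector depends on. The log lines below are constructed samples.

# Classify the output of the env test: a vulnerable bash runs the command that
# follows the function body, so "busted" appears in the output.
classify_output() {
    case "$1" in
        *busted*) echo vulnerable ;;
        *)        echo safe ;;
    esac
}

# Run the same test the post shows against the binary named in $1
# (default: the "bash" found in PATH). Exit status: 0 safe, 1 vulnerable,
# 2 no such bash binary.
shellshock_check() {
    bash_bin="${1:-bash}"
    if ! command -v "$bash_bin" >/dev/null 2>&1; then
        echo no-bash
        return 2
    fi
    # stderr is discarded: patched versions may warn about the ignored
    # function definition attempt, which is harmless.
    out=$(env X="() { :;}; echo busted" "$bash_bin" -c "echo stuff" 2>/dev/null) || true
    result=$(classify_output "$out")
    echo "$result"
    [ "$result" = safe ]
}

# Count lines on stdin containing "()" followed by optional whitespace and "{",
# the prefix an exploit attempt must place in a header, query string or other
# value the web server copies into the environment of a CGI script.
count_shellshock_probes() {
    # grep -c exits 1 when nothing matches; still print the count (0) then.
    grep -cE '\(\)[[:space:]]*\{' || true
}

# Constructed sample access-log lines (not real traffic): two carry the
# signature in the User-Agent or Referer field, one is an ordinary request.
SAMPLE_LOG='203.0.113.5 - - [25/Sep/2014:10:00:01 +0000] "GET /cgi-bin/status HTTP/1.1" 200 512 "-" "() { :;}; echo busted"
198.51.100.9 - - [25/Sep/2014:10:00:02 +0000] "GET /index.html HTTP/1.1" 200 1024 "-" "Mozilla/5.0"
203.0.113.5 - - [25/Sep/2014:10:00:03 +0000] "GET /cgi-bin/test.cgi HTTP/1.1" 404 210 "() {:;}; echo busted" "curl/7.30"'

# Stand-alone run: check the local bash, then scan the sample log.
main() {
    echo "local bash: $(shellshock_check bash)"
    echo "suspicious log lines: $(printf '%s\n' "$SAMPLE_LOG" | count_shellshock_probes)"
}

main
```

Run it as `sh shellshock_helper.sh` on each host, or point `shellshock_check` at every bash binary you ship (for example a bundled one in an application directory, which a package manager will not update). For real logs, pipe your access log into `count_shellshock_probes` (or swap `-c` for `-n` to see the offending lines); a non-zero count on a server that exposes CGI is a strong signal that somebody is probing it. Because the first round of vendor patches was later found to be incomplete, re-run the check after every update rather than assuming the package upgrade settled it.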

Are there patches available?

Almost all Unix flavors have a patch available, which can be installed via yum, apt-get or your package manager of choice.
