mention the system(3) issue in the background section
Line 29:
The Shellshock bug affects [[Bash (Unix shell)|Bash]], a program that various [[Unix]]-based systems use to execute command lines and command scripts. It is often installed as the system's default [[command-line interface]]. Analysis of the [[source code]] history of Bash shows the bug was introduced on 5 August 1989, and released in Bash version 1.03 on 1 September 1989.<ref name="BASH105_CHANGELOG">{{cite web |last=Fox |first=Brian |title=Bash 1.05 ChangeLog |url=http://www.oldlinux.org/Linux.old/bin/old/bash-1.05/ChangeLog |date=21 March 1990 |access-date=14 October 2014}}</ref><ref name="BASHBUG-20141010-SC">{{cite web |last=Chazelas |first=Stéphane |work=Stéphane Chazelas and Chet Ramey confirm the vulnerability introduction date on Bash official communication channel |title=when was shellshock introduced |url=http://thread.gmane.org/gmane.comp.shells.bash.bugs/22418 |date=10 October 2014 |access-date=14 October 2014 |archive-url=https://web.archive.org/web/20161220033324/http://thread.gmane.org/gmane.comp.shells.bash.bugs/22418 |archive-date=20 December 2016 |url-status=dead }}</ref><ref name="Stack Exchange Thread">{{cite web |last=Chazelas |first=Stéphane |url=https://unix.stackexchange.com/questions/157381/when-was-the-shellshock-cve-2014-6271-7169-bug-introduced-and-what-is-the-pat/157495#157495 |title=When was the shellshock (CVE-2014-6271/7169) bug introduced, and what is the patch that fully fixes it? |date=25 September 2014}}</ref>
Shellshock is a [[arbitrary code execution]] vulnerability that offers a way for users of a system to execute commands that should be unavailable to them. This happens through Bash's "function export" feature, whereby one Bash [[process (computing)|process]] can share command scripts with other Bash processes that it executes.<ref>{{cite web|url=https://www.gnu.org/software/bash/manual/bash.html#Shell-Functions|title= Bash Reference Manual: Shell Functions |access-date= 2 October 2014}}</ref> This feature is implemented by encoding the scripts in a table that is shared between the processes, known as the [[environment variable]] list. Each new Bash process scans this table for encoded scripts, assembles each one into a command that defines that script in the new process, and executes that command.<ref name="exported-function">{{cite web|url= http://git.savannah.gnu.org/cgit/bash.git/tree/variables.c?id=ac50fbac377e32b98d2de396f016ea81e8ee9961#n315 |title=Bash 4.3 source code, file variables.c, lines 315-388 |access-date= 2 October 2014}}</ref> The new process assumes that the scripts found in the list come from another Bash process, but it cannot verify this, nor can it verify that the command that it has built is a properly formed script definition. Therefore, an attacker can execute arbitrary commands on the system or exploit other bugs that may exist in Bash's command interpreter, if the attacker has a way to manipulate the environment variable list and then cause Bash to run. At the time the bug was discovered, Bash was installed on [[macOS]] and many [[Linux]] operating systems as the main command interpreter, so that any program that used the <code>system</code> function to run any other program would execute Bash to do so.
The presence of the bug was announced to the public on 2014-09-24, when Bash updates with the fix were ready for distribution,<ref name="seclist-q3-666">{{cite web|url=http://seclists.org/oss-sec/2014/q3/666|title=oss-sec: Re: CVE-2014-6271: remote code execution through bash|author=Florian Weimer|work=[[Seclists.org]]|date=24 September 2014|access-date=1 November 2014}}</ref> though it took some time for computers to be updated to close the potential security issue.
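Review bot: The closing sentence of the second paragraph ("At the time the bug was discovered, Bash was installed on [[macOS]] and many [[Linux]] operating systems as the main command interpreter, so that any program that used the <code>system</code> function ... would execute Bash to do so") carries no <ref> and skips the step that makes it true: <code>system</code> hands its command to /bin/sh, so it reaches Bash only on systems where /bin/sh is Bash. Suggest naming /bin/sh explicitly and adding a source for the claim. In the same paragraph, "a [[arbitrary code execution]] vulnerability" should read "an", and the date "2014-09-24" in the following paragraph does not match the "1 October 2014" style used elsewhere on the page.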
Line 43:
==Specific exploitation vectors==
; CGI-based web server
: When a [[web server]] uses the [[Common Gateway Interface]] (CGI) to handle a document request, it copies certain information from the request into the environment variable list and then delegates the request to a handler program. If the handler is a Bash script, or if it executes
: Security documentation for the widely used [[Apache HTTP Server|Apache]] web server states: "CGI scripts can ... be extremely dangerous if they are not carefully checked,"<ref>{{cite web|url=http://httpd.apache.org/docs/2.2/misc/security_tips.html|title=Apache HTTP Server 2.2 Documentation: Security Tips|access-date=2 October 2014}}</ref> and other methods of handling web server requests are typically used instead. There are a number of online services which attempt to test the vulnerability against web servers exposed to the Internet.{{citation needed|date=September 2014}}
; OpenSSH server
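Review bot: The claim "There are a number of online services which attempt to test the vulnerability against web servers exposed to the Internet" in the CGI entry still carries {{citation needed|date=September 2014}}; since this hunk touches the entry, either source the claim or drop it. The first line of the entry as shown stops at "or if it executes", so the changed wording cannot be checked from this view; it should describe <code>system</code> the same way the background section does, so the article does not carry two diverging explanations.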
Line 152:
|url=http://lists.opensuse.org/opensuse-security-announce/2014-09/msg00042.html |title=SUSE Security Update: Security update for bash |date=28 September 2014 |publisher=[[OpenSUSE]] |access-date= 2 November 2014
}}</ref>
The following Monday and Tuesday at the end of the month, [[
On 1 October 2014, [[Michał Zalewski]] from [[Google Inc.]] finally stated that Weimer's code and bash43-027 had fixed not only the first three bugs but even the remaining three that were published after bash43-027, including his own two discoveries.<ref name="lcamtuf-oct-1" /> This means that after the earlier distribution updates, no other updates have been required to cover all the six issues.<ref name="rh-art" />
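Review bot: In the paragraph beginning "On 1 October 2014", the wording "finally stated" and "but even the remaining three" reads as editorial; suggest "stated" and "but also the remaining three". "all the six issues" should be "all six issues". The preceding line is cut off at "[[" in this view, so it cannot be reviewed here.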