Shellshock (software bug): Difference between revisions

Rescuing 1 sources and tagging 0 as dead.) #IABot (v2.0) (Smasongarrison - 5519
No edit summary
Line 18:
'''Shellshock''', also known as '''Bashdoor''',<ref name="NYT-20140925-NP">{{cite news |last=Perlroth |first=Nicole |title=Security Experts Expect 'Shellshock' Software Bug in Bash to Be Significant |url=https://www.nytimes.com/2014/09/26/technology/security-experts-expect-shellshock-software-bug-to-be-significant.html |date=25 September 2014 |work=[[New York Times]] |accessdate=25 September 2014 }}</ref> is a family of [[security bug]]s<ref name="TSM-20140927">Although described in some sources as a "virus," Shellshock is instead a design flaw in a program that comes with some operating systems. See => {{cite web |author=Staff |title=What does the "Shellshock" bug affect? |url= http://www.thesafemac.com/what-does-the-shellshock-bug-affect/|date=25 September 2014 |work=The Safe Mac |accessdate=27 September 2014 }}</ref> in the [[Unix]] [[Bash (Unix shell)|Bash]] [[shell (computing)|shell]], the first of which was disclosed on 24 September 2014. Shellshock could enable an attacker to cause Bash to [[arbitrary code execution|execute arbitrary command]]s and gain unauthorized access<ref name="ZDN-20140929">{{cite web |last=Seltzer |first=Larry |title=Shellshock makes Heartbleed look insignificant |url=http://www.zdnet.com/shellshock-makes-heartbleed-look-insignificant-7000034143/ |date=29 September 2014 |work=[[ZDNet]] |accessdate=29 September 2014 }}</ref> to many Internet-facing services, such as web servers, that use Bash to process requests.
 
On 12 September 2014, Stéphane Chazelas informed Bash's maintainer Chet Ramey<ref name="NYT-20140925-NP" /> of his discovery of the original bug, which he called "Bashdoor". Working with security experts, he developed [[Patch (computing)|a patch]]<ref name="NYT-20140925-NP" /> (fix) for the issue, which by then had been assigned the vulnerability identifier ''{{CVE|2014-6271}}''.<ref name="seclist-q3-650">{{cite web|url=http://seclists.org/oss-sec/2014/q3/650|title=oss-sec: Re: CVE-2014-6271: remote code execution through bash|publisher=|author=Florian Weimer|work=[[Seclists.org]]|date=24 September 2014|accessdate=1 November 2014}}</ref> The existence of the bug was announced to the public on {{date|2014-09-24}}, when Bash updates with the fix were ready for distribution.<ref name="seclist-q3-666">{{cite web|url=http://seclists.org/oss-sec/2014/q3/666|title=oss-sec: Re: CVE-2014-6271: remote code execution through bash|publisher=|author=Florian Weimer|work=[[Seclists.org]]|date=24 September 2014|accessdate=1 November 2014}}</ref>
 
The bug Chazelas discovered caused Bash to unintentionally execute commands when the commands are concatenated to the end of [[subroutine|function definitions]] stored in the values of [[environment variable]]s.<ref name="NYT-20140925-NP" /><ref name="TR-20140924">{{cite web |last=Leyden |first=John |title=Patch Bash NOW: 'Shell Shock' bug blasts OS X, Linux systems wide open |url=https://www.theregister.co.uk/2014/09/24/bash_shell_vuln/ |work=[[The Register]] |date=24 September 2014 |accessdate=25 September 2014}}</ref> Within days of its publication, a variety of related vulnerabilities were discovered (''{{CVE|2014-6277|2014-6278|2014-7169|2014-7186|2014-7187|leadout=and}}''). Ramey addressed these with a series of further patches.<ref name="ITN-20140929"/><ref name="zdnet-betterbash"/>
 
Attackers exploited Shellshock within hours of the initial disclosure by creating [[botnet]]s of compromised computers to perform [[Denial-of-service attack#Distributed attack|distributed denial-of-service attacks]] and [[vulnerability scanner|vulnerability scanning]].<ref name="Wired" /><ref name="IT-20140926-JS" /> Security companies recorded millions of attacks and probes related to the bug in the days following the disclosure.<ref name="NYT-20140926-NP" /><ref name="businessweek" />
 
Because of the potential to compromise millions of unpatched systems, Shellshock was compared to the [[Heartbleed]] bug in its severity.<ref name="ZDN-20140929" /><ref name="mit-tech">{{cite web |last1=Cerrudo |first1=Cesar |title=Why the Shellshock Bug Is Worse than Heartbleed |url=http://www.technologyreview.com/view/531286/why-the-shellshock-bug-is-worse-than-heartbleed/|date=30 September 2014 |website=[[MIT Technology Review]] |accessdate=1 October 2014 }}</ref>
 
==Background==
The Shellshock bug affects [[Bash (Unix shell)|Bash]], a program that various [[Unix]]-based systems use to execute command lines and command scripts. It is often installed as the system's default [[command-line interface]]. Analysis of the [[source code]] history of Bash shows the bug was introduced on August 5, 1989, and released in Bash version 1.03 on September 1, 1989.<ref name="BASH105_CHANGELOG">{{cite web |last=Fox |first=Brian |title=Bash 1.05 ChangeLog |url=http://www.oldlinux.org/Linux.old/bin/old/bash-1.05/ChangeLog |date=21 March 1990 |accessdate=14 October 2014}}</ref><ref name="BASHBUG-20141010-SC">{{cite web |last=Chazelas |first=Stéphane |work=Stéphane Chazelas and Chet Ramey confirm the vulnerability introduction date on Bash official communication channel |title=when was shellshock introduced |url=http://thread.gmane.org/gmane.comp.shells.bash.bugs/22418 |date=10 October 2014 |accessdate=14 October 2014 |archive-url=https://web.archive.org/web/20161220033324/http://thread.gmane.org/gmane.comp.shells.bash.bugs/22418 |archive-date=20 December 2016 |url-status=dead }}</ref><ref name="Stack Exchange Thread">{{cite web |last=Chazelas |first=Stéphane |url=https://unix.stackexchange.com/questions/157381/when-was-the-shellshock-cve-2014-6271-7169-bug-introduced-and-what-is-the-pat/157495#157495 |date=25 September 2014}}</ref>
 
Shellshock is a [[privilege escalation]] vulnerability that offers a way for users of a system to execute commands that should be unavailable to them. This happens through Bash's "function export" feature, whereby command scripts created in one running instance of Bash can be shared with subordinate instances.<ref>{{cite web|url=https://www.gnu.org/software/bash/manual/bash.html#Shell-Functions|title= Bash Reference Manual: Shell Functions |accessdate= 2 October 2014}}</ref> This feature is implemented by encoding the scripts within a table that is shared between the instances, known as the [[environment variable]] list. Each new instance of Bash scans this table for encoded scripts, assembles each one into a command that defines that script in the new instance, and executes that command.<ref name="exported-function">{{cite web|url= http://git.savannah.gnu.org/cgit/bash.git/tree/variables.c?id=ac50fbac377e32b98d2de396f016ea81e8ee9961#n315 |title=Bash 4.3 source code, file variables.c, lines 315-388 |accessdate= 2 October 2014}}</ref> The new instance assumes that the scripts found in the list come from another instance, but it cannot verify this, nor can it verify that the command that it has built is a properly formed script definition. Therefore, an attacker can execute arbitrary commands on the system or exploit other bugs that may exist in Bash's command interpreter, if the attacker has a way to manipulate the environment variable list and then cause Bash to run.
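
The verification that the new instance does not perform can be sketched as an audit run before a child shell is started. This is an added example, not Bash's code and not part of the article: the function names, the variable names and the sample values are hypothetical and constructed, and the brace counting is a heuristic, not a Bash parser.

```python
# Pre-patch Bash treated any environment value beginning with these four
# characters as an exported function definition.
FUNC_PREFIX = "() {"

def split_function_value(value):
    """Return (body, trailer) for a function-style value, or None otherwise.

    trailer is the text left after the brace that closes the function body;
    it is None when the braces never balance.
    """
    if not value.startswith(FUNC_PREFIX):
        return None
    depth = 0
    for i, ch in enumerate(value):
        if ch == "{":
            depth += 1
        elif ch == "}":
            depth -= 1
            if depth == 0:
                return value[: i + 1], value[i + 1 :].strip()
    return value, None

def audit_environment(env):
    """Classify every variable whose value looks like a function definition."""
    findings = {}
    for name, value in env.items():
        parts = split_function_value(value)
        if parts is None:
            continue
        _, trailer = parts
        if trailer is None:
            findings[name] = "malformed"
        elif trailer:
            findings[name] = "function-with-trailer"  # text concatenated after the body
        else:
            findings[name] = "function"
    return findings

def scrub_environment(env):
    """Drop all function-style values before handing env to a child shell."""
    return {k: v for k, v in env.items() if not v.startswith(FUNC_PREFIX)}

# Constructed sample environment (assumption, for illustration only).
SAMPLE_ENV = {
    "PATH": "/usr/bin:/bin",
    "greet": "() { echo hello; }",
    "UNTRUSTED_INPUT": "() { :; }; echo constructed-marker",
    "BROKEN": "() { echo",
}

if __name__ == "__main__":
    print(audit_environment(SAMPLE_ENV))
    print(scrub_environment(SAMPLE_ENV))
```
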
 
The presence of the bug was announced to the public on {{date|2014-09-24}}, when Bash updates with the fix were ready for distribution,<ref name="seclist-q3-666">{{cite web|url=http://seclists.org/oss-sec/2014/q3/666|title=oss-sec: Re: CVE-2014-6271: remote code execution through bash|publisher=|author=Florian Weimer|work=[[Seclists.org]]|date=24 September 2014|accessdate=1 November 2014}}</ref> though it took some time for computers to be updated to close the potential security issue.
Line 70:
 
===CVE-2014-6277===
Discovered by [[Michał Zalewski]],<ref name="ITN-20140929" /><ref name="HH-20140928" /><ref name="NIST-20140927">{{cite web |author=Staff |title=National Cyber Awareness System Vulnerability Summary for CVE-2014-6277 |url=https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-6277 |date=27 September 2014 |work=[[National Institute of Standards and Technology]] |accessdate=28 September 2014 }}</ref> this vulnerability relates to the parsing of function definitions in environment variables by Bash, and can cause a [[Segmentation fault|segfault]].<ref name="PCW-20140929">{{cite web |last1=Constantin |first1=Lucian |title=Improved patch tackles new Shellshock Bash bug attack vectors |url=http://www.pcworld.com/article/2688932/improved-patch-tackles-new-shellshock-attack-vectors.html |date=29 September 2014 |website=[[PC World]] |accessdate=1 October 2014 }}</ref>
 
===CVE-2014-6278===
Also discovered by [[Michał Zalewski]],<ref name="PCW-20140929" /><ref>{{cite web |author=Staff |title=National Cyber Awareness System Vulnerability Summary for CVE-2014-6278 |url=https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-6278 |date=30 September 2014 |work=[[National Institute of Standards and Technology]] |accessdate=1 October 2014 }}</ref> this bug relates to the parsing of function definitions in environment variables by Bash.
 
===CVE-2014-7169===
On the same day the original vulnerability was published, Tavis Ormandy discovered this related bug,<ref name="qualys" /> which is demonstrated in the following code:
 
Line 83:
</source>
 
On a vulnerable system, this would execute the command "date" unintentionally.<ref name="qualys" />
 
Here is an example of a system that has a patch for CVE-2014-6271 but not CVE-2014-7169: