
Bash specially-crafted environment variables code injection attack


securitybreach


securitybreach

This is rather serious and should be patched right away on your distro. If you are using Archlinux and updated today, you will have gotten the patched version of bash today.

 

Bash specially-crafted environment variables code injection attack

 

Bash, or the Bourne again shell, is a UNIX-like shell, which is perhaps one of the most installed utilities on any Linux system. From its creation in 1980, bash has evolved from a simple terminal-based command interpreter to many other fancy uses.

 

In Linux, environment variables provide a way to influence the behavior of software on the system. They typically consist of a name which has a value assigned to it. The same is true of the bash shell. It is common for a lot of programs to run the bash shell in the background. It is often used to provide a shell to a remote user (via ssh, telnet, for example), provide a parser for CGI scripts (Apache, etc.) or even provide limited command execution support (git, etc.).

 

Coming back to the topic, the vulnerability arises from the fact that you can create environment variables with specially-crafted values before calling the bash shell. These variables can contain code, which gets executed as soon as the shell is invoked. The name of these crafted variables does not matter, only their contents.

https://securityblog...jection-attack/

  • Like 2
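The mechanism the quoted post describes (a value that looks like a function definition, followed by extra text that a broken bash runs while importing the variable) can be turned into a host self-check. The script below is an added example, not from the thread or the linked blog post: it runs a bash binary with one such variable in its environment and reports whether the trailing command executed. The variable name PROBE and the marker string SHELLSHOCK_MARKER are constructed for this example; as the post notes, the name is irrelevant and only the value matters.

```shell
#!/bin/sh
# Added example (not from the thread): defender-side self-check for the
# bash environment-variable code injection described above.

# Turn the probe's combined stdout/stderr into a status word. A bash that
# executes the trailing command prints the marker; a patched bash does not
# (it may print "ignoring function definition attempt" warnings instead,
# which still counts as patched here).
classify_probe_output() {
    case "$1" in
        *SHELLSHOCK_MARKER*) echo "vulnerable" ;;
        *)                   echo "patched" ;;
    esac
}

# Probe one bash binary; default is whatever "bash" resolves to on PATH.
# Prints exactly one of: vulnerable, patched, bash-not-found.
shellshock_status() {
    target="${1:-bash}"
    case "$target" in
        */*) [ -x "$target" ] || { echo "bash-not-found"; return 0; } ;;
        *)   command -v "$target" >/dev/null 2>&1 || { echo "bash-not-found"; return 0; } ;;
    esac
    # The function body "{ :; }" does nothing; the text after "}" is the
    # part a vulnerable bash wrongly executes while importing the variable.
    # "-c true" gives bash nothing else to do, so any marker output comes
    # from the import step alone.
    out=$(env PROBE='() { :; }; echo SHELLSHOCK_MARKER' "$target" -c 'true' 2>&1)
    classify_probe_output "$out"
}

# Print the status for the default bash, or for each path given as an
# argument (e.g. /bin/bash /usr/local/bin/bash when several copies exist,
# since an updated package fixes only the copy it owns).
report_bash_status() {
    if [ $# -eq 0 ]; then
        set -- bash
    fi
    for b in "$@"; do
        printf '%s: %s\n' "$b" "$(shellshock_status "$b")"
    done
}

report_bash_status "$@"
```

Run it once after updating; a "vulnerable" line means the package on that path was not replaced, which is the case to look for when more than one bash is installed or when a service runs with its own copy.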

Guest LilBambi

All updated on my Raspbian.

 

Debian says it's pushed out but I have been offered it when I do apt-get update and apt-get upgrade. Still shows zero packages needing updated.


V.T. Eric Layton

Something you Linux folks need to understand also... there are two types of shells:

  • the login shell
  • the interactive shell

The login shell is the shell used by the operating system when you first login. Even if you don't physically login at a command line, your desktop graphical user interface is logging you in automatically. This shell is almost always bash in most distributions.

 

The interactive shell is the one you bring up in terminal or at the non-graphic command line as a user to manipulate directories, files, and implement commands which perform certain functions.

 

Here's the important thing to know: when you change your user shell, usually by using this command:

 

# chsh -s /bin/zsh <your username>

 

you are ONLY changing the shell from bash to zsh for your non-root user on the system. This means that the operating system's login shell and the root shell are both still bash. Be aware of this. This is why it's important to update your bash shell software on your systems regardless of the shell you're using for your user.

 

You can check to see what shell you are currently using by entering this command:

 

$ echo $0

 

Alrighty, then. Off you go. Have fun!

 

Oh, and I did play around a bit with zsh, but it's going to require some work to set it up and get my .zshrc file the way I want it. Something to tinker with during the long cold winter nights, I think.

  • Like 2
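The point of the post above is that chsh changes one account's login shell and nothing else; root and the system accounts keep whatever /etc/passwd says, which is usually bash. The script below is an added example, not from the thread: it reads passwd-format text and lists which accounts would still get bash at login, independent of what `echo $0` shows in your own terminal. The passwd content is constructed for the example so it runs offline; feed it the real /etc/passwd to audit a host.

```shell
#!/bin/sh
# Added example (not from the thread): which accounts still log in with bash?

# Constructed sample /etc/passwd content; not taken from any real system.
SAMPLE_PASSWD='root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
eric:x:1000:1000:Eric:/home/eric:/bin/zsh
git:x:998:998:git daemon user:/var/lib/git:/bin/bash
nobody:x:65534:65534:nobody:/nonexistent:/usr/sbin/nologin'

# List "account:shell" for every account whose login shell is bash, reading
# passwd-format text from $1. Field 7 is the login shell; the pattern matches
# /bin/bash, /usr/bin/bash or a bare "bash", but not rbash or zsh.
bash_login_accounts() {
    printf '%s\n' "$1" | awk -F: '$7 ~ /(^|\/)bash$/ { print $1 ":" $7 }'
}

# How many accounts still get bash at login.
count_bash_login_accounts() {
    bash_login_accounts "$1" | wc -l | tr -d ' '
}

# Look up one account's login shell; prints nothing if the account is absent.
login_shell_of() {
    printf '%s\n' "$2" | awk -F: -v u="$1" '$1 == u { print $7 }'
}

# Report against the sample data; use "$(cat /etc/passwd)" for a live host.
passwd_text="$SAMPLE_PASSWD"
echo "shell running this script: $0"
echo "login shell for eric: $(login_shell_of eric "$passwd_text")"
echo "login shell for root: $(login_shell_of root "$passwd_text")"
echo "accounts still logging in with bash: $(count_bash_login_accounts "$passwd_text")"
bash_login_accounts "$passwd_text"
```

In the sample, eric has switched to zsh but root and the git service account still use bash, which is exactly why the bash package has to be updated whatever your own user's shell is.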

securitybreach

Is zsh susceptible to this vulnerability?

 

Even if you do not use bash, it can still be a problem as a very large majority of applications have bash as a dependency so it is still installed.

  • Like 1

http://www.vox.com/2014/9/25/6843949/the-bash-bug-explained

 

Now that the Bash Bug is haunting our Linux/BSD world, what are you going to do??

Are you going to still keep on using BASH, and take your chances?

 

I made a decision to start using ZSH until a solution has been found for the bash thing.

Hopefully doing that, the bash bug will not come knocking at my door.

 

What are your plans about this problem?

 

Cheers!


The last thing that I read, is that they are still trying to figure it out, and what to do about it. They say that it's worse than the Heartbleed problem. AFAIK, no solution has been put out yet. The link above, will give you a headstart to bone up on the topic.

 

Are you going to still keep on using BASH, or switch to another one, as long as this problem still exists? Even if they do find a cure, in the meantime, there are a lot of entities out there that still have to cope with this problem.

 

Cheers!


securitybreach

I absolutely love zsh and I have been using it for over a year, but just because you switched shells doesn't mean that you're immune to the bash issue. Since most applications depend on bash, whether you actually use it or not doesn't matter any as you still have it installed.

 

BTW this issue has already been solved so unless you are not updating your server, then there is no reason to start worrying.

  • Like 3
