Shellshock

Open forum for security issues and info.
Forum rules
Any posts concerning pirated software or offering to buy/sell/trade commercial software are subject to removal.
User avatar
duck
Donor
Donor
Posts: 729
Joined: Mon Oct 27, 2003 5:22 pm
Location: Jakobstad, Finland
Contact:

Re: Shellshock

Unread postby duck » Fri Sep 26, 2014 11:23 am

VenomousPinecone wrote:Whaddya' mean? that's not what the floppy drive is for? All these years of my life spent in confusion.


French-kissing floppy drives is a thing I hadn't yet imagined, but alas it is now quite hard to forget.
:Octane: halo, octane Image knightrider, d i g i t a l AlphaPC164, pond, soekris net6501, misc cool stuff in a rack
N.B.: I tend to talk out of my ass. Do not take it too seriously.

User avatar
foetz
Moderator
Moderator
Posts: 6542
Joined: Mon Apr 14, 2003 4:34 am
Contact:

Re: Shellshock

Unread postby foetz » Fri Sep 26, 2014 12:04 pm

duck wrote:
robespierre wrote:

Code: Select all

$ sudo -s
# chmod -x /bin/bash
# ln -f /bin/ksh /bin/sh


fuggeddaboutit....


On linux this will likely break things badly. Remember that these kids have been thinking that sh = bash since they first licked a beige box.

i did the same on osx but with zsh. might work for linux, too

User avatar
duck
Donor
Donor
Posts: 729
Joined: Mon Oct 27, 2003 5:22 pm
Location: Jakobstad, Finland
Contact:

Re: Shellshock

Unread postby duck » Fri Sep 26, 2014 12:11 pm

foetz wrote:
robespierre wrote:

Code: Select all

# ln -f /bin/ksh /bin/sh


i did the same on osx but with zsh. might work for linux, too


That might work better, and osx probably has less of a dependency on it wrt. system scripts.
:Octane: halo, octane Image knightrider, d i g i t a l AlphaPC164, pond, soekris net6501, misc cool stuff in a rack
N.B.: I tend to talk out of my ass. Do not take it too seriously.

User avatar
josehill
Moderator
Moderator
Posts: 3303
Joined: Mon Jun 06, 2005 9:53 pm
Location: New England, USA
Contact:

Re: Shellshock

Unread postby josehill » Fri Sep 26, 2014 12:42 pm

duck wrote:
robespierre wrote:

Code: Select all

$ sudo -s
# chmod -x /bin/bash
# ln -f /bin/ksh /bin/sh

fuggeddaboutit....

On linux this will likely break things badly. Remember that these kids have been thinking that sh = bash since they first licked a beige box.

Yeah, duck is right. I'd be cautious about about simply replacing bash with ksh as "sh" on a production machine, especially if it's a multi-user machine. If you can be sure that every script is limited to basic Bourne functions, you'll probably be okay, but ksh and bash are not 100% interchangeable. They are both supersets of sh functionality, but the extra features do not completely overlap each other, and if anything calls a unique function, the results may be quite unexpected.

There is also the problem of scripts which explicitly call /bin/bash, which is usually the "correct" thing to do if you are using superset functionality.

User avatar
jan-jaap
Donor
Donor
Posts: 4881
Joined: Thu Jun 17, 2004 11:35 am
Location: Wijchen, The Netherlands
Contact:

Re: Shellshock

Unread postby jan-jaap » Fri Sep 26, 2014 1:14 pm

Debian has 'dash' as /bin/sh, but of course /bin/bash is there so that won't save you. I just installed the third bash update in 2 days :(
:PI: :Indigo: :Indigo: :Indy: :Indy: :Indy: :Indigo2: :Indigo2: :Indigo2IMP: :Octane: :Octane2: :O2: :O2+: Image :Fuel: :Tezro: :4D70G: :Skywriter: :PWRSeries: :Crimson: :ChallengeL: :Onyx: :O200: :Onyx2: :O3x02L:
To accentuate the special identity of the IRIS 4D/70, Silicon Graphics' designers selected a new color palette. The machine's coating blends dark grey, raspberry and beige colors into a pleasing harmony. (IRIS 4D/70 Superworkstation Technical Report)

User avatar
hamei
Posts: 10433
Joined: Tue Feb 24, 2004 4:10 pm
Location: over the rainbow

Re: Shellshock

Unread postby hamei » Fri Sep 26, 2014 8:09 pm

VenomousPinecone wrote:Whaddya' mean? that's not what the floppy drive is for? All these years of my life spent in confusion.

Madame Chiang ! Madame Chiang ! Is it really true ? :P
I spent a fortune on booze, birds, and fast cars ... the rest I just squandered

User avatar
ClassicHasClass
Donor
Donor
Posts: 2072
Joined: Wed Jul 25, 2012 7:12 pm
Location: Sunny So Cal
Contact:

Re: Shellshock

Unread postby ClassicHasClass » Sat Sep 27, 2014 12:57 pm

What are you saying, VP? That the floppy makes your internal drives hard?

Thank you, I'll be here all week.
smit happens.

:Fuel: bigred, 900MHz R16K, 4GB RAM, V12 DCD, 6.5.30
:Indy: indy, 150MHz R4400SC, 256MB RAM, XL24, 6.5.10
:Indigo2IMP: purplehaze, 175MHz R10000, Solid IMPACT
probably posted from Image bruce, Quad 2.5GHz PowerPC 970MP, 16GB RAM, Mac OS X 10.4.11
plus IBM POWER6 p520 * Apple Network Server 500 * RDI PrecisionBook * BeBox * Solbourne S3000 * Commodore 128 * many more...

User avatar
josehill
Moderator
Moderator
Posts: 3303
Joined: Mon Jun 06, 2005 9:53 pm
Location: New England, USA
Contact:

Re: Shellshock

Unread postby josehill » Sat Sep 27, 2014 1:48 pm

ClassicHasClass wrote:What are you saying, VP? That the floppy makes your internal drives hard?

Thank you, I'll be here all week.

I'm tempted to issue a Moderator's Warning for corniness. :D

User avatar
ClassicHasClass
Donor
Donor
Posts: 2072
Joined: Wed Jul 25, 2012 7:12 pm
Location: Sunny So Cal
Contact:

Re: Shellshock

Unread postby ClassicHasClass » Sat Sep 27, 2014 9:13 pm

Hey, I'm just staying classy.
smit happens.

:Fuel: bigred, 900MHz R16K, 4GB RAM, V12 DCD, 6.5.30
:Indy: indy, 150MHz R4400SC, 256MB RAM, XL24, 6.5.10
:Indigo2IMP: purplehaze, 175MHz R10000, Solid IMPACT
probably posted from Image bruce, Quad 2.5GHz PowerPC 970MP, 16GB RAM, Mac OS X 10.4.11
plus IBM POWER6 p520 * Apple Network Server 500 * RDI PrecisionBook * BeBox * Solbourne S3000 * Commodore 128 * many more...

User avatar
ClassicHasClass
Donor
Donor
Posts: 2072
Joined: Wed Jul 25, 2012 7:12 pm
Location: Sunny So Cal
Contact:

Re: Shellshock

Unread postby ClassicHasClass » Mon Sep 29, 2014 10:10 am

smit happens.

:Fuel: bigred, 900MHz R16K, 4GB RAM, V12 DCD, 6.5.30
:Indy: indy, 150MHz R4400SC, 256MB RAM, XL24, 6.5.10
:Indigo2IMP: purplehaze, 175MHz R10000, Solid IMPACT
probably posted from Image bruce, Quad 2.5GHz PowerPC 970MP, 16GB RAM, Mac OS X 10.4.11
plus IBM POWER6 p520 * Apple Network Server 500 * RDI PrecisionBook * BeBox * Solbourne S3000 * Commodore 128 * many more...

User avatar
josehill
Moderator
Moderator
Posts: 3303
Joined: Mon Jun 06, 2005 9:53 pm
Location: New England, USA
Contact:

Re: Shellshock

Unread postby josehill » Mon Sep 29, 2014 10:45 am

Thanks, CHC. Much appreciated!

User avatar
jwp
Posts: 156
Joined: Sun Nov 18, 2012 7:14 pm
Location: China

"Shellshock" Bash bug

Unread postby jwp » Tue Sep 30, 2014 3:09 am

Everyone has criticized the Bourne syntax and its ambiguity for the last 30 years, and now I guess the chickens are coming home to roost. It doesn't help that Bash is more complex and adds numerous features (basically a superset of ksh88). Fortunately BSD and Debian-derived systems are mostly safe from it ("/bin/sh" is not Bash on those systems).

Updating is easy and only takes a few seconds, but it's unfortunate that it has to happen at all. I wouldn't be sad if Linux distros just replaced Bash with mksh for a standard shell (upgrade to "rc"?). Really, the features of ksh88 were always good enough. We don't need SSH host autocompletion or other stupid things. Unfortunately part of the GNU strategy in the 1980s was to extend Unix programs by adding more features so everyone would want the "super" versions. Some of their improvements were good, like removing artificial limits, and using more efficient algorithms, but adding features led to bloat.

Edsger Dijkstra wrote:How do we convince people that in programming simplicity and clarity —in short: what mathematicians call "elegance"— are not a dispensable luxury, but a crucial matter that decides between success and failure?

Edsger Dijkstra wrote:Simplicity is a great virtue but it requires hard work to achieve it and education to appreciate it. And to make matters worse: complexity sells better.

On Debian 7:

Code: Select all

$ ls -l /bin/{bash,dash,ksh93,mksh} /usr/bin/rc
-rwxr-xr-x 1 root root  975488 Sep 25 14:49 /bin/bash
-rwxr-xr-x 1 root root  106920 Mar  1  2012 /bin/dash
-rwxr-xr-x 1 root root 1489008 Jan  2  2013 /bin/ksh93
-rwxr-xr-x 1 root root  293648 Feb 15  2013 /bin/mksh
-rwxr-xr-x 1 root root   89720 Feb 24  2012 /usr/bin/rc
$ ls -l /bin/sh
lrwxrwxrwx 1 root root 4 Mar  1  2012 /bin/sh -> dash
Debian GNU/Linux on a ThinkPad, running a simple setup with FVWM.

User avatar
Kumba
Posts: 234
Joined: Mon May 24, 2004 12:14 am
Location: Byzantine Secundus

Re: "Shellshock" Bash bug

Unread postby Kumba » Wed Oct 01, 2014 12:26 am

Ironically, I *think* NetWare 6.5 is affected, too. It comes with bash-3.0 and several other GNU/BSD utilities built as NLMs (NetWare Loadable Modules). I tested the original CVE-2014-6271 exploit on it, and it doesn't work immediately, but if you exit and reload BASH.NLM, it seems to suddenly process the environment var set and partially execute the bug. Haven't seen a patch from Novell yet to address the issue. I might go badger them just for fun...
:Onyx2: 4x R14000 :Tezro: 4x R16000 :Fuel: 1x R16000 :Octane: 2x R14000 :O2+: RM7000 :O2: R10000 :O2: RM5200 :Indigo: R4400 :Indigo2IMP: R10000 :Indigo2: R8000 :O3x0: 4x R14000 :Indy: R5000

"The past tempts us, the present confuses us, the future frightens us. And our lives slip away, moment by moment, lost in that vast, terrible in-between."
--Emperor Turhan, Centauri Republic

User avatar
ClassicHasClass
Donor
Donor
Posts: 2072
Joined: Wed Jul 25, 2012 7:12 pm
Location: Sunny So Cal
Contact:

Re: "Shellshock" Bash bug

Unread postby ClassicHasClass » Wed Oct 01, 2014 9:37 am

4.3.28 is out, and the 10.4+ universal binary is updated, which should fix all five CVEs finally.

http://tenfourfox.blogspot.com/2014/09/ ... dated.html
Last edited by josehill on Wed Oct 01, 2014 10:11 pm, edited 1 time in total.
Reason: fixed typo in link
smit happens.

:Fuel: bigred, 900MHz R16K, 4GB RAM, V12 DCD, 6.5.30
:Indy: indy, 150MHz R4400SC, 256MB RAM, XL24, 6.5.10
:Indigo2IMP: purplehaze, 175MHz R10000, Solid IMPACT
probably posted from Image bruce, Quad 2.5GHz PowerPC 970MP, 16GB RAM, Mac OS X 10.4.11
plus IBM POWER6 p520 * Apple Network Server 500 * RDI PrecisionBook * BeBox * Solbourne S3000 * Commodore 128 * many more...

User avatar
foetz
Moderator
Moderator
Posts: 6542
Joined: Mon Apr 14, 2003 4:34 am
Contact:

Re: "Shellshock" Bash bug

Unread postby foetz » Wed Oct 01, 2014 9:07 pm

a second shellshock thread now :shock:


Return to “SGI: Security”

Who is online

Users browsing this forum: No registered users and 1 guest