Shellshock is the new bug doing rounds and security experts are considering it to be of the same proportion as Heartbleed. Is that the case?
Shellshock in simple terms is a shock that can be passed through Shell. A shell is a utility that helps to interact with the Systems. The particular shell that this bug targets is bash shell.
If you are a windows user, you are not at all at risk, for a change. As more and more applications are moving to web and they are mostly hosted on Linux environment, we might see this as more and more of a rule and not as an exception. But if you are a Linux or Apple user than you are at risk. A
shell is similar to a command prompt of Windows.
shell is similar to a command prompt of Windows.
So how this bug works. The bug works by allowing a hacker to run commands beyond what is allowed.It's a difficult bug to exploit as the user has to send commands via HTTP request and those request should be invoking bash shell.
A simple example of exploit is when an application exposed an input box where commands can be put and the commands are fired by bash shell on the server.
The other area to look for is if you have cgi or php scripts or some other application running on your server which are invoking commands on bash shell.
Compared to Heartbleed it's a very hard bug to exploit but the impact is very high as system commands can be run which can result in even deleting data.
How to tell if my Linux System is compromised?
Check the bash version of your system by running the following command
bash -version
I see the following
GNU bash, version 4.3.8(1)-release (x86_64-pc-linux-gnu)
Now Check at National Vulnerability database. This link tells which versions of bash are affected. So looking at list I see that my bash version is affected.
To confirm further, run the following command
env shock='() { :;}; echo Shellshock' bash -c 'echo Hello'
You will see following returned back
Shellshock
Hello
If you see the above than your bash shell is vulnerable. env is a command which runs a program in a modified environment.
Now evaluate if through any application that is running on this machine as a server program, can someone pass commands to bash shell
How to Fix the vulnerability
Check your distribution of Linux and see if they have supplied the patch. You can update your operating system using the update utilities. For example in Ubuntu you can follow the following commands
sudo apt-get update
and then
sudo apt-get install
Now if you run the following command again
env shock='() { :;}; echo Shellshock' bash -c 'echo Hello'
and it the vulnerability is fixed than you should see the following
bash: warning: shock: ignoring function definition attempt
bash: error importing function definition for `shock'
Hello
If you see above you are good, otherwise check your distribution to see if the hole has been patched.
Check the bash version of your system by running the following command
bash -version
I see the following
GNU bash, version 4.3.8(1)-release (x86_64-pc-linux-gnu)
To confirm further, run the following command
env shock='() { :;}; echo Shellshock' bash -c 'echo Hello'
You will see following returned back
Shellshock
Hello
If you see the above than your bash shell is vulnerable. env is a command which runs a program in a modified environment.
Now evaluate if through any application that is running on this machine as a server program, can someone pass commands to bash shell
How to Fix the vulnerability
Check your distribution of Linux and see if they have supplied the patch. You can update your operating system using the update utilities. For example in Ubuntu you can follow the following commands
sudo apt-get update
and then
sudo apt-get install
Now if you run the following command again
env shock='() { :;}; echo Shellshock' bash -c 'echo Hello'
and it the vulnerability is fixed than you should see the following
bash: warning: shock: ignoring function definition attempt
bash: error importing function definition for `shock'
Hello
If you see above you are good, otherwise check your distribution to see if the hole has been patched.
No comments:
Post a Comment