Sorry your browser is not supported!

You are using an outdated browser that does not support modern web technologies, in order to use this site please update to a new browser.

Browsers supported include Chrome, FireFox, Safari, Opera, Internet Explorer 10+ or Microsoft Edge.

Geek Culture / Warning: Bash Exploit on Unix systems

Author
Message
BMacZero
18
Years of Service
User Offline
Joined: 30th Dec 2005
Location: E:/ NA / USA
Posted: 27th Sep 2014 08:46 Edited at: 27th Sep 2014 08:49
Link
This week a very serious exploit in bash was found. It allows an attacker to execute arbitrary bash commands on a computer by setting an environment variable to a specially formatted value. In particular, web servers using CGI store certain HTTP headers in environment variables, allowing an attacker to run arbitrary bash commands on a web server. If you run a Mac or other Unix system, especially one that acts as a web server, you should update bash as soon as possible.

Here is more information on why this happens:
http://seclists.org/oss-sec/2014/q3/650

Back to top
Profile PM Email Website
TheComet
16
Years of Service
User Offline
Joined: 18th Oct 2007
Location: I`m under ur bridge eating ur goatz.
Posted: 27th Sep 2014 14:44 Edited at: 27th Sep 2014 14:44
Link
Good thing I'm using ZSH

I like offending people. People who get offended should be offended. -- Linus Torvalds
Back to top
Profile PM Email Website
Aertic
16
Years of Service
User Offline
Joined: 2nd Jul 2007
Location: United Kingdom
Posted: 28th Sep 2014 04:44
Link
Quote: "Good thing I'm using ZSH "


I too know this feel. ZSH is glorious.
Back to top
Profile PM Email
Dar13
15
Years of Service
User Offline
Joined: 12th May 2008
Location: Microsoft VisualStudio 2010 Professional
Posted: 28th Sep 2014 06:56
Link
Most distributions should have a patch out now to fix this vulnerability. I know Fedora and Arch do at least and probably Debian as well.

Back to top
Profile PM Email
Seditious
10
Years of Service
User Offline
Joined: 2nd Aug 2013
Location: France
Posted: 28th Sep 2014 07:37 Edited at: 28th Sep 2014 07:41
Link
This is why I use closed-source software like Windows. No one can view the code and easily hack it, so it's much more secure and only professionals can edit it. Open-source like Unix means anyone can edit it and add viruses and bug's

You get what you pay for I guess. cheapskates had it coming. Notice Windows Servers don't have this problem.
Back to top
Profile PM
Dar13
15
Years of Service
User Offline
Joined: 12th May 2008
Location: Microsoft VisualStudio 2010 Professional
Posted: 28th Sep 2014 08:27
Link


Back to top
Profile PM Email
The Zoq2
14
Years of Service
User Offline
Joined: 4th Nov 2009
Location: Linköping, Sweden
Posted: 28th Sep 2014 11:07
Link
Quote: "Most distributions should have a patch out now to fix this vulnerability. I know Fedora and Arch do at least and probably Debian as well.
"


Ubuntu had a fix for it a few days ago I think which I assume means debian also has it.

Also, what Dar said

Say ONE stupid thing and it ends up as a forum signature forever. - Neuro Fuzzy
Back to top
Profile PM Email
TheComet
16
Years of Service
User Offline
Joined: 18th Oct 2007
Location: I`m under ur bridge eating ur goatz.
Posted: 28th Sep 2014 11:40
Link
Seditious is trolling

I like offending people. People who get offended should be offended. -- Linus Torvalds
Back to top
Profile PM Email Website
TheComet
16
Years of Service
User Offline
Joined: 18th Oct 2007
Location: I`m under ur bridge eating ur goatz.
Posted: 28th Sep 2014 21:21
Link
Just a heads up, if you think you don't have to worry about this bug because you're using /bin/sh and not /bin/bash, please note that /bin/sh is most likely a symlink to /bin/bash anyway.

You can test this with:



On my system you can see that /bin/sh is pointing to bash, so sh is also vulnerable.

You can test whether or not your shell is vulnerable by running this command:


I like offending people. People who get offended should be offended. -- Linus Torvalds
Back to top
Profile PM Email Website
Clonkex
Forum Vice President
13
Years of Service
User Offline
Joined: 20th May 2010
Location: Northern Tablelands, NSW, Australia
Posted: 29th Sep 2014 08:38
Link
Quote: "Just a heads up, if you think you don't have to worry about this bug because you're using /bin/sh and not /bin/bash, please note that /bin/sh is most likely a symlink to /bin/bash anyway."


Always surprised by how many symlinks Linux tends to use. And then you see Android's file system...


Placement Editor Professional -- Code Line Counter -- Tiled TMX Map Loader 2.0
Open Bezier Curve Library -- Image Tools -- MarbleX GUI Library -- NeoParticle
Back to top
Profile PM Email
TheComet
16
Years of Service
User Offline
Joined: 18th Oct 2007
Location: I`m under ur bridge eating ur goatz.
Posted: 29th Sep 2014 09:30 Edited at: 29th Sep 2014 09:31
Link
Quote: "Always surprised by how many symlinks Linux tends to use. And then you see Android's file system..."


It's not like we make symlinks all willy nilly, there's a very structured system behind it. For instance, if you have multiple versions of a shared library on your system, you will always find a symlink pointing to the active shared library:


The same goes with the python interpreter, a symlink points to the active one:


There are command line tools for changing the symlinks. If I need to switch versions of python, I would type:


This would set the symlink so it points at python3.3 instead of python2.7, so any future invocation of "python" would now start python 3.3.

I like offending people. People who get offended should be offended. -- Linus Torvalds
Back to top
Profile PM Email Website
Clonkex
Forum Vice President
13
Years of Service
User Offline
Joined: 20th May 2010
Location: Northern Tablelands, NSW, Australia
Posted: 29th Sep 2014 09:48
Link
Quote: "It's not like we make symlinks all willy nilly"


No no, of course not That's not what I meant. I just meant that Linux uses quite a few symlinks by default (AFAIK... when I think about it I'm mostly going off what I know about the Android file system which we've already determined is considerably different to Linux).

Quote: "For instance, if you have multiple versions of a shared library on your system, you will always find a symlink pointing to the active shared library:"


In Windows the more common solution is to simply point each individual project at the specific version you want. Just out of curiosity, what would you do if you had two projects both using Boost, and each was designed to work with a different version?

Quote: "There are command line tools for changing the symlinks. If I need to switch versions of python, I would type:"


There's CLI tools in Windows for this as well, but AFAIK nothing like this. This is cool. If I didn't somewhat dislike symlinks because of their confusing nature I'd be jealous *googles* Ah I see eselect is specific to Gentoo, but still... very cool


Placement Editor Professional -- Code Line Counter -- Tiled TMX Map Loader 2.0
Open Bezier Curve Library -- Image Tools -- MarbleX GUI Library -- NeoParticle
Back to top
Profile PM Email
TheComet
16
Years of Service
User Offline
Joined: 18th Oct 2007
Location: I`m under ur bridge eating ur goatz.
Posted: 29th Sep 2014 10:13 Edited at: 29th Sep 2014 10:16
Link
Quote: "Just out of curiosity, what would you do if you had two projects both using Boost, and each was designed to work with a different version?"


Then you can just link against the required version respectively. Most C++ programmers use cross platform build systems like CMake, which would look like this:



Works on Windows as well as on Linux.

I like offending people. People who get offended should be offended. -- Linus Torvalds
Back to top
Profile PM Email Website
Clonkex
Forum Vice President
13
Years of Service
User Offline
Joined: 20th May 2010
Location: Northern Tablelands, NSW, Australia
Posted: 29th Sep 2014 12:19
Link
Quote: "Then you can just link against the required version respectively. Most C++ programmers use cross platform build systems like CMake"


Oh I see


Placement Editor Professional -- Code Line Counter -- Tiled TMX Map Loader 2.0
Open Bezier Curve Library -- Image Tools -- MarbleX GUI Library -- NeoParticle
Back to top
Profile PM Email
Back to top

Login to post a reply

Server time is: 2024-04-20 13:16:20
Your offset time is: 2024-04-20 13:16:20