Thork

Glad I don't have a Linux thingy
« on: September 25, 2014, 03:01:12 PM »
I have a Windows PC. Derided by Apple and Linux users and being full of viruses and very vulnerable. Imagine my puzzlement when I read this.

http://www.bbc.co.uk/news/technology-29361794

Deadly Serious .... dum dum dummmmmmmb!

Us Windows people will just sit on the side lines and see how this one plays out. :)

*

Offline Lord Dave

  • *
  • Posts: 7893
  • Grumpy old man.
    • View Profile
Re: Glad I don't have a Linux thingy
« Reply #1 on: September 25, 2014, 03:09:24 PM »
Is... is that it?

Windows had had hundreds of these.  What you should be saying is "How did this vulnerability survive years without being seen even with open source?"
The conviction will get overturned on appeal.

Thork

Re: Glad I don't have a Linux thingy
« Reply #2 on: September 25, 2014, 03:11:30 PM »
Is that you Dave, or is your computer being controlled by the Chinese?

*

Offline Lord Dave

  • *
  • Posts: 7893
  • Grumpy old man.
    • View Profile
Re: Glad I don't have a Linux thingy
« Reply #3 on: September 25, 2014, 03:12:11 PM »
Is that you Dave, or is your computer being controlled by the Chinese?
Chinese?  Please.

NSA all the way.
The conviction will get overturned on appeal.

*

Offline beardo

  • *
  • Posts: 5246
    • View Profile
Re: Glad I don't have a Linux thingy
« Reply #4 on: September 25, 2014, 03:50:07 PM »
Quote
Patch immediately
No problem.
The Mastery.

Re: Glad I don't have a Linux thingy
« Reply #5 on: September 25, 2014, 06:39:44 PM »
I would actually like one of our friendly IT people that frequent tFES to better explain what this is all about.
Quote from: Saddam Hussein
I don't know what you're implying, but you're probably wrong.

*

Offline juner

  • Planar Moderator
  • *****
  • Posts: 10251
    • View Profile
Re: Glad I don't have a Linux thingy
« Reply #6 on: September 25, 2014, 09:45:05 PM »
I would actually like one of our friendly IT people that frequent tFES to better explain what this is all about.

It is a *nix command processor that is frequently installed in Unix-like computers. If you are familiar with Windows, think of the "cmd" command line (although not technically a shell). It passes commands to the system and can do all kinds of powerful things, especially with scripting. The vulnerability is that there is an exploit that allows the hax0rs to use TCP protocols to execute bash commands on the local server. Basically, they can take control of a web server on the public facing Internet, or other protocols where NAT is used to expose the server to the Internet (telnet, ssh, etc.) All kinds of nasty things can be done from there assuming they have the necessary privileges. I am not entirely sure what the exploit affords them, but you would still need to elevate the privileges unless they are logged in as root which the one thing you aren't supposed to do.

I am sure Parsifal could expand on this more. I am a Microsoft and Cisco pro, not a *nix pro.

*

Offline Pete Svarrior

  • e
  • Planar Moderator
  • *****
  • Posts: 16287
  • (◕˽ ◕ ✿)
    • View Profile
Re: Glad I don't have a Linux thingy
« Reply #7 on: September 26, 2014, 05:55:05 AM »
Us Windows people will just sit on the side lines and see how this one plays out. :)
Got fixed in hours. Also was hardly serious to begin with. Another victory for freedom!

Also, I am now ultra safe:
« Last Edit: September 26, 2014, 06:00:28 AM by pizaaplanet »
Read the FAQ before asking your question - chances are we already addressed it.
Follow the Flat Earth Society on Twitter and Facebook!

If we are not speculating then we must assume

*

Offline xasop

  • Administrator
  • *****
  • Posts: 9856
  • Professional computer somebody
    • View Profile
Re: Glad I don't have a Linux thingy
« Reply #8 on: September 26, 2014, 04:13:35 PM »
I would actually like one of our friendly IT people that frequent tFES to better explain what this is all about.

It is a *nix command processor that is frequently installed in Unix-like computers. If you are familiar with Windows, think of the "cmd" command line (although not technically a shell). It passes commands to the system and can do all kinds of powerful things, especially with scripting. The vulnerability is that there is an exploit that allows the hax0rs to use TCP protocols to execute bash commands on the local server. Basically, they can take control of a web server on the public facing Internet, or other protocols where NAT is used to expose the server to the Internet (telnet, ssh, etc.) All kinds of nasty things can be done from there assuming they have the necessary privileges.

It's a little more complex than this. Since the vulnerability is in bash (a command interpreter, or shell), an attacker would need to find a way to cause a server to execute bash. Executing a shell to process a command is very commonly done in many different server applications, so it's not infeasible, but it does require a bit of work and some luck to get a successful attack.

Additionally, the vulnerability requires setting an environment variable prior to bash being executed. An environment variable is a piece of information set by a program that can be read by another program it executes. Therefore, a successful attack relies not only on a program executing bash, but also on the attacker being able to set arbitrary environment variables. Again, this isn't particularly uncommon, but it requires some effort on the part of the attacker.

There is also the fact that this bug is easier to patch than, say, the not-too-long-ago Heartbleed vulnerability in OpenSSL. The Heartbleed bug was a library bug, and libraries will be loaded once and kept in memory by an application while running, so upgrading the library is insufficient -- you also need to restart everything that uses it. By contrast, bash is an executable that is run when it is needed, typically not loaded into memory, so just upgrading bash will secure most installations.

Finally, not all Linux distributions use bash as their system shell (although it will generally be installed on all of them). Debian, the operating system this forum runs on, uses a much more lightweight shell called dash as its system shell. Unless an application specifically asks for bash, the default command interpreter will be dash, which isn't vulnerable.

So while this would be a severe problem if it were taken advantage of, it's difficult to predict whether an attack will be successful without knowing the details of the system you're attacking, which makes successful attacks unlikely. Combined with the fact that anyone who knows what they're doing has already patched this bug (at work, we patched all our servers the day this was announced), you have to both suck at maintaining your system and be rather unlucky to get popped. That said, it will become more likely the longer you wait to patch, as people find more and more ways to exploit it.

And yes, FES was patched long before I saw this thread. I may be too busy to post much during the week, but I'm never too busy to look after the place.

I am not entirely sure what the exploit affords them, but you would still need to elevate the privileges unless they are logged in as root which the one thing you aren't supposed to do.

The exploit allows them to essentially do anything the user they compromise is allowed to do. There are some applications which need to run as root, such as sshd, as well as OpenVPN in some configurations, and you don't get to choose which way the attacker gets in.

Best case scenario, they get in via a web server (you don't run your web server as root, right?) and start using sendmail to spam people, or mining Bitcoins. Worst case scenario, they manage to pop some root-requiring daemon and you get completely pwned.

It's all very circumstantial, but a well-managed server following general security best practices will stand a better chance against any vulnerability than one not managed properly.

Also, I am now ultra safe:


>2014
>not using Aptitude::CmdLine::Show-Versions
when you try to mock anyone while also running the flat earth society. Lol

*

Offline juner

  • Planar Moderator
  • *****
  • Posts: 10251
    • View Profile
Re: Glad I don't have a Linux thingy
« Reply #9 on: September 26, 2014, 05:26:51 PM »
ITT: A Linux admin and his neck beard.

Thank you for the in-depth explanation. It seems this isn't quite the world-ending catastrophe it is being made out to be... BIGGER THAN HEARTBLEED!!!!!!!!!!!!

Although, Thork does have a point. MS products are unaffected by both this issue as well as Heartbleed. My next web server will be IIS-based. Just like theflatearthsociety.me was during its short-lived tenure.

*

Offline jroa

  • *
  • Posts: 3094
  • Kentucky Gentleman
    • View Profile
Re: Glad I don't have a Linux thingy
« Reply #10 on: September 26, 2014, 07:25:23 PM »
Quote
Unix is an operating system on which many others are built, such as Linux and Mac OS.

I loled.

Re: Glad I don't have a Linux thingy
« Reply #11 on: September 26, 2014, 07:36:35 PM »
Thanks Parsifal, that was exactly the sort of thing I was looking for.
Quote from: Saddam Hussein
I don't know what you're implying, but you're probably wrong.

*

Offline markjo

  • *
  • Posts: 7997
  • Zetetic Council runner-up
    • View Profile
Re: Glad I don't have a Linux thingy
« Reply #12 on: September 26, 2014, 08:09:37 PM »
Although, Thork does have a point. MS products are unaffected by both this issue as well as Heartbleed. My next web server will be IIS-based. Just like theflatearthsociety.me was during its short-lived tenure.
As if IIS hasn't had its share of security issues.
http://www.cvedetails.com/vulnerability-list/vendor_id-26/product_id-3436/Microsoft-IIS.html
Abandon hope all ye who press enter here.

Science is what happens when preconception meets verification.

Ignorance more frequently begets confidence than does knowledge. -- Charles Darwin

If you can't demonstrate it, then you shouldn't believe it.

*

Offline juner

  • Planar Moderator
  • *****
  • Posts: 10251
    • View Profile
Re: Glad I don't have a Linux thingy
« Reply #13 on: September 26, 2014, 09:12:00 PM »
Although, Thork does have a point. MS products are unaffected by both this issue as well as Heartbleed. My next web server will be IIS-based. Just like theflatearthsociety.me was during its short-lived tenure.
As if IIS hasn't had its share of security issues.
http://www.cvedetails.com/vulnerability-list/vendor_id-26/product_id-3436/Microsoft-IIS.html

Markjo'd

*

Offline markjo

  • *
  • Posts: 7997
  • Zetetic Council runner-up
    • View Profile
Re: Glad I don't have a Linux thingy
« Reply #14 on: September 27, 2014, 07:32:13 PM »
Us Windows people will just sit on the side lines and see how this one plays out. :)
Got fixed in hours.
Are you sure about that?
Norihiro Tanaka, a Japanese open-source developer, noted the problem in an e-mail to the bug-bash list today. By using an environmental variable called cat—the same name as a Unix utility that can concatenate files—he was able to bypass the fixes in the latest bash patch and pass through executable commands.
Abandon hope all ye who press enter here.

Science is what happens when preconception meets verification.

Ignorance more frequently begets confidence than does knowledge. -- Charles Darwin

If you can't demonstrate it, then you shouldn't believe it.

*

Offline beardo

  • *
  • Posts: 5246
    • View Profile
Re: Glad I don't have a Linux thingy
« Reply #15 on: September 27, 2014, 10:01:12 PM »
never a dull moment
The Mastery.

*

Offline Pete Svarrior

  • e
  • Planar Moderator
  • *****
  • Posts: 16287
  • (◕˽ ◕ ✿)
    • View Profile
Re: Glad I don't have a Linux thingy
« Reply #16 on: September 28, 2014, 03:44:49 AM »
Are you sure about that?
Norihiro Tanaka, a Japanese open-source developer, noted the problem in an e-mail to the bug-bash list today. By using an environmental variable called cat—the same name as a Unix utility that can concatenate files—he was able to bypass the fixes in the latest bash patch and pass through executable commands.
Yes, I'm quite sure that the original bug has been fixed. The fact that other bugs exist is irrelevant.

We've discovered a new category of potential bugs in shells. Yes, you're gonna see a couple of them. If you're going to think they're one and the same bug, chances are you have more serious security problems than bash.
Read the FAQ before asking your question - chances are we already addressed it.
Follow the Flat Earth Society on Twitter and Facebook!

If we are not speculating then we must assume

*

Offline Rushy

  • Planar Moderator
  • *****
  • Posts: 8868
    • View Profile
Re: Glad I don't have a Linux thingy
« Reply #17 on: September 28, 2014, 03:52:50 AM »
A new category of bugs in shells? It's not like the shell is something no one ever used, ever. I can understand one bug flying under the radar, but a whole category seems like a bit much.

*

Offline Lord Dave

  • *
  • Posts: 7893
  • Grumpy old man.
    • View Profile
Re: Glad I don't have a Linux thingy
« Reply #18 on: September 28, 2014, 04:19:12 AM »
A new category of bugs in shells? It's not like the shell is something no one ever used, ever. I can understand one bug flying under the radar, but a whole category seems like a bit much.
I think it's more like a way of penetrating shell, rather than a specific vulnerability.  Much like the first method of memory leak hacking (or whatever it's called).  It didn't stop it from occurring, just caused people to try new ways of causing it.
The conviction will get overturned on appeal.

*

Offline Pete Svarrior

  • e
  • Planar Moderator
  • *****
  • Posts: 16287
  • (◕˽ ◕ ✿)
    • View Profile
Re: Glad I don't have a Linux thingy
« Reply #19 on: September 28, 2014, 04:36:51 AM »
A new category of bugs in shells? It's not like the shell is something no one ever used, ever. I can understand one bug flying under the radar, but a whole category seems like a bit much.
No, it doesn't. This is generally how security vulnerabilities work. Someone comes up with a brand new approach that no one else thought of, and, to everyone's surprise, it turns out that no one else thought of it.
Read the FAQ before asking your question - chances are we already addressed it.
Follow the Flat Earth Society on Twitter and Facebook!

If we are not speculating then we must assume