For more than 20 years, a very serious bug in our beloved bash simply went unnoticed. What have we learned? Most versions of Linux and Unix, even Mac OS X, have been found to be affected by a very serious flaw in the Bourne Again Shell, generally known as bash. Remote code execution could have become a serious problem for so many of us — and a convenient “hole” for the hacker community — had the problem been exploited all these years. And, frankly, who is to say that it hasn’t? The indications from the field seem to be that hackers are only getting active now and that some fixes may not be effective as initially believed.While the vendors have been quick to address the problem once it was brought to ourattention, the fact that it existed for more than two decades is seriously unsettling. The gist of the problem seems to be that malicious code can be tacked onto an environment variable and, from there, have many serious consequences. Symantec has listed the following exploits (see http://www.symantec.com/en/uk/outbreak/?id=shellshock): 1. Simple “vulnerability checks” that used custom User-Agents 2. Bots using the shellshock vulnerability 3. Vulnerability checks using multiple headers 4. Using Multiple headers to install perl reverse shell ( example: shell connects to 46.246.34.82 port 1992) 5. Using User-Agent to report system parameters back 6. User-Agent used to install perl boxMost Unix providers have already addressed the problem with patches. These include RedHat, Debian, Ubuntu, CentOS, Novell/SUSE, and Apple. Maybe others as well. One simple test for vulnerability is shown below. I put this command into a script to make it easier to ship around a network. If this script comes back and reports that you’re vulnerable, you should go after your OS vendor to fix your systems ASAP. Most likely, you will simply have to grab the newest patch for bash. It should be a quick fix.#!/bin/bash env x='() { :;}; echo Server is vulnerable' bash -c "echo" The emergence of shellshock calls into question how effectively the tools we depend on are tested. How much can we really test when we don’t know what we’re looking for? Even those of us set up with sophisticated vulnerability scanners can’t detect what the scanners don’t anticipate finding.Of course, while the fact that this bug went unnoticed for more than twenty years is unsettling, it doesn’t mean the core of any Unix implementation is ripe with bugs. It just means that the testing isn’t as thorough as we’d like to believe. And maybe this discovery, as much as it has shaken us up, will also usher in an era of even more rigorous testing in the design and development phases of the products we all use — maybe even those that have been around for decades.flickr / Pascal https://creativecommons.org/licenses/by/2.0/ Related content how-to Compressing files using the zip command on Linux The zip command lets you compress files to preserve them or back them up, and you can require a password to extract the contents of a zip file. By Sandra Henry-Stocker May 13, 2024 4 mins Linux opinion NSA, FBI warn of email spoofing threat Email spoofing is acknowledged by experts as a very credible threat. By Sandra Henry-Stocker May 13, 2024 3 mins Linux how-to The logic of && and || on Linux These AND and OR equivalents can be used in scripts to determine next actions. By Sandra Henry-Stocker May 02, 2024 4 mins Linux how-to Using the apropos command on Linux By Sandra Henry-Stocker Apr 24, 2024 3 mins Linux PODCASTS VIDEOS RESOURCES EVENTS NEWSLETTERS Newsletter Promo Module Test Description for newsletter promo module. Please enter a valid email address Subscribe