Showing posts from September, 2014

ShellShock Basics - Updated Oct 1st

Update 2 - October 1st: As expected still lots going on;

As the mainstream media attempts to make sense of the hype surrounding the latest security vulnerability, IT support staff are left to work out what it means and determine what, if anything, needs to be done.

Background: Bash (aka Bourne-again Shell) is used as an interactive shell on most Unix-like operating systems. It comes by default on many popular platforms, such as Ubuntu and other Linux distributions, and OSX.

The bug: One feature of the shell is to allow a user to set environment variables. Unfortunately, the bash shell does a poor job of interpreting these values, and if the right sequence of characters is used, extra commands can be executed.
Apparently introduced in the 1980's

Initial NVD CVE - http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-6271

Followup NVD CVE (incomplete patch) - http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-7169
Exploitation:  By simply injecting extra code that will get pa…