Bash Vulnerability

Here are a few thoughts on the recent bash vulnerabilities:

A lot of media reports have said that only people calling CGI scripts
written in bash are at risk, but the exposure extends much further than
that because of the way the OS starts processes.

Spawning a new process (e.g. to start a CGI, regardless of whether it is
a shell script) commonly goes through a call such as system(), which
runs the command via the default shell (/bin/sh).
On many Linux systems, /bin/sh is a symlink to /bin/bash.

Therefore, to start (for example) a PHP CGI binary (on a webserver
configured with PHP as CGI, or with suPHP), the OS first invokes /bin/sh,
which in turn launches php-cgi or php-cli.

This brief pass through the default shell allowed malicious environment
variables to reach bash, which could then be exploited.

FreeBSD was unaffected because its /bin/sh is not bash.
On FreeBSD, /bin/sh is a very simple shell, as generally it is only ever
called to start processes.  It also has to be statically compiled so
that it can run during system recovery.  Statically compiled binaries
are much larger than dynamic ones.

Although OSX is based upon FreeBSD, Apple made the decision to change
the default shell to bash, which meant OSX was also vulnerable to this.

Some embedded systems were also vulnerable, but most were not.
Although many embedded systems run a form of Linux (e.g. wifi routers),
they tend to use busybox rather than bash, as bash is very bloated and
eats into the very limited ROM space on those devices.

Some newer Linux derivatives have moved from bash to 'dash', but this
has its own potential complications... it is a (relatively) new shell
which may or may not have seen as much real-world use as other
well-established shells.  However, it does not suffer from the current
bash issues.

In the last month, 5 different patches have been required for bash
(for 5 different exploits), and many believe there may be further ways
to exploit it that have not yet been discovered.

Different operating systems have patched different numbers of these
exploits, depending on their own approach.