Here are a few thoughts on the recent bash vulnerabilities.

A lot of media reports have said that only people calling CGI scripts with bash are at risk, but the problem extends much further than that because of the way the OS works. Spawning a new process (e.g. to start a CGI, regardless of whether it is a shell script) involves a system call that uses the default shell (/bin/sh) to launch the process. On many Linux systems, /bin/sh is a symlink to /bin/bash. Therefore, to start (for example) a PHP CGI binary (on a webserver configured with PHP as CGI, or suPHP), the OS first calls /bin/sh, which in turn calls php-cgi or php-cli. This brief call to the default shell allowed malicious environment variables to be passed to bash, which could exploit it.

FreeBSD was unaffected because /bin/sh is not bash there. On FreeBSD, /bin/sh is a very simple shell, as generally it is only ever called to start processes. It also has to be statically compiled so that it can run during system recovery, and statically compiled binaries are much larger than dynamic ones. Although OS X is based upon FreeBSD, Apple made the decision to change the default shell to bash, which meant OS X was also vulnerable.

Some embedded systems were also vulnerable, but most were not. Although many embedded systems run a form of Linux (e.g. wifi routers), they tend to use busybox rather than bash, as bash is very bloated and eats into the very limited ROM space on such devices.

Some newer Linux derivatives have moved from bash to 'dash', but this has its own potential complications: it is a (relatively) new shell that may or may not have as much field experience as other well-established shells. However, it does not suffer from the current bash issues.

To date, in the last month, 5 different patches have been required for bash (for 5 different exploits), and many believe there may be more ways to exploit it that have not yet been discovered. Some operating systems have patched different numbers of the exploits depending on their own methods.
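To check the two points above on your own host, here is an added example (not code from the original post): it resolves which binary really sits behind /bin/sh, and probes whether that shell still imports a trailing command from a function-style environment variable. The probe only echoes a harmless marker; the function names are my own.

```shell
#!/bin/sh
# Added example, not from the original post. Reports which binary is
# actually executed when a program asks for "/bin/sh", and whether that
# shell imports trailing code from a function-style environment variable.

# Follow the symlink chain from /bin/sh to the real binary.
# readlink -f exists on GNU coreutils, busybox and modern BSDs; if it is
# missing we fall back to the unresolved path.
default_shell_binary() {
    readlink -f /bin/sh 2>/dev/null || echo /bin/sh
}

# Basename of that binary: "bash", "dash", "busybox", "sh", ...
default_shell_name() {
    basename "$(default_shell_binary)"
}

# Probe one shell binary (default /bin/sh). The variable value looks like
# an exported function definition followed by extra text. An unpatched
# bash executes the extra text while importing the variable; a patched
# bash, dash, the BSD sh and busybox ash ignore it. Prints
# "imports-trailing-code" or "safe"; nothing on the system is modified.
shell_imports_trailing_code() {
    shell="${1:-/bin/sh}"
    out=$(PROBE='() { :;}; echo marker' "$shell" -c 'true' 2>/dev/null)
    if [ "$out" = "marker" ]; then
        echo imports-trailing-code
    else
        echo safe
    fi
}

# Human-readable summary for an administrator.
report() {
    echo "/bin/sh resolves to: $(default_shell_binary) ($(default_shell_name))"
    echo "/bin/sh function import: $(shell_imports_trailing_code /bin/sh)"
    if [ -x /bin/bash ]; then
        echo "/bin/bash function import: $(shell_imports_trailing_code /bin/bash)"
    fi
}

report
```

A result of "imports-trailing-code" for /bin/sh means every program that spawns a child through the default shell, not just bash CGI scripts, exposes the affected bash to environment variables it did not choose.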
Bash Vulnerability