A serious security flaw has been discovered in a ubiquitous utility program present on a wide variety of important computer systems, including many Unix-based servers and Macintosh desktop computers.
“Shell shock”, as it has been dubbed, has meant another round of sleepless nights for system administrators around the world as they attempt to protect their systems, and Mac users should be wary until a fix for their systems is available.
The security flaw, discovered by Edinburgh-based programmer Stephane Chazelas, affects a software tool called Bash.
Bash – the duct tape of a Unix system
Bash is a Unix shell, or “command-line interpreter”: a tool all too familiar to people who used a personal computer in the 1980s and early 1990s, but one that younger computer users may never have seen directly.
Shells have a similar job to the recently reinstated Start Menu on a Windows PC – they are used to start other applications on a system. Despite the fact that most non-technical users haven’t had to use shells for many years, they are still installed on every Windows or Mac OS X computer, as well as all Linux and Unix systems.
Windows systems use their own unique shell, which is not affected by the current bug. But many (though not all) Unix-based systems, including Mac OS X, by default use Bash.
Bash (which stands for Bourne Again SHell) was first released in 1989 by programmer Brian Fox and is now distributed as free (open source) software by the GNU Project. Its design can be directly traced back to the origins of Unix in the late 1960s.
System administrators and programmers still often use shells directly, for a variety of reasons. But the security risk from the current bug primarily relates to another use of shells – as a largely invisible intermediary when one program starts another.
Starting a program may appear simple, but the process of figuring out exactly which program to execute, and providing configuration information, can actually be quite complicated.
Therefore, many systems delegate this process to the shell, rather than tackling it directly, and Bash acts as the duct tape that binds systems together. For instance, the Apache web server can use Bash in this way to invoke other programs to generate dynamic web pages.
Mishandling configuration information
The bug in Bash, present in all versions dating back at least to 1994, relates to the handling of configuration information. (A more technical summary of the bug and its consequences is available from Unix vendor Red Hat.)
Bash should simply pass such configuration information to the programs it starts on either the user’s or another program’s behalf. But a maliciously formatted configuration “string” can cause Bash to do literally anything the “user” running Bash has permission to do.
When Bash was used as originally designed, by a human at a command prompt, this was no big deal. A user who could enter these configuration strings could issue the same (potentially malicious) commands at a command prompt anyway.
The problem today is that other programs, accessible via a network, pass information received from possibly malicious sources on the internet as configuration strings to Bash. Bash could then misinterpret these as commands to execute.
For instance, as previously mentioned, one way the common Unix-based Apache web server can dynamically generate web pages uses Bash in an intermediary role.
If this particular feature is enabled on a specific web server, a remote attacker could send a malicious request for a web page that causes Bash to be invoked and the maliciously formatted configuration information to be passed to it. Bash will then run the commands the attacker requests on the web server, giving the attacker full control over the server.
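A local check for the behaviour described above, added here as an example and not taken from the article or from the Bash project. It assumes the "configuration strings" are environment variables whose value begins with a function definition; the names check_shell, audit_shells and probe are hypothetical.

```shell
#!/bin/sh
# Added example: tests whether a shell runs a command that trails a function
# definition held in an environment variable (the flaw described above).

# check_shell SHELL -> prints "vulnerable", "not vulnerable", "inconclusive"
# or "not found". The names check_shell, audit_shells and probe are made up.
check_shell() {
    shell_bin=$1
    if ! command -v "$shell_bin" >/dev/null 2>&1; then
        echo "not found"
        return 0
    fi
    marker="SHOCKED_$$"   # constructed marker text, harmless when echoed
    # Constructed probe value: a function definition followed by an echo.
    # A fixed shell keeps the value as plain text and prints only "ran".
    out=$(env probe="() { :; }; echo $marker" \
          "$shell_bin" -c 'echo ran' 2>/dev/null) || true
    case $out in
        *"$marker"*) echo "vulnerable" ;;
        *ran*)       echo "not vulnerable" ;;
        *)           echo "inconclusive" ;;
    esac
}

# audit_shells: check bash and sh on PATH, plus any path ending in /bash or
# /sh listed in /etc/shells (on some systems /bin/sh is Bash).
audit_shells() {
    {
        command -v bash || true
        command -v sh || true
        if [ -r /etc/shells ]; then
            grep -E '^/.*/(ba)?sh$' /etc/shells || true
        fi
    } 2>/dev/null | sort -u | while read -r path; do
        [ -n "$path" ] || continue
        printf '%s: %s\n' "$path" "$(check_shell "$path")"
    done
}

audit_shells
```

A "not vulnerable" result covers only the behaviour this article describes; it does not replace installing the vendor's current Bash update.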
The Latest Software Testing News department was not involved in the creation of this content.