# The Good, the Bash & the Ugly: "Shellshock" Bug



## tmp (Sep 26, 2014)

I searched on the forums to make sure no one had posted this beforehand, as this is a rather alarming story making the rounds of news circuits.
Source: New York Times, "Security Experts Expect ‘Shellshock’ Software Bug in Bash to Be Significant"

From the US National Institute of Standards and Technology's Vulnerability Database (emphasis added):


> GNU Bash through 4.3 processes trailing strings after function definitions in the values of environment variables, *which allows remote attackers to execute arbitrary code* via a crafted environment, as demonstrated by vectors involving the ForceCommand feature in OpenSSH sshd, the mod_cgi and mod_cgid modules in the Apache HTTP Server, scripts executed by unspecified DHCP clients, and other situations in which setting the environment occurs across a privilege boundary from Bash execution.
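
The NVD text above describes the function-import behaviour behind CVE-2014-6271: bash imported any environment variable whose value started with `() {` as a function, and kept parsing, and executing, whatever followed the closing brace. The following POSIX sh function is an added example (my code, not from the NVD entry or from any post in this thread) that applies the widely published probe for that bug to a shell binary of your choice. It assumes only that `env` is on the PATH; the shell to test is passed as an argument and defaults to `bash`.

```shell
#!/bin/sh
# shellshock_check SHELL
#   Prints one word and sets an exit status:
#     vulnerable (status 1) - code after the imported function body was executed
#     patched    (status 0) - the import ignored the trailing code or refused it
#     missing    (status 2) - SHELL is not installed or not executable
shellshock_check() {
    sh_bin=$1
    if ! command -v "$sh_bin" >/dev/null 2>&1; then
        echo missing
        return 2
    fi
    # Export a variable that looks like a function definition with a trailing
    # command. A vulnerable bash runs "echo vulnerable" while importing it; a
    # fixed bash (4.3 patch 25 and later) only imports the function, or, with
    # the later BASH_FUNC_x%% encoding, does not treat plain "x" as one at all.
    # stderr is discarded because the patched bash prints a warning there.
    out=$(env x='() { :;}; echo vulnerable' "$sh_bin" -c 'echo probe' 2>/dev/null || true)
    case $out in
        *vulnerable*) echo vulnerable; return 1 ;;
        *)            echo patched;    return 0 ;;
    esac
}

# Usage: sh shellshock_check.sh [/path/to/bash]; defaults to whatever "bash" is on PATH.
shellshock_check "${1:-bash}"
```

Run it against every bash binary on the box, not just the first one on the PATH: on FreeBSD the port installs `/usr/local/bin/bash`, and a stale copy left in a jail or a chroot is just as exploitable as the main one. A `patched` result only covers this first bug; the follow-up CVEs found in the same parser need the later patch levels, so the check is a floor, not proof that the installed version is current.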


----------



## scottro (Sep 26, 2014)

The FreeBSD port has already been updated.  When I last looked (this morning) the package was still at a vulnerable version.  (Although if one has multiple machines, one can install the port on one machine, and then make a package from the port.)


----------



## tmp (Sep 26, 2014)

scottro said:
> The FreeBSD port has already been updated.  When I last looked (this morning) the package was still at a vulnerable version.  (Although if one has multiple machines, one can install the port on one machine, and then make a package from the port.)



I'm doubly glad to hear that. This story broke right after I migrated my multimedia production desktop over from Debian GNU/Linux to FreeBSD so I was worried that that I was "out of the frying pan, into the fire."


----------



## scottro (Sep 26, 2014)

Did you install the bash shell?  (I was going to give it a ports tag, but to do that, one has to do shell/bash, and shells/bash shell seems to be an awkward sentence.  Hrrm, shells/bash shell--yeah, let's leave it with a file, rather than ports, tag.)
If not then, at least as far as I know, you shouldn't be affected.  

If you did install it, then as I said, you can upgrade the port.  If you have multiple machines you can then build a package with `pkg create bash` and then install it on your other systems with `pkg install bash-<name-of-file>` (-4.3.25.txz, I think).


----------



## Oko (Sep 26, 2014)

scottro said:
> The FreeBSD port has already been updated.  When I last looked (this morning) the package was still at a vulnerable version.  (Although if one has multiple machines, one can install the port on one machine, and then make a package from the port.)


I am just curious why people use bash on any BSDs to begin with? I will honestly confess that I have bash installed on some OpenBSD shell gateways because most people use bash as a default home shell and I didn't want to force them to use ksh, but I do not have Bash on any of the key network machines (running OpenBSD) or file servers (mostly FreeNAS and some DragonFly) in my lab.


----------



## tmp (Sep 26, 2014)

scottro said:
> Did you install the bash shell?  (I was going to give it a ports tag, but to do that, one has to do shell/bash, and shells/bash shell seems to be an awkward sentence.  Hrrm, shells/bash shell--yeah, let's leave it with a file, rather than ports, tag.)
> If not then, at least as far as I know, you shouldn't be affected.
> 
> If you did install it, then as I said, you can upgrade the port.  If you have multiple machines you can then build a package with `pkg create bash` and then install it on your other systems with `pkg install bash-<name-of-file>` (-4.3.25.txz, I think).



I haven't installed it; I was going to until I found out about this bug. I'm willing to learn and embrace (what are for me) new things from the FreeBSD side of computing but I still like some of my Free Software tools from Debian GNU/Linux (e.g. Bash, gcc*, GNU Emacs**).

----------------
* I have compiled that separately from ports using information found in the Handbook.
** I prefer Emacs enough to own an autographed copy of the sixteenth edition of the manual.


----------



## zspider (Sep 26, 2014)

Had it installed because some things like the minecraft-client won't work without it, but I removed it upon hearing about the vulnerability.


----------



## SirDice (Sep 26, 2014)

Oko said:
> I am just curios why people use bash on any BSDs to begin with?


You may not actively use it but if I remember correctly it does get pulled in when installing Gnome. A few other ports seem to depend on it as well.


----------



## AzaShog (Sep 26, 2014)

I don't get what the fuss is about this one. It's "just" another arbitrary code execution security hole. It's a very dangerous thing, don't get me wrong, but it's also something that happens every now and then with various software in the form of various buffer overflows, heap overflows, unsanitized inputs, but especially (and far more malicious) badly written Wordpress plugins (or Joomla, or NameYourPHPSoftware) that allow any executable to be uploaded and executed, etc... At least for this you need a specific set of circumstances to cause remote mayhem - e.g. a SECONDARY vulnerability that allows you to deliver a malicious payload to bash... that's not easy to do. Sure, you'll find a ton of servers with long-forgotten CGI scripts allowing that, but you'll also find an even greater number of the above-mentioned unpatched Wordpress installations...

It's business as usual for server administrators.
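
The delivery path AzaShog is describing is the one the NVD entry names first: Apache's mod_cgi copies request headers into `HTTP_*` environment variables before it executes the script, so a `User-Agent` or `Referer` header that starts with `() {` lands in bash's environment unchanged. That makes attempts easy to spot after the fact, because the function-definition prefix is logged verbatim in the combined log format. The sh below is an added example (mine, not from any post here) that sweeps such log lines; the three log lines are constructed for the demonstration and use documentation-range addresses, not real traffic.

```shell
#!/bin/sh
# Constructed Apache combined-format sample (not real traffic). Lines 1 and 3
# carry the function-definition prefix in the User-Agent and Referer fields.
sample_log() {
cat <<'EOF'
203.0.113.5 - - [26/Sep/2014:10:01:02 +0000] "GET /cgi-bin/status.cgi HTTP/1.1" 200 512 "-" "() { :;}; /bin/ping -c 1 198.51.100.7"
198.51.100.20 - - [26/Sep/2014:10:01:09 +0000] "GET /index.html HTTP/1.1" 200 2048 "-" "Mozilla/5.0"
203.0.113.5 - - [26/Sep/2014:10:02:44 +0000] "GET /cgi-bin/status.cgi HTTP/1.1" 200 512 "() { :; }; echo; /bin/id" "curl/7.37"
EOF
}

# shellshock_hits: filter stdin to lines containing "() {" (optional whitespace
# between the parentheses and the brace, since both spellings were used).
# In ERE, \( \) \{ are literal characters.
shellshock_hits() {
    grep -E '\(\)[[:space:]]*\{'
}

# shellshock_hit_count: number of matching lines in the sample.
shellshock_hit_count() {
    sample_log | shellshock_hits | wc -l | tr -d ' '
}

# shellshock_sources: distinct client addresses that sent a matching request,
# the first thing you want when deciding what to block or investigate.
shellshock_sources() {
    sample_log | shellshock_hits | awk '{ print $1 }' | sort -u
}

# Usage on a real log: shellshock_hits < /var/log/httpd-access.log
shellshock_hit_count
shellshock_sources
```

The pattern only sees what the server logged: a header Apache does not record, or a payload delivered through a different CGI environment variable, leaves no trace here, so an empty result is not a clean bill of health. Any match, on the other hand, tells you an attacker already knew which script to aim at.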


----------



## SirDice (Sep 26, 2014)

AzaShog said:
> It's business as usual for server administrators.


What I find funny is one of our customers calling in more or less a state of panic, asking us to update bash a.s.a.p. It's funny because that same server is running PHP 5.2, which went EoL 6 years ago :OOO

Some people have really screwed up priorities.


----------



## AzaShog (Sep 26, 2014)

getopt said:
> Enlightened by these cool words we will sleep better in future. Without your prayer we would not have known.



Wow, *gasp*! I'm touched!

But really, I was talking about the media coverage. And like @SirDice said, we also got clients calling and asking what it was, but our clients are "regular users" with mostly Windows systems on their machines, because the non-tech media covered it too and created panic.


----------



## AzaShog (Sep 26, 2014)

getopt said:
> What's wrong about that?



Well, to begin with, the non-tech news is (as usual) full of falsehoods, which is pretty dangerous when you serve it to non-technical people because they read about it in their Daily Whatever and believe what they read. Want an example?

The Register, http://www.theregister.co.uk/2014/09/24 ... hell_vuln/ :



> Ubuntu and other Debian-derived systems that use Dash exclusively are not at risk – Dash isn't vulnerable, but busted versions of Bash may well be present on the systems anyway.



Just.... LOL.

Second, it created a sense of panic, not only in sysadmins (for whom it is business as usual, as I said), but in regular users too. Which is not good if you get swamped in support requests over something that is a non-issue for them, and you have a hard time explaining "_No, ma'am, there's no Bash in your Windows 8_". Third, again, what is so special about this vuln? Arbitrary code executions, buffer overflows, heap overflows, blatant any-executable uploads in Wordpress, all of that happens every few weeks / months and it doesn't beget cutesy headline-selling names (Heartbleed, Shellshock...) and it doesn't get covered by The Daily Whatever.


*Edit:* Since this is a FreeBSD forum, in case the Dash quote above is not clear... on Debian systems /bin/sh is a symlink to /bin/dash. Bash is very much present and the default for any newly created account, and the quote is seriously, blatantly, flat-out wrong, carrying a very much false bit of info that Debian and Co. are not vulnerable...


----------



## Carpetsmoker (Sep 26, 2014)

From the tcsh mailing list:



> {T,}csh had a similar bug in the 80's when:
> 
> env TERM='`rm -fr *`' csh
> 
> ...


----------



## ChalkBored (Sep 27, 2014)

SirDice said:
> AzaShog said:
> 
> 
> 
> ...



It's because memetics and a catchy name are more important than the actual threat level. You can thank Heartbleed for starting that trend.


----------

