Expert Comment: Tech world left shell-shocked by BASH

Monday 29 September 2014

Dr David Reid, Senior Lecturer in Computer Science, explains why the recently discovered BASH vulnerabilities should not have come as such a surprise to the tech world. 

I was in a meeting with my colleagues in the department of computer science when news broke about the BASH vulnerability now known as “shellshock”. The ramifications were immediately obvious to us all.

BASH stands for Bourne Again Shell; it is the command line interface that is embedded in most of the computer systems that run the internet, a large percentage of home computers, and in the majority of embedded devices. It has been around since the late 1980s and is generally used by system administrators, computer programmers and technically savvy people to quickly interact with the core operating system. The systems that use this are UNIX, Linux, OSX, and some dialects of Android and iOS (not Windows).

If this interaction is done at the local level there is nothing to worry about. However, a problem occurs when Internet enabled programs (called CGI scripts) are allowed to interact, either directly or indirectly, with BASH.

Two weeks ago Stephane Chazelas (a 38-year-old software developer living in Britain) found a serious vulnerability in BASH and reported it immediately to the authorities. Hackers started exploiting the vulnerability on Thursday evening using worm viruses to attack systems.

Last week also came news of another BASH vulnerability. If it allows the BASH to display the date then you are vulnerable. So far Apple are still working on a patch and have said most users are not vulnerable. It is clear, however, that they have been wrong-footed by this flaw. It may be that to make systems secure, BASH itself needs to be upgraded to the latest version on vulnerable machines.

What is ironic is that software engineers have known about this type of code injection attack for a long time. I used to work developing Internet enabled software in the mid-1990s and we had teams of people checking for vulnerabilities in such CGI scripts.

The fact that these dangers have been forgotten about emphasises the fact that often the main threat to a system may not be through a highly technical exploit but be manifested through the vagaries of human psychology. BASH has been doing its thing, quietly and unobtrusively, for years.

The software industry became enamoured with shiny new interfaces and software layered on top of BASH; it was this software that was regularly tested for vulnerabilities -- not boring BASH. Quite simply, everyone forgot about BASH and assumed it was safe. The software industry looked away, until two weeks ago that is, when Stephane looked back at BASH and discovered this gaping exploit.

The exploit itself is simple. It sets an environment variable, but runs code within it...any code...absolutely any code!

Below, I create a new environment variable called EXPLOIT, but trick the operating system into running it in the BASH shell (by using the string () { :;};).

env EXPLOIT='() { :;}; echo vulnerable' bash -c "echo you have a problem"

In this case it just prints out “you have a problem” if you have a vulnerable system, and will block it by reporting an undeclared variable if your system is safe. You can type the above into a terminal to test your system if you want.
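
The same local test wrapped as a host audit (an added example, not part of Dr Reid's article): it runs the probe against every bash binary it finds and bases the verdict on a marker string that only the injected trailing command would print. The marker text, the variable name PROBE and the function names are assumptions of this example.

```sh
#!/bin/sh
# Added example: run the local test against every bash binary on a host.
# Written in POSIX sh so the shell doing the checking is not the one under test.

MARKER="SHELLSHOCK_TEST_MARKER"   # constructed string; printed only if injected code runs

# classify OUTPUT -> verdict, keyed on the marker rather than on the normal echo
classify() {
    case $1 in
        *"$MARKER"*) echo "vulnerable" ;;    # command after the function body was executed
        *check-ran*) echo "not-affected" ;;  # shell started, injected command did not run
        *)           echo "inconclusive" ;;  # shell missing, failed to start, or silent
    esac
}

# check_shell PATH -> verdict for one binary
check_shell() {
    [ -x "$1" ] || { echo "inconclusive"; return 0; }
    # env -i gives the child an empty environment apart from the probe variable
    out=$(env -i PROBE="() { :;}; echo $MARKER" "$1" -c 'echo check-ran' 2>/dev/null) || :
    classify "$out"
}

# list_bash_binaries -> bash on PATH plus any bash entries in /etc/shells
list_bash_binaries() {
    {
        command -v bash || :
        if [ -r /etc/shells ]; then grep -E '^/.*/bash$' /etc/shells || :; fi
    } 2>/dev/null | sort -u
}

# audit -> prints "path: verdict" per binary; returns 1 if any is vulnerable
audit() {
    status=0
    for shell_path in $(list_bash_binaries); do
        verdict=$(check_shell "$shell_path")
        echo "$shell_path: $verdict"
        [ "$verdict" = "vulnerable" ] && status=1
    done
    return $status
}

audit || echo "patch or replace the binaries marked vulnerable"
```

A "not-affected" verdict covers only this one test; it says nothing about the second vulnerability mentioned earlier.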

I won't go into the details about how to run a CGI script remotely, but security researcher Robert Graham has, and with hardly any effort, dug up at least 3,000 vulnerable systems by scanning port 80 on the root URL; he said the bug was "clearly wormable".

The positive in this is that it blows out of the water some received wisdom:

Folklore 1: Only Windows gets worms and viruses; Linux and OSX are safe....

I recently tested my Mac systems and found that the latest OS update (10.9.5) was secure, but the versions before this were vulnerable to the exploit.

Folklore 2: If I run Windows or a patched Linux or OSX I am safe. Sorry, you are not. It could be that your router, the site you are contacting, or even a device connected to your computer runs a version of Linux. This makes any communication to them or through them insecure.

Folklore 3: You can always patch your system. Some things like routers can't be upgraded - and so will always be vulnerable.

No one knows the extent of the problem, but as 51% of the servers on the internet use UNIX type systems, it is safe to say that the problem is gigantic. Worse still, although vendors are rushing out patches, vulnerabilities will exist for some time, perhaps years.

The strength of the internet, its interconnectivity, is also proving to be its greatest vulnerability; and its biggest vulnerability may yet prove to be forgetfulness; that people sometimes forget that the smallest things, the thing that has been quietly ignored for decades, can have massive consequences for everyone.


Dr David Reid teaches in the department of Mathematics and Computer Science.
