Shellshock: It Has Nothing to Do with Ninja Turtles

I’m probably starting to show my age, but when I hear the word “Shellshock,” the first thing I think of is the old Teenage Mutant Ninja Turtles cartoons.  But unfortunately, the Shellshock we are talking about has nothing to do with pizza-loving reptiles, and everything to do with a gaping security hole affecting many of your Internet-connected devices.  Here’s what Shellshock (a.k.a. the “Bash bug”) is all about, and why you should care:

What is it?

There are a few terms and technologies contributing to the Shellshock nickname.  First up is Bash, which is a command-line interface used in Mac, Linux, and many other operating systems and devices.  This interface, often referred to as accessing the “shell,” can be used to enter commands to perform various actions on a system, such as editing files, running tools, or initiating a restart or shutdown.

The heart of the Shellshock problem is that when these Bash commands are tweaked for potentially malicious purposes, really really really bad stuff can happen all across the Internet.

I don’t run Macs or Linux – so can I stop reading now?

No – please don’t!  This still matters to you.  You may not directly run these operating systems on the machines you use every day, but Linux is everywhere.  It could be found on video cameras, routers and other devices on your home or work network, and is prevalent on thousands and thousands of Web servers scattered across the Internet.

To understand the seriousness of this issue, we have to get a little nerdy first and look at an example Bash command:

/bin/eject

This simple command, when executed on some Linux servers, will eject the CD drive.  No harm done there, right?

Ok, but what if I could somehow modify that command and, from my comfy office in Waconia, use it to make a server across the Internet eject its CD drive?  Wouldn’t that be cool?  Well, if my target server was vulnerable to Shellshock, I could do exactly that with this command:

curl -H "User-Agent: () { :; }; /bin/eject" http://www.example.com/

Again, this looks like a bunch of gibberish, right?  But when we break it down, here’s essentially what this command is doing: first, it is asking www.example.com to display its Web content, much like it would if you visited www.example.com in a Web browser.  Next, as my computer and the Web site send data back and forth to complete this connection, my computer sends the characters () { :; }; in the User-Agent field, where the name of my Web browser would normally go.  And here’s the bug: the server is supposed to ignore or discard the /bin/eject command that follows those characters, but it runs it instead.  Voilà!  The CD tray pops open!

I don’t run a Web server either – why am I still reading?

In the example above I used a command which caused a Web server to eject its CD tray.  Just a silly trick to show friends at parties, right?  But use your imagination and think of some of the more sinister things I could do with this Shellshock vulnerability.  Maybe I could figure out a way to make thousands of these servers attack your corporate network.  Or I could craft a command to make the server send me sensitive information it has stored about you, such as your name, address, phone number, password, purchase history, credit card information…the possibilities are endless!

And keep in mind, this vulnerability does not require any advanced skills on my part.  I do not have to steal any usernames or passwords of people who administer these servers, download any special software or take a master’s class in hacking.  Nope, just a quick Google search and about 10 minutes of my time would be all I needed to start launching attacks on vulnerable servers and potentially do damage to your networks, accounts and sensitive information.  And that is why you should be concerned with Shellshock.
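If you do run a Web server, requests like the curl example above tend to show up in its access log. The script below is an added example, not part of the original article: it assumes the server writes the common "combined" log format, and the log lines and the function names sample_log and find_shellshock_probes are constructed for illustration.

```shell
#!/bin/sh
# Added example: find access-log entries whose Referer or User-Agent value
# starts with the "() {" prefix used by the request shown on this page.

# Constructed sample lines in the "combined" log format. The addresses come
# from documentation ranges; none of this is real traffic.
sample_log() {
cat <<'EOF'
192.0.2.10 - - [26/Sep/2014:10:01:02 +0000] "GET / HTTP/1.1" 200 512 "-" "Mozilla/5.0 (X11; Linux x86_64)"
198.51.100.7 - - [26/Sep/2014:10:01:05 +0000] "GET / HTTP/1.1" 200 512 "-" "() { :; }; /bin/eject"
192.0.2.44 - - [26/Sep/2014:10:02:11 +0000] "GET /about HTTP/1.1" 200 2048 "http://www.example.com/" "curl/7.35.0"
203.0.113.9 - - [26/Sep/2014:10:03:40 +0000] "GET / HTTP/1.1" 200 512 "() { :; }; /bin/eject" "curl/7.35.0"
EOF
}

# Prints "client<TAB>field<TAB>value" for every suspicious header value.
# Splitting each line on the double quote gives: $2 request line,
# $4 Referer, $6 User-Agent. Reads the files given as arguments, or stdin.
find_shellshock_probes() {
    awk -F'"' '
        function check(name, value,    pre) {
            # Normal browsers do not send a value that opens with "() {"
            if (value ~ /^[ \t]*[(][)][ \t]*[{]/) {
                split($1, pre, " ")          # first word of $1 is the client
                printf "%s\t%s\t%s\n", pre[1], name, value
            }
        }
        { check("referer", $4); check("user-agent", $6) }
    ' "$@"
}

# Stand-alone run over the constructed sample.
sample_log | find_shellshock_probes
```

A hit only tells you someone tried; whether the attempt worked depends on whether the server behind that log was patched at the time.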

So what can I do about it?

If you are running Macs in your environments, check the support article Apple has published about the Bash bug, and download/install the appropriate patch.

On Linux systems, you can usually do a quick Google search for the type of Linux you run and the word “Shellshock” to find articles and instructions containing a fix.  For instance, I run Ubuntu, and by searching for Ubuntu Shellshock I was treated to this nice article which walks me through patching the bug.

Don’t stop here.  In your home or corporate network, you need to check other devices that may be vulnerable, such as video cameras, routers and backup devices.  Depending on what devices are identified as being vulnerable, head to that vendor’s Web site and search for any knowledge base articles or updates that might be available.
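To confirm a patch took effect on a machine you administer, you can test its Bash directly. This is an added example, not from the original article or from any vendor; the function name bash_status, the variable name probe and the marker string are made up for illustration.

```shell
#!/bin/sh
# Added example: check whether a bash binary on THIS machine still runs a
# command that trails a function definition in an environment variable.
# It covers only the behaviour described in this article and does not
# replace installing your vendor's current update.

# Usage: bash_status [path-to-bash]
# Prints "vulnerable", "ok" or "missing".
bash_status() {
    shell=${1:-$(command -v bash || true)}
    if [ -z "$shell" ] || [ ! -x "$shell" ]; then
        echo "missing"
        return 0
    fi
    # Same "() { :; };" prefix as the request shown on this page. The
    # trailing command only echoes a harmless marker string.
    out=$(env 'probe=() { :; }; echo SHELLSHOCK_MARKER' \
          "$shell" -c 'true' 2>/dev/null) || true
    case $out in
        *SHELLSHOCK_MARKER*) echo "vulnerable" ;;
        *)                   echo "ok" ;;
    esac
}

# Stand-alone run: check the default bash plus a common alternate location.
for candidate in "$(command -v bash || true)" /usr/local/bin/bash; do
    [ -n "$candidate" ] || continue
    printf '%s: %s\n' "$candidate" "$(bash_status "$candidate")"
done
```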

Conclusion

Shellshock is a big deal – some experts say even bigger than Heartbleed.  But as you can see above, Shellshock is not a real simple vulnerability to explain.  I have had several conversations with clients who misunderstand it as “I don’t run Macs or Linux, so I don’t need to care.”  Hopefully I was able to show you that is simply not the case, and you can help your fellow friends/family/coworkers better understand the bug when the opportunity arises.

If you have any questions about Shellshock or perhaps want your network scanned for the vulnerability, we welcome the chance to talk to you. Contact us with any questions.

This article was written by guest author Brian Johnson, Information Security Analyst with our “information security” partner, FRSecure.