Further flaws render Shellshock patch ineffective

The Shellshock vulnerability in the commonly used Bash command line interpreter shell is likely to require more patches, as security researchers continue to unearth further problems in the code.

Image via http://51sec.blogspot.co.nz/

Google security researcher Michal "lcamtuf" Zalewski has disclosed to iTnews that over the past two days he has discovered two previously unaddressed issues in the Bash function parser, one of which is as bad as the original Shellshock vulnerability.

"The first one likely permits remote code execution, but the attack would require a degree of expertise to carry out," Zalewski said.

"The second one is essentially equivalent to the original flaw, trivially allowing remote code execution even on systems that deployed the fix for the initial bug," he added.

Common vulnerabilities and exposures numbers CVE-2014-6277 and CVE-2014-6278 have been assigned to the vulnerabilties.

Zalewski has discussed the vulnerabilities with the groups that volunteer to maintain Bash and to Linux OS vendors directly involved in attempting to resolve the original Shellshock vulnerability.

"We want to give people some time to update before we share additional details," Zalewski said.

After the initial disclosure of the Shellshock bug, Zalewski and fellow security researchers Florian Weimer and Tavis Ormandy expressed concern over the continued exposure of the underlying attack surface in Bash.

The three researchers have called for a more robust approach to addressing the issue, and also found a troubling pattern of vulnerabillities in CVE-2014-7186, CVE-2014-7187 and CVE-2014-7169 that Zalewski said suggests the Bash parser may be unsafe.

There is an unofficial patch ready, Zalewski said and he recommends users apply it urgently.

"Somewhere in the middle of all this, Florian Weimer developed an unofficial patch that mitigates this and all future problems in the bash function parser by shielding it from remotely-originating data.

"As of today, this patch is already shipping with several Linux distributions, but many users will need to update manually," he added.

Zalewski has written a technical analysis of the Shellshock bugs, describing what work was undertaken to patch them and calculating the impact of the combined vulnerabilities.

He notes that Shellshock can go beyond web server common gateway interface (CGI) scripts on modern Linux systems where the /bin/sh command shell is a symbolic link to /bin/bash.

A range of web apps written in PHP, Python, C++ or Java could be vulnerable if they use calls to functions such as popen() or system(), as these are backed by calls to /bin/sh -c in turn, Zalewski notes. 

Zalewski also addressed the length of time it has taken to discover the Bash bug:

"As for the inevitable "why hasn't this been noticed for 15 years" and  "I bet the NSA knew about it" stuff - my take is that it's a very unusual bug in a very obscure feature of a program that researchers don't really look at, precisely because no reasonable person would expect it to fail this way. So, life goes on."

Meanwhile, researchers are assembling proofs of concept code that can be used to exploit Shellshock.

Rob "mubix" Fuller has started up the Shellshocker-pocs repository on Github for this purpose, and it contains exploits against PureFTPd, SIP VoIP proxies, the Qmail mail server, SSH secure shell, and dynamic host control protocol (DHCP) IP address allocation servers.