Weaponized Bash | Linux Action Show 332
Posted on: September 28, 2014
Posted in: Featured, Linux Action Show, Video

The Shellshock bug is taking the internet by storm. Fedora project lead Matthew Miller joins us to discuss how this Bash bug works, how big of a problem it really is, and how large projects are responding to the issue. Plus we chat a little Fedora.next and more!
Then it’s our look at what’s great in Gnome 3.14, Ubuntu 14.10 & another systemd alternative that’s doing it right.
— Show Notes: —
Shellshock with Matthew Miller – FedoraProject
Brought to you by: System76
Shellshock BASH Vulnerability Tester
Shellshock (CVE-2014-6271, CVE-2014-7169, CVE-2014-7186, CVE-2014-7187) is a vulnerability in GNU’s bash shell that gives attackers access to run remote commands on a vulnerable system. If your system has not updated bash in the last 24 hours (See patch history), you’re most definitely vulnerable and have been since first boot. This security vulnerability affects versions 1.14 (released in 1994) to the most recent version 4.3 according to NVD.
Shellshock: How does it actually work? | Fedora Magazine
And there’s quite a lot of other little cleanups in there too — security people at Fedora, at Red Hat, and around the world sure have been busy for the couple of days. Thanks to all of you for your hard work, and to Fedora’s awesome QA and Release Engineering teams, who sprung into action to make sure that these updates got to you quickly and safely.
Still more vulnerabilities in bash? Shellshock becomes whack-a-mole | Ars Technica
Here’s how the Shellshock vulnerability works, in a nutshell: an attacker sends a request to a Web server (or Git, a DHCP client, or anything else affected) that uses bash internally to interact with the operating system. This request includes data stored in an environmental variable. Environmental variables are like a clipboard for operating systems, storing information used to help it and software running on it know where to look for certain files or what configuration to start with. But in this case, the data is malformed so as to trick bash into treating it as a command, and that command is executed as part of what would normally be a benign set of script. This ability to trick bash is the shellshock bug. As a result, the attacker can run programs with the same level of access as the part of the system launching a bash shell.
Shellshock just ‘a blip’ says Richard Stallman as Bash bug attacks increase | Technology
GNU Project founder: ‘Any program can have a bug. But a proprietary program is likely to have intentional bugs’
The bash vulnerability and Docker containers | Colin Walters
In a previous post about Docker, I happened to randomly pick bash as a package shared between the host and containers. I had thought of it as a relatively innocent package, but the choice turned out to be prescient. The bash vulnerability announced today shows just how important even those apparently innocent packages can be.
shellshock – What does env x='() { :;}; command' bash do and why is it insecure? – Unix & Linux Stack Exchange
bash stores exported function definitions as environment variables. Exported functions look like this:
$ foo() { bar; }
$ export -f foo
$ env | grep -A1 foo
foo=() { bar
}
That is, the environment variable foo has the literal contents:
() { bar
}
When a new instance of bash launches, it looks for these specially crafted environment variables, and interprets them as function definitions. You can even write one yourself, and see that it still works:
$ export foo='() { echo "Inside function"; }'
$ bash -c 'foo'
Inside function
Unfortunately, the parsing of function definitions from strings (the environment variables) can have wider effects than intended. In unpatched versions, it also interprets arbitrary commands that occur after the termination of the function definition. This is due to insufficient constraints in the determination of acceptable function-like strings in the environment. For example:
$ export foo='() { echo "Inside function" ; }; echo "Executed echo"'
$ bash -c 'foo'
Executed echo
Inside function
Note that the echo outside the function definition has been unexpectedly executed during bash startup. The function definition is just a step to get the evaluation and exploit to happen, the function definition itself and the environment variable used are arbitrary. The shell looks at the environment variables, sees foo, which looks like it meets the constraints it knows about what a function definition looks like, and it evaluates the line, unintentionally also executing the echo (which could be any command, malicious or not).
This is considered insecure because variables are not typically allowed or expected, by themselves, to directly cause the invocation of arbitrary code contained in them. Perhaps your program sets environment variables from untrusted user input. It would be highly unexpected that those environment variables could be manipulated in such a way that the user could run arbitrary commands without your explicit intent to do so using that environment variable for such a reason declared in the code.
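For a program that does set environment variables from untrusted input, as the answer above describes, one mitigation is to refuse any value that starts like an exported function definition before a child shell is launched. The sketch below is an added example, not code from the show notes or the quoted answer; the function names, the CGI-style HTTP_* mapping and the sample headers are assumptions made for illustration.

```python
import re

# Values that start like an exported bash function definition: "() {".
# Extra whitespace is tolerated so the filter errs on the strict side.
FUNC_DEF = re.compile(r"^\s*\(\)\s*\{")


def cgi_environment(headers):
    """Map request headers to CGI-style HTTP_* variables (assumed front end)."""
    return {"HTTP_" + name.upper().replace("-", "_"): value
            for name, value in headers.items()}


def suspicious_variables(env):
    """Return sorted names of variables whose value looks like a function definition."""
    return sorted(name for name, value in env.items() if FUNC_DEF.match(value))


def scrub(env):
    """Return a copy of env without function-like values, for handing to a child shell.

    Legitimate exported functions are dropped too: untrusted input has no
    reason to define shell functions, so nothing is parsed or repaired.
    """
    flagged = set(suspicious_variables(env))
    return {name: value for name, value in env.items() if name not in flagged}


# Constructed sample input (not real traffic); the two function-like values
# are the harmless strings quoted on this page.
SAMPLE_HEADERS = {
    "Host": "www.example.test",
    "User-Agent": '() { echo "Inside function" ; }; echo "Executed echo"',
    "Accept": "text/html",
    "Referer": "() { :;}; command",
}

if __name__ == "__main__":
    env = cgi_environment(SAMPLE_HEADERS)
    print("flagged:", suspicious_variables(env))
    print("passed to child:", sorted(scrub(env)))
```

The same pattern can be used as a log search term, since a value beginning with `() {` has no normal reason to appear in request data. Filtering complements updating bash; it does not replace it.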
— PICKS —
Runs Linux
India’s Mission to Mars, runs Linux
India has made history today by being the first and only country in the world to send a space craft to Mars in first attempt. The country also made history as it achieved it in a budget lesser than the un-scientific Hollywood block buster Gravity; India spent only $71 million on the mission.
Desktop App Pick
Shellshock BASH Vulnerability Tester
You can use this website to test if your system is vulnerable, and also learn how to patch the vulnerability so you are no longer at risk for attack.
Weekly Spotlight
RockStor: Store Smartly: Free Advanced File Storage
✔ Installs on 64-bit commodity hardware or virtual machine
✔ Built on top of Enterprise Linux operating system
✔ Supports NAS sharing protocols including Samba/CIFS, NFS and SFTP
✔ Efficient storage management functionality with web-ui or CLI
✔ Extend functionality with plugins
— NEWS —
GNOME 3.14 Released, See What's New
After six months of development, GNOME 3.14 was released today and it includes quite a few interesting changes such as multi-touch gestures for both the system and applications, re-worked default theme, new animations as well as various enhancements for the core GNOME applications.
In a nutshell I like Gnome 3.14 a lot. It’s a really nice release. Though I am a hard core Plasma user, I see myself spending some time with Gnome, enjoying things like online integration, easy-to-set-up Evolution and many more features which I can’t find in KDE’s Plasma. That said, both are my favorite. They both excel in their focus areas. If you have not tried Gnome yet, do give it a try.
Apart from Touch support in Shell there is also support for GNOME apps and in fact some GNOME apps they do use gestures!
The Wayland changes for GTK+ 3.14 include support for the recently released Wayland 1.6, touch input is now supported, working drag-and-drop support, and support for the GNOME classic mode.
Download GNOME 3.14 ISO (based on Fedora 21)
Touchscreens are no longer just for tablets and phones. Touchscreen laptop computers and desktops are becoming the norm, if not more common, in the computer market. Much of this has been spurred-on by Microsoft and Windows 8, whose “Modern” interface is about as touchscreen-friendly as you can get. In fact, it is what is driving the laptop market to include capacitive touchscreens.
The nosh package
It should also be suitable for filling the gap caused by the systemd tool not being portable outwith the Linux kernel since it is known to work on proper BSD and on Debian Linux, and therefore should work on Debian kFreeBSD.
Ubuntu 14.10 Beta Downloads Now Available
There’s not even a new default desktop wallpaper.
Feature Freeze is the point past which no new features, packages or APIs are introduced, with emphasis placed on polish and bug fixing to ensure as stable an experience as possible. Feature Freeze for Ubuntu 14.10 and its flavors came into effect on August 21 — a month prior to the release of GNOME 3.14 Stable.
It’s this tight timeframe that conspires against the Ubuntu GNOME team, making it impossible for them to include latest GNOME stack. If you were one of those who hoped to find GNOME 3.12 in Ubuntu 14.04 LTS, you’ll be familiar with the impact this has.
A series of maintained PPAs — Stable, Staging, and Next — provide backports of newer GNOME releases to Ubuntu, allowing you to optionally roll with (potentially untested) newer software should you want to.
Tech Talk Today | A Daily Tech News Show with a Linux Perspective
— FEEDBACK —
— CHRIS’ STASH —
Hang in our chat room:
irc.geekshed.net #jupiterbroadcasting