Klaus Knopper answers your Linux questions

Ask Klaus

Article from Issue 169/2014

Answers to your Linux questions.

Shellshock

What about the Shellshock bug? Do I need to update Bash immediately? How can I know if my computer is vulnerable to a remote attack?

Because most distros have an easy-to-use packaging and update system, you should definitely update bash. The commands in Debian-based distros would be

sudo apt-get update
sudo apt-get install bash

which will pull the bug-fixed bash package from the official repository and install it.

The more exciting question is: What can happen if you don't upgrade Bash? Recent news reported a lot of hype about the Bash bug and even made comparisons in severity with the Heartbleed SSL bug (which is totally different, of course). Most articles made it look like everyone with a Bash shell installed should immediately disconnect from the Internet. This is not true, of course.

The Shellshock bug [1] is simply a programming error in the widely used Bash system shell when parsing shell variables. Storing a shell function in a variable can lead to execution of code if the function definition ends with a semicolon followed by additional commands. Alone, this unexpected behavior is not a remotely exploitable bug, because it affects shells running locally on your computer (i.e., if you feed the shell such a variable definition, the extraneous commands are executed with the permissions of the user calling the shell). You could just as well have typed the commands yourself. It does not matter whether or not the computer is connected to the Internet.

Remote attack possibilities of Shellshock arise if two conditions are met:

  1. Your computer is running a remotely accessible service, like the Apache web server, that has additionally been configured to provide remote execution of a Bash shell – for example, through the CGI interface.
  2. The shell, which has become remotely accessible by this, can be fed unfiltered variable definitions from a remote client.

Apart from a web server with CGI turned on (which is not the default setting), the DHCP client, which also acts as a server taking care of your computer's connectivity, could be subject to an attack if it tries to store manipulated information in Bash shell variables. However, for a successful attack, the DHCP server, which provides addresses and network setup parameters (i.e., your home router, WLAN access point, dialup modem, or another computer in your network that can act as a DHCP server), needs to be compromised first to deliver manipulated data.

In other words, if your home network is already compromised, the attacker may be able to compromise other computers in your home network by checking for vulnerable DHCP clients that call a Bash shell. Admittedly, if your router is already lost, many more attacks are possible, but closing this particular hole in the DHCP-client-calling-Bash case is still advisable.

Some tests can tell you which (if any) of the known bugs your Bash features [2].
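As an added example (this is not code from the column or from reference [2]), here is a small POSIX shell self-check that applies the test described above: it hands a child bash a variable holding a function definition followed by an extra command and reports whether that extra command ran. The function name shellshock_check is chosen here.

```shell
#!/bin/sh
# Added example: self-test for the original Shellshock function-import bug.
# shellshock_check is a name chosen for this example, not a standard tool.
# Prints "patched", "vulnerable" or "no bash" and returns 0, 1 or 2.
shellshock_check() {
    if ! command -v bash >/dev/null 2>&1; then
        echo "no bash"
        return 2
    fi
    # The variable holds a function body followed by a trailing command.
    # A fixed bash imports at most the function; an unfixed bash also
    # executes the trailing "echo", so "vulnerable" appears in the output.
    out=$(env probe='() { :;}; echo vulnerable' bash -c 'echo child-ran' 2>/dev/null)
    case "$out" in
        *vulnerable*) echo "vulnerable"; return 1 ;;
        *child-ran*)  echo "patched";    return 0 ;;
        *)            echo "no bash";    return 2 ;;   # bash did not start
    esac
}

# Run the check; keep its exit status in $status so a caller can branch on it.
status=0
shellshock_check || status=$?
```

The exit status is deliberately non-zero for a vulnerable shell so the function can be dropped into a configuration-check script that fails loudly; after running the apt-get commands above, the output should change to "patched".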

While you are updating Bash, you should also check which remotely accessible services are running on your computer and decide whether you really need them. You can get a list of servers, together with the running program names, on your computer using this command (see Listing 1 for sample output):

sudo netstat -tulpen

Listing 1

Output of sudo netstat -tulpen.

Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       User       Inode       PID/Program name
tcp        0      0 0.0.0.0:44269           0.0.0.0:*               LISTEN      0          66410       6134/rpc.mountd
tcp        0      0 0.0.0.0:111             0.0.0.0:*               LISTEN      0          66688       5992/rpcbind
tcp        0      0 127.0.0.1:53            0.0.0.0:*               LISTEN      114        2684913     26068/named
tcp        0      0 127.0.0.1:631           0.0.0.0:*               LISTEN      0          17354       3922/cupsd
tcp        0      0 0.0.0.0:39192           0.0.0.0:*               LISTEN      0          66400       6134/rpc.mountd
tcp        0      0 127.0.0.1:953           0.0.0.0:*               LISTEN      114        2685960     26068/named
tcp        0      0 0.0.0.0:1599            0.0.0.0:*               LISTEN      1000       72357       6208/soffice.bin
tcp        0      0 0.0.0.0:45569           0.0.0.0:*               LISTEN      0          66405       6134/rpc.mountd
tcp        0      0 0.0.0.0:2049            0.0.0.0:*               LISTEN      0          67238       -
udp        0      0 0.0.0.0:52767           0.0.0.0:*                           0          66398       6134/rpc.mountd
udp        0      0 0.0.0.0:56905           0.0.0.0:*                           0          44250619    9682/dhclient
udp        0      0 127.0.0.1:53            0.0.0.0:*                           114        2684912     26068/named
udp        0      0 0.0.0.0:68              0.0.0.0:*                           0          44250651    9682/dhclient
udp        0      0 0.0.0.0:111             0.0.0.0:*                           0          66684       5992/rpcbind
udp        0      0 0.0.0.0:41328           0.0.0.0:*                           0          67285       6134/rpc.mountd
udp        0      0 0.0.0.0:651             0.0.0.0:*                           0          66687       5992/rpcbind
udp        0      0 0.0.0.0:2049            0.0.0.0:*                           0          67240       -
udp        0      0 0.0.0.0:55604           0.0.0.0:*                           0          66408       6134/rpc.mountd

Programs running only on interface 127.0.0.1 (localhost) are usually harmless, whereas you should double-check everything running on the "match-all" address 0.0.0.0, because these are potentially accessible from the Internet.

The worldwide-open ports (those bound to 0.0.0.0 in Listing 1) include an NFS server (port 2049) and the LibreOffice remote presentation control port (soffice.bin), which should be checked. The DHCP client (dhclient) ports need to be open for renewal or termination notifications and transfer of update notifications from the DHCP server. Locally running CUPS and name server cache (named) are OK.
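The sorting step from the two paragraphs above, as an added example that is not Klaus's code: a POSIX shell/awk filter that reads netstat -tulpen output and keeps only the sockets bound to the match-all address. It goes slightly beyond Listing 1 by also recognizing IPv6 any-address sockets (tcp6/udp6 bound to ::). A subset of Listing 1 is embedded so it runs offline; the function names world_listeners and unowned_world_listeners are chosen here.

```shell
#!/bin/sh
# Added example (not from the column): pick out the sockets in
# `netstat -tulpen` output that are bound to the match-all address and
# are therefore reachable from other hosts. Function names are chosen here.

# A subset of Listing 1, embedded so the filter can be tried offline;
# real usage is:  sudo netstat -tulpen | world_listeners
SAMPLE='Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       User       Inode       PID/Program name
tcp        0      0 0.0.0.0:44269           0.0.0.0:*               LISTEN      0          66410       6134/rpc.mountd
tcp        0      0 127.0.0.1:53            0.0.0.0:*               LISTEN      114        2684913     26068/named
tcp        0      0 0.0.0.0:1599            0.0.0.0:*               LISTEN      1000       72357       6208/soffice.bin
tcp        0      0 0.0.0.0:2049            0.0.0.0:*               LISTEN      0          67238       -
udp        0      0 127.0.0.1:53            0.0.0.0:*                           114        2684912     26068/named
udp        0      0 0.0.0.0:68              0.0.0.0:*                           0          44250651    9682/dhclient'

# Print "proto port program" for each tcp/udp socket whose local address
# is 0.0.0.0 (IPv4 any) or :: (IPv6 any). Header lines do not start with
# tcp/udp and are skipped. The program is always the last field, which
# keeps the same code working for tcp lines (with a State column) and
# udp lines (without one).
world_listeners() {
    awk '$1 ~ /^(tcp|udp)6?$/ && ($4 ~ /^0\.0\.0\.0:/ || $4 ~ /^:::/) {
        n = split($4, a, ":")
        print $1, a[n], $NF
    }'
}

# Narrow further to sockets netstat could not attribute to a process
# ("-" in the last column): either a kernel service such as NFS on 2049
# or a process you lack the privileges to see. Run netstat with sudo
# before concluding it is the former.
unowned_world_listeners() {
    world_listeners | awk '$3 == "-"'
}

printf '%s\n' "$SAMPLE" | world_listeners
```

On the embedded sample this prints four lines (rpc.mountd on 44269, soffice.bin on 1599, the unowned NFS socket on 2049 and dhclient on 68) and drops both named sockets, because they are bound to 127.0.0.1 only.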

Flash Bug?

Installation of the Flash player does not work using the browser. Is this a bug?

Some websites claim that you can install the proprietary Flash plugin for displaying Flash web content as a simple browser extension. However, it's actually not that easy, because security restrictions keep your browser from installing programs and libraries system-wide.

Many websites that formerly required Flash now work without special plugins using HTML5 canvases, and the browser will take care of starting the correct video player.

However, older content may still require the proprietary Flash browser plugin. On Debian-based systems, you can install it with

sudo apt-get update
sudo apt-get install -t unstable flashplugin-nonfree

or try to update with

sudo update-flashplugin-nonfree --install

or you can check the plugin status with

sudo update-flashplugin-nonfree --status

You might also consider checking whether the alternative free Flash video plugin works for you, which is the package browser-plugin-lightspark in Debian.

The Author

Klaus Knopper is the creator of Knoppix and co-founder of LinuxTag expo. He currently is a Professor, Dipl. Ing., at the University of Applied Sciences Kaiserslautern. If you have a configuration problem, or if you just want to learn more about how Linux works, send your questions to: klaus@linux-magazine.com
