"Shellshock"
I like this trend: major internet security vulnerability, new guitar parody. Most recently we’ve had to deal with Shellshock, an issue where a program called bash would execute code provided in environment variables, which non-CS people can think of as a sort of transient set of preferences that a program has access to. The trick is that bash treats an environment variable whose value begins with “() {” as a function definition to import, and vulnerable versions kept executing whatever came after the closing brace. In a particularly bad combination of features, some server software might happen to (deliberately) store information in the environment (like, say, what browser you’re running) and then run bash to accomplish some particular task. If you say your browser is “Safari”, everything’s okay; if you say it’s “() { :;}; echo vulnerable” then we have a problem.
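The mechanism above, as an added example in Python (not code from the original post): it maps request headers into CGI environment variables the way a CGI server does, flags values shaped like a bash function definition, runs the resulting environment through bash exactly as a vulnerable server would, and runs the canonical probe against the local bash to see whether it is still affected. The request headers are constructed for illustration, and the helper names are my own.

```python
"""Added example (not from the original post): how a CGI-style server turns
request headers into environment variables, how to spot a Shellshock-style
payload in them, and how to test whether the local bash is still affected.

The request headers below are constructed; the HTTP_* naming follows the
CGI convention (User-Agent -> HTTP_USER_AGENT)."""
import os
import re
import subprocess

# Canonical Shellshock probe: an empty bash "function definition" followed by
# a trailing command that an unpatched bash executes while importing it.
PROBE = "() { :;}; echo vulnerable"

# Constructed sample requests: one benign, one carrying the probe.
SAFE_HEADERS = {"Host": "example.test", "User-Agent": "Safari"}
EVIL_HEADERS = {"Host": "example.test", "User-Agent": PROBE}

# Every Shellshock payload starts with a function definition, "() {" with
# optional whitespace, so this is a useful (if coarse) detection signature.
FUNCTION_DEF = re.compile(r"^\s*\(\)\s*\{")


def build_cgi_env(headers):
    """Map HTTP headers to CGI environment variables the way a CGI server
    does. This is the step that puts attacker-controlled text into the
    environment of whatever the server runs next."""
    env = {}
    for name, value in headers.items():
        env["HTTP_" + name.upper().replace("-", "_")] = value
    return env


def suspicious_env_vars(env):
    """Names of environment variables whose values look like a bash function
    definition. An unpatched bash would parse each of these and run any
    commands that follow the closing brace."""
    return sorted(name for name, value in env.items() if FUNCTION_DEF.match(value))


def run_cgi_step(env, command="echo handled"):
    """The vulnerable pattern from the post: hand the request-derived
    environment to bash to do some unrelated task. With an unpatched bash the
    probe in HTTP_USER_AGENT prints 'vulnerable' before the task runs.
    Returns bash's stdout, or None if bash is not installed."""
    full_env = {"PATH": os.environ.get("PATH", "/usr/bin:/bin")}
    full_env.update(env)
    try:
        result = subprocess.run(
            ["bash", "-c", command],
            env=full_env, capture_output=True, text=True, timeout=10, check=False,
        )
    except FileNotFoundError:
        return None
    return result.stdout


def bash_is_vulnerable():
    """Run the standard probe against the local bash. True means the trailing
    command ran (unpatched); False means it did not; None means no bash."""
    out = run_cgi_step({"x": PROBE}, "echo this is a test")
    if out is None:
        return None
    return "vulnerable" in out


if __name__ == "__main__":
    for headers in (SAFE_HEADERS, EVIL_HEADERS):
        env = build_cgi_env(headers)
        print("env:", env)
        print("flagged:", suspicious_env_vars(env))
        print("bash output:", repr(run_cgi_step(env)))
    print("local bash vulnerable:", bash_is_vulnerable())
```

`bash_is_vulnerable()` is the same check people typed by hand in 2014, `env x='() { :;}; echo vulnerable' bash -c "echo this is a test"`: a patched bash prints only “this is a test”. The real fix is the vendor patch; the detection regex is only a stopgap, since it has to be applied to every header (and every other source of environment data) before the shell ever sees it.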
There is a song here too.
If you’re on a slow internet connection, you might want to download the audio instead.
The good news about Shellshock is that it’s mostly server-side: if you’re not running anything that hands network input to bash, there’s not much to worry about (although you should always install security updates from your OS vendor; the notable exception is things like Linux DHCP clients, which also pass network-supplied data to shell scripts). The bad news is there’s nothing an average person can do to make things better, and these days even random devices (routers, thermostats, phones, cars) could easily be running some small variant of Linux with some networking software and a vulnerable version of bash installed. Check if those things have security updates, too.
This was a parody of Tom Jones’ “Sex Bomb” (with Mousse T.); unfortunately I can’t find an official online version of the song, but you can find an unofficial one if you look. I can, however, share my first exposure to the song: this a cappella version (live) by the UC Men’s Octet.
As usual, the content of the lyrics should be considered hyperbole and not formal technical advice.
Previously in the Security Vulnerability series: “goto fail” and “Heartbleeder”.
Send a request to your little site
Hope that it’s running with CGI
If your default system shell is bash
Then I’m ready for the attack
Yeah I’m ready for the attack

Now read the parameters that I sent
And stick them in the environment
Pass it down to your system call
Baby, you’ve lost it all

Shellshock (shellshock)
It’s called shellshock
Run my code remotely with a certain secret knock
Shellshock (shellshock)
Something’s gone wrong
Baby, security’s gone

Now, don’t get me wrong, it’s a feature gone bad
Remote code execution should make you sad
If your environment data starts with parens
bash will read it until the end

A real function stops with a curly brace
But add more code and to bash’s disgrace
It will go ahead and evaluate
Baby, that’s check and mate

Shellshock (shellshock)
It’s called shellshock
Infiltrate a server with a certain secret knock
Shellshock (shellshock)
That’s what’s gone wrong
Baby, security’s gone

I can dump the contents of your password file
I can knock your host offline at a whim
I can set up a server process of my own
And I control devices that have internet within

Shellshock
It’s called shellshock
Patches try to figure out the right way they can block
Shellshock (shellshock)
Twenty years wrong
Baby, security’s gone (it’s gone)
Baby, security’s gone (so long)
Baby, security’s gone.