Shellshock – It is serious, but it is no Heartbleed


Cartoon hacker with laptopAfter years of Microsoft Windows operating system vulnerabilities, we find that the new place which has moved to discovering sloppy programming in Java, Abode Flash, and Adobe Reader, and now Linux – with a common denominator is often around the C++ programming language. The issues around the Linux environment, causes Apple users problems, as Mac OS X has built its environment based on an underlying Linux environment.

In the days when Apple struggled to compete against Microsoft and Intel, they made two major choices:

  • Move their architecture from Motorola/IBM (which was build on 68xxx processors) to the x86 architecture used by Intel. This was a smart move as it allowed them to keep up-to-date on hardware against the other PC manufacturers.
  • Move their operating system to Linux. This allow them to reduce their development of their core operating system and focus on the user experience, but still use the reliability of the Linux operating system.

Unfortunately now the move to Linux might be coming back with anger on Apple, as serious flaws are now being found in the core infrastructure. Many bugs, which have gone unnoticed for many users, are being found, and these are often due to a lack of code review and testing. With OpenSSL, for example, and which caused Heartbleed, we still see C++ code developed Eric Young (“eay” lib) in 1998.


Last week, Dr. Web (a Russian security) outlined a new worm for OS X: “Mac.BackDoor.iWorm“, and which allows hackers to take control of the computer, and using it as part of a Botnet, such as for sending spam emails or performing Denial of Service attacks against web sites. Apple, on detecting over 17,000 users with the worm then was quick to respond, and added the signature of iWorm to its malware detector (Xprotect – and which is installed on every Mac computer). A key factor for users is that there Mac needs to be up-to-date with system updates, otherwise they can be open to the spread of the worm. The Xprotect signature defined is:

This worm has been used to search Reddit for a fake discussion forum related to Minecraft and also integrated links to hacker controlled command servers. Reddit then closed the hacker accounts that were used in order to share links to the commands servers, and banned the fake Minecraft subreddit – which stopped the worm from receiving orders from the hackers. There are also rumours that the worm itself was spread though pirated software, such as for Microsoft Office, Adobe Photosho pand Parallels (the virtualisation package used to run other operating systems on the Mac) from The Pirate Bay.

Shell Shock

With Shell Shock the target was again Linux hosts using Bash (GNU Bourne Again Shell), which is the command line interpreter used in many Linux based systems, including Apple OS X. Bash interprets the commands that users enter or are run from scripts, and then makes calls to the operating system, such as for running programs, listing the contents of a directory, or in deleting files. The discovered flaw allows intruders to remotely run arbitrary code on systems such as Linux servers including for web servers, routers, and many embedded systems. It was discovered by Stephane Chazelas of Akamai, who found that code at the end of a function of an exported variable is run whenever an environment variable is used within the Bash environment. Many Linux programs use environmental variables to pass parameters between programs, and the flaw thus allows for code to be inserted into a program whenever these environmental variables are called.

Shellshock focuses on CGI scripts, which are old-fashioned scripts that allow commands to be processed using a scripted language. While popular in the past, it has been largely replaced by PHP and other high-level scripting programs. In most cases CGI scripts reside in the /cgi-bin folder. For GNU Bash through 4.3, trailing strings after a function are processed in the definitions of environment variables. This allows intruders to execute arbitrary cod. For example, we have a function named mybugtest:

billbuchanan@Bills-MacBook-Pro:/tmp$ export mybugtest='() { :;}; echo I AM BUGGY'
billbuchanan@Bills-MacBook-Pro:/tmp$ bash -c "echo Hello"

Shell Shock can comprise a system by injecting a payload of code into the environment variables of a running process. When the process is started, the code is injected into the running program, in the same way as a user typing in some user input.

The code which can appear at the end of the Bash function can be fairly complex, and allow an intruder to inject code into the shell (and thus into running programs). In this example we copy some text into a text file (named newfile) and then copy the file to a new file (newfile2):

$ export mybugtest='() { :;}; echo "This is my new file..." > newfile; cp newfile newfile2'
$ bash -c ""
Segmentation fault: 11
$ ls myf*
myfile   myfile2
$ cat myfile2
This is a test

In this case we could move files around, but we couldn’t move a file to a privileged folder, as that would need administrator rights. In a well secured environment, the damage that Shellshock can cause should be minimal, as most of the important operations require a higher-level privilege. It is this attribute of Shellshock that highlights that this is not another Heartbleed, as Heartbleed allowed anyone to access the privilege area of memory on the server, without any restrictions. While Web servers may be safe, with a limited usage of cgi-bin scripts (which allow privileged access to the system), there may be risks with poorly secured embedded systems, which can often use scripts to setup their services.

Buffer overflows and underruns

The flaw within Bash, shows how sloppy software developers have been in the past, and it is a flaw which has existed for over 25 years without being discovered. Many of the problems being under covered have been caused by poor software coding in the C++ programming language, which often allows programs to act incorrectly when the input data is not formatted as expected. Once common method of exploiting a C++ program is a buffer overflow, where a certain amount of memory is allocated to variables, and where the user enters data which is more than the allocated memory, and which causes other parts of the memory to be overwritten, and cause the program to act incorrectly.

In the case of Heartbleed it was a buffer underrun which caused the problem, where an area of memory was read and which did not actually contain the required amount of data to fill it. If you are interested in Heartbleed, and its cause (OpenSSL):


So after years of Microsoft Windows being the target, hackers are turning the skills onto the Linux operating system, and Mac OS is a target of choice for the end user. The flaws found in iWorm and Shell Shock show that Linux is perhaps not as rock-solid from a security point of view as many thought. With it’s C++ code infrastructure, and lots of code which are now over a decade old, we are likely to see increasing threats on Linux, and thus to Apple devices. To their credit, Apple have been fast to detect, and patch, but there is a danger in users not patching their systems on a regular basis. This often happened on Microsoft Windows, we users often disabled the auto-updates, typically when it caused problems on their computer. So, Apple must make sure that users keep their systems up-to-date, otherwise Apple users may be more of a risk than Windows ones.

One thought on “Shellshock – It is serious, but it is no Heartbleed

  1. Hi bill,
    Thanks for your teaching in Napier. I have the chance to write the IPS rules for this attack at the same day when it has been published. The key words are “|25|28|25|29|25|20|25|7b|25|20”, “(:?(:?\x5e|%5e)|(:?[=?&]|\x25(3d|3f|26)))\s*?(%28|\x28)(%29|\x29)(%20|\x20)(%7b|\x7b)(%20|\x20)”, ” () { “, “|28 29 20 7b 20|” and “[=?&\x2f]\s*?\x28\x29\x20\x7b\x20”. Most of them are HTTP, but can be DHCP, SMTP..etc.

Leave a Reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s