Thursday, September 25, 2014

Shellshock is 20 years old (get off my lawn)

The bash issue is 20 years old. By this I don't mean the actual bug is that old (though it appears it might be), but that we've known that long that passing HTTP values to shell scripts is a bad idea.

My first experience with this was in 1995. I worked for "Network General Corporation" (which would later merge with McAfee Associates). At the time, about 1000 people worked for the company. We made the Sniffer, the original packet-sniffer that gave its name to the entire class of products.

One day, the head of IT comes to me with an e-mail from some unknown person informing us that our website was vulnerable. He was in standard denial, asking me to confirm that "this asshole is full of shit".

But no, whoever had sent us the email was correct, and obviously so. I was enough of a security expert that our IT guy would come to me, yet I hadn't considered that bug before (to my great embarrassment). Still, one glance at the email and I knew it was true. I didn't have to try it out on our website, because it was self-evident from the way CGI scripting worked. I forget the exact details, but it was essentially no different from the classic '/cgi-bin/phf' bug.

So we've known for 20 years that this is a problem, so why does it still happen? I think the problem is that most people don't know how things work. Like the IT guy 20 years ago, they can't look at it and immediately understand the implications and see what's wrong. So they keep using it. This perpetuates itself into legacy code that we can never get rid of. It's like the mainframe: 20 years out of date and still a 50-billion-dollar-a-year business for IBM.
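As an added illustration (not code from the original post), here is the phf-style CGI mistake the author refers to, written in Python: the unsafe form that splices the HTTP value into a shell command string, beside a hardened form that validates the value against an allowlist and runs the command without any shell. The `name` query parameter and the finger path are assumptions, and the sample CGI environments are constructed; /bin/echo stands in for finger so the hardened path runs offline.

```python
"""phf-style CGI lookup: the unsafe shell-string pattern beside a hardened form."""
import re
import subprocess
from urllib.parse import parse_qs

# A CGI program gets the request's query string via the QUERY_STRING environment
# variable; that is the "HTTP value" which ends up in the shell. The parameter
# name and the finger path are assumptions made for this illustration.
QUERY_PARAM = "name"
LOOKUP_COMMAND = "/usr/bin/finger"

# Strict allowlist: an account name and nothing a shell could interpret.
VALID_NAME = re.compile(r"^[A-Za-z][A-Za-z0-9_.-]{0,31}$")


def query_value(environ: dict) -> str:
    """Extract the lookup parameter the way a CGI script does (RFC 3875)."""
    params = parse_qs(environ.get("QUERY_STRING", ""), keep_blank_values=True)
    return params.get(QUERY_PARAM, [""])[0]


def unsafe_command(environ: dict) -> str:
    """1995-era pattern: the HTTP value is spliced into a string destined for
    /bin/sh, so any shell metacharacter in it changes the command structure."""
    return f"{LOOKUP_COMMAND} {query_value(environ)}"


def is_valid_name(value: str) -> bool:
    """Reject anything outside the allowlist; refusing is the safe default."""
    return VALID_NAME.match(value) is not None


def hardened_argv(environ: dict, command: str = LOOKUP_COMMAND) -> list[str]:
    """Validate first, then build an argv list so no shell ever parses the value."""
    value = query_value(environ)
    if not is_valid_name(value):
        raise ValueError("query value outside allowlist")
    return [command, value]


def run_hardened(environ: dict, command: str = "/bin/echo") -> str:
    """Execute with shell=False; /bin/echo stands in for finger so this runs offline."""
    argv = hardened_argv(environ, command)
    result = subprocess.run(argv, capture_output=True, text=True, check=True)
    return result.stdout.strip()


# Constructed sample CGI environments: a normal request and a hostile one.
NORMAL_ENV = {"REQUEST_METHOD": "GET", "QUERY_STRING": "name=alice"}
HOSTILE_ENV = {"REQUEST_METHOD": "GET", "QUERY_STRING": "name=alice%3B+echo+injected"}

if __name__ == "__main__":
    print("unsafe string     :", repr(unsafe_command(HOSTILE_ENV)))
    print("hardened run      :", run_hardened(NORMAL_ENV))
    print("hostile accepted? :", is_valid_name(query_value(HOSTILE_ENV)))
```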

7 comments:

Dennis Di Toro said...

Consider how life was 20 years ago w/ Internet, BBSs were closing down because of MIT and T. Berners-Lee for their http thoughts. Are you blaming IBM for a technology that should never have been adopted by commerce? If left alone, BBS had the same services that are reaping Billions today, but with none of the security issues plaguing modern day, maybe what's old is new again!

Reza Beha said...

BBSes had security issues of their own. I recall dropping in on other users' sessions when their carriers had dropped without a proper logout.

Justin Goldberg said...

I believe that's why BBSes had a dialback feature, which is still listed in Active Directory (call-back). I believe Novell also had such a feature. You would have to put your modem in answer mode after logging in. This would also defeat people who used caller id blocking on their dialup system as well.

thejasman said...

bbses had call back verifiers, to make sure that the number the user entered for their user app is not a fake.

regarding dennis comparing bbses to the internet, those are apples and oranges. bbses were usually local and had their own personalized feel. the internet and the web are very much different.

btw, i have run bbses since 1992 and i'm still running 4 bbses and i run several websites with free bbs services.

Dennis Di Toro said...

How easy it is to see that "thejasman" is a sock puppet? LOL

thejasman said...

This comment has been removed by the author.

thejasman said...

i'm not a 'sock puppet'
i think you're a bit paranoid.

someone disagrees with you and they must be some fake poster, right?

if you're referring to me using my blogger acct, that is no different than you logging in with your g+ acct. this website required a sign in and i used it.