Oh SNAP! Old-school '80s Unix hack to smack OSX, iOS, Red Hat?
REAL damage to *nix systems, tools ... via SIMPLE wildcard poison tricks, claims researcher
Unix-based systems, as used worldwide by sysadmins and cloud providers alike, could be hijacked by hackers abusing a hard-coded vuln that allows them to inject arbitrary commands into shell scripts executed by high-privilege users.
A class of vulnerabilities involving so-called wildcards allows a user to affect shell commands issued by other users through filename manipulation. If the other user is a privileged user, such as root, then the tactic could be used to run elevation of privilege-style attacks.
In the context of programming, a wildcard is a character, or set of characters, that can be used as a replacement for some other range or class of characters. Wildcards are interpreted by the shell before any other action is taken.
The old-school hacking technique, uncovered by security researchers at DefenseCode, uses specially crafted filenames featuring wildcards to inject arbitrary arguments to shell commands run by other users.
DefenseCode's whitepaper contains examples for different Unix commands and their impact if used in combination with wildcards. All Unix derivatives are potentially vulnerable.
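The mechanism described above, shown from the defender's side as an added example (not taken from the article or from DefenseCode's whitepaper): the shell expands `*` into filenames before the command starts, so a file whose name begins with `-` reaches the command as an option. The scratch directory, the file names and the function names are constructed for this illustration.

```shell
#!/bin/sh
# Constructed demo data: a scratch directory with one ordinary file and one
# file whose name looks like a command-line option.
demo_dir=$(mktemp -d)
: > "$demo_dir/report.txt"
: > "$demo_dir/-n"

# count_option_like ARGS...
# Prints how many of its arguments a typical tool would parse as options,
# i.e. how many begin with '-'. Stands in for any command given a glob.
count_option_like() {
    n=0
    for arg in "$@"; do
        case $arg in
            -*) n=$((n + 1)) ;;
        esac
    done
    echo "$n"
}

# Weak pattern: a bare * is expanded by the shell to "-n report.txt",
# so the file name "-n" arrives in argv looking exactly like an option.
unsafe_expansion() (
    cd "$1" || exit 1
    count_option_like *
)

# Hardened pattern: ./* expands to "./-n ./report.txt"; no argument can
# begin with '-', so nothing is mistaken for an option.
safe_expansion() (
    cd "$1" || exit 1
    count_option_like ./*
)

# Audit helper: list entries directly inside a directory whose names begin
# with '-', for checking directories that privileged scripts or cron jobs
# process with wildcards.
find_option_like_names() {
    find "$1" -maxdepth 1 -name '-*' -print
}
```

For tools that support it, placing `--` before the wildcard ends option parsing and has the same effect as the `./*` form.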
Although it might at first appear that the flaw only affects badly-coded shell scripts that are executed by a higher privileged user, implying that it's not especially serious, the effect could go deeper than that, according to third-party analysis of the vulnerability by security consultancy SEC Consult.
SEC Consult reckons the vulnerability has implications for the boot and shutdown sequences of servers running with high privileges on most Unix-like operating systems.
The bug potentially affects Android, iOS, OS X and all the embedded solutions running on Linux. Oracle, Red Hat and other commercial Linux-based systems might also be at risk.
"Many of these operating systems have different shell utilities and tools accepting even more command line options," SEC Consult notes in a blog post. "A short check on Ubuntu gave us at least five commands, besides the ones mentioned in the whitepaper, vulnerable to this specific problem."
Cloud service or web hosting providers running cron jobs for backups and similar tasks might also be exposed, according to SEC Consult, which argues that the vulnerability is a good candidate for further research.
"Since this bug originates from a design problem it will be very interesting on how operating system vendors address this problem. It is something you cannot fix with a simple patch. The way on how the system interacts with files has to be completely redesigned," SEC Consult writes.
"This is a 'feature' that has been present here since dawn of the internet, but nobody really tried to misuse it previously," explained Leon Juranic, chief exec of DefenseCode, in an email to El Reg. "It is both hacking technique and actual vulnerability/weakness of Unix systems. Probably all Unix distributions are vulnerable to this."
"We wanted to inform all major *nix distributions via our responsible disclosure policy about this problem before posting it," he added, "because it is highly likely that this problem could lead to local root access on many distributions. But, since part of this research contained in the document was mentioned on some blog entries, we are forced to release it in a full version."
Juranic added that the recent release of similarly-themed third-party research prompted DefenseCode to release its analysis - which it had been working on since April 2013 - earlier than it initially intended. ®