Oh SNAP! Old-school '80s Unix hack to smack OSX, iOS, Red Hat?

REAL damage to *nix systems, tools ... via SIMPLE wildcard poison tricks, claims researcher

Unix-based systems, as used worldwide by sysadmins and cloud providers alike, could be hijacked by hackers abusing a hard-coded vuln that allows them to inject arbitrary commands into shell scripts executed by high-privilege users.

A class of vulnerabilities involving so-called wildcards allows a user to affect shell commands issued by other users through filename manipulation. If the other user is a privileged user, such as root, then the tactic could be used to run elevation of privilege-style attacks.

In the context of programming a wildcard is a character, or set of characters, that can be used as a replacement for some other range or class of characters. Wildcards are expanded by the shell before the command that follows them is run, so the command receives the list of matching filenames as its arguments and has no way to tell which of them were meant as options.

The old-school hacking technique, uncovered by security researchers at DefenseCode, uses specially crafted filenames featuring wildcards to inject arbitrary arguments to shell commands run by other users.
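The following script is an added illustration of the mechanism described above, not code from the article or from DefenseCode's whitepaper. It builds a throwaway directory containing constructed filenames, shows the argument list a command actually receives after the shell expands a bare `*`, and contrasts it with the standard hardening of anchoring the glob as `./*` (or ending option parsing with `--`, where the utility supports it). Directory and file names are made up for the demo.

```shell
#!/bin/sh
# Added example (not from The Register article or DefenseCode's whitepaper).
# Demonstrates how an unquoted wildcard turns a filename into a command-line
# option, and how a script can prevent it. All names here are constructed.
set -u
export LC_ALL=C   # fixed collation so glob results sort predictably

# Create the demo directory: two ordinary files plus one whose name starts
# with '-'. To the filesystem it is just a name; once it reaches a command as
# an argument it is indistinguishable from the option "-n".
make_demo_dir() {
  d=$(mktemp -d)
  printf 'alpha\n' > "$d/a.txt"
  printf 'beta\n'  > "$d/b.txt"
  printf 'gamma\n' > "$d/-n"
  printf '%s\n' "$d"
}

# Print the argument list a command would receive for a given pattern.
# The glob is expanded by the shell *before* the command starts.
show_args() {   # usage: show_args DIR PATTERN
  ( cd "$1" && printf '[%s] ' $2; echo )
}

# Vulnerable pattern: bare '*' expands to "-n a.txt b.txt", so cat treats the
# first entry as its -n (number lines) option and never reads that file.
# Returns how many output lines start with a line number.
count_numbered_unsafe() {
  d=$(make_demo_dir)
  n=$( cd "$d" && cat * | grep -c '^[[:space:]]*[0-9]' ) || true
  rm -rf "$d"
  echo "$n"
}

# Hardened pattern: './*' makes every expansion start with "./", so no entry
# can be parsed as an option. 'cat -- *' is the other common fix.
count_numbered_safe() {
  d=$(make_demo_dir)
  n=$( cd "$d" && cat ./* | grep -c '^[[:space:]]*[0-9]' ) || true
  rm -rf "$d"
  echo "$n"
}

# With the hardened glob the "-n" file is read as data like any other.
list_contents_safe() {
  d=$(make_demo_dir)
  ( cd "$d" && cat ./* ) | paste -sd ' ' -
  rm -rf "$d"
}

# Stand-alone run: show both argument lists side by side.
d=$(make_demo_dir)
echo "bare *  -> $(show_args "$d" '*')"
echo "./*     -> $(show_args "$d" './*')"
rm -rf "$d"
```

The same check (printing the expanded argument list before the real command) is a cheap way to audit cron jobs and init scripts that operate on directories writable by less privileged users, which is the exposure SEC Consult describes further down.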

DefenseCode's whitepaper contains examples for different Unix commands and their impact if used in combination with wildcards. All Unix derivatives are potentially vulnerable.

Although it might at first appear that the flaw only affects badly-coded shell scripts that are executed by a higher privileged user, implying that it's not especially serious, the effect could go deeper than that, according to third-party analysis of the vulnerability by security consultancy SEC Consult.

SEC Consult reckons the vulnerability has implications for the boot and shutdown sequences of servers running with high privileges on most Unix-like operating systems.

The bug potentially affects Android, iOS, OS X and all the embedded solutions running on Linux. Oracle, Red Hat and other commercial Linux-based systems might also be at risk.

"Many of these operating systems have different shell utilities and tools accepting even more command line options," SEC Consult notes in a blog post. "A short check on Ubuntu gave us at least five commands, besides the ones mentioned in the whitepaper, vulnerable to this specific problem."

Cloud service- or web hosting providers running cron jobs for backups and similar tasks might also be exposed, according to SEC Consult, which argues that the vulnerability is a good candidate for further research.

"Since this bug originates from a design problem it will be very interesting on how operating system vendors address this problem. It is something you cannot fix with a simple patch. The way on how the system interacts with files has to be completely redesigned," SEC Consult writes.

"This is a 'feature' that has been present here since dawn of the internet, but nobody really tried to misuse it previously," explained Leon Juranic, chief exec of DefenseCode, in an email to El Reg. "It is both hacking technique and actual vulnerability/weakness of Unix systems. Probably all Unix distributions are vulnerable to this."

"We wanted to inform all major *nix distributions via our responsible disclosure policy about this problem before posting it," he added, "because it is highly likely that this problem could lead to local root access on many distributions. But, since part of this research contained in the document was mentioned on some blog entries, we are forced to release it in a full version."

Juranic added that the recent release of similarly-themed third-party research prompted DefenseCode to release its analysis - which it had been working on since April 2013 - earlier than it initially intended. ®
