
Oh SNAP! Old-school '80s Unix hack to smack OSX, iOS, Red Hat?

REAL damage to *nix systems, tools ... via SIMPLE wildcard poison tricks, claims researcher


Unix-based systems, as used worldwide by sysadmins and cloud providers alike, could be hijacked by hackers abusing a hard-coded vuln that allows them to inject arbitrary commands into shell scripts executed by high-privilege users.

A class of vulnerabilities involving so-called wildcards allows a user to affect shell commands issued by other users through filename manipulation. If the other user is a privileged user, such as root, then the tactic could be used to run elevation of privilege-style attacks.

In the context of programming, a wildcard is a character, or set of characters, that can be used as a replacement for some other range or class of characters. Wildcards are interpreted by the shell before any other action is taken.

The old-school hacking technique, uncovered by security researchers at DefenseCode, uses specially crafted filenames featuring wildcards to inject arbitrary arguments to shell commands run by other users.
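The mechanism described above, as an added illustration that is not taken from the article or the DefenseCode whitepaper: the shell expands `*` into filenames before the command starts, so a name beginning with a dash reaches the command as an option. `seen_as_options` is a hypothetical stand-in for a utility's argument parsing, and the directory contents are constructed for the demonstration.

```shell
#!/bin/sh
# Hypothetical stand-in for a utility's argv parsing: counts the arguments
# that would be treated as options rather than as filenames.
seen_as_options() {
    n=0
    for arg in "$@"; do
        [ "$arg" = "--" ] && break      # conventional end-of-options marker
        case "$arg" in
            -?*) n=$((n + 1)) ;;        # leading dash: parsed as an option
        esac
    done
    echo "$n"
}

# Constructed directory: two ordinary files plus one whose NAME is "-n".
make_demo_dir() {
    d=$(mktemp -d) || return 1
    : > "$d/a.txt"; : > "$d/b.txt"; : > "$d/-n"
    echo "$d"
}

# Unquoted * expands to every name, so "-n" lands in argv as if typed.
unsafe_glob()   { ( cd "$1" && seen_as_options * ); }
# Mitigation 1: "--" marks everything after it as a filename.
safe_dashdash() { ( cd "$1" && seen_as_options -- * ); }
# Mitigation 2: "./*" makes every expanded name start with "./", never "-".
safe_dotslash() { ( cd "$1" && seen_as_options ./* ); }

# Audit helper: print directory entries whose names begin with a dash.
dash_names() {
    ( cd "$1" || exit 1
      for f in ./-*; do
          if [ -e "$f" ]; then printf '%s\n' "${f#./}"; fi
      done )
}

d=$(make_demo_dir)
echo "options seen: glob=$(unsafe_glob "$d") dashdash=$(safe_dashdash "$d") dotslash=$(safe_dotslash "$d")"
echo "dash-prefixed names: $(dash_names "$d")"
rm -rf "$d"
```

Scripts run by root or from cron over directories that other users can write to are the place to apply `--` or `./*`, and `dash_names` gives a quick check for names already present.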

DefenseCode's whitepaper contains examples for different Unix commands and their impact if used in combination with wildcards. All Unix derivatives are potentially vulnerable.

Although it might at first appear that the flaw only affects badly-coded shell scripts that are executed by a higher privileged user, implying that it's not especially serious, the effect could go deeper than that, according to third-party analysis of the vulnerability by security consultancy SEC Consult.

SEC Consult reckons the vulnerability has implications for the boot and shutdown sequences of servers running with high privileges on most Unix-like operating systems.

The bug potentially affects Android, iOS, OS X and all the embedded solutions running on Linux. Oracle, Red Hat and other commercial Linux-based systems might also be at risk.

"Many of these operating systems have different shell utilities and tools accepting even more command line options," SEC Consult notes in a blog post. "A short check on Ubuntu gave us at least five commands, besides the ones mentioned in the whitepaper, vulnerable to this specific problem."

Cloud service or web hosting providers running cron jobs for backups and similar tasks might also be exposed, according to SEC Consult, which argues that the vulnerability is a good candidate for further research.

"Since this bug originates from a design problem it will be very interesting on how operating system vendors address this problem. It is something you cannot fix with a simple patch. The way on how the system interacts with files has to be completely redesigned," SEC Consult writes.

"This is a 'feature' that has been present here since dawn of the internet, but nobody really tried to misuse it previously," explained Leon Juranic, chief exec of DefenseCode, in an email to El Reg. "It is both hacking technique and actual vulnerability/weakness of Unix systems. Probably all Unix distributions are vulnerable to this."

"We wanted to inform all major *nix distributions via our responsible disclosure policy about this problem before posting it," he added, "because it is highly likely that this problem could lead to local root access on many distributions. But, since part of this research contained in the document was mentioned on some blog entries, we are forced to release it in a full version."

Juranic added that the recent release of similarly-themed third-party research prompted DefenseCode to release its analysis - which it had been working on since April 2013 - earlier than it initially intended. ®
