Oh SNAP! Old-school '80s Unix hack to smack OSX, iOS, Red Hat?

REAL damage to *nix systems, tools ... via SIMPLE wildcard poison tricks, claims researcher

Unix-based systems, as used worldwide by sysadmins and cloud providers alike, could be hijacked by hackers abusing a hard-coded vuln that allows them to inject arbitrary commands into shell scripts executed by high-privilege users.

A class of vulnerabilities involving so-called wildcards allows a user to affect shell commands issued by other users through filename manipulation. If the other user is a privileged user, such as root, then the tactic could be used to run elevation of privilege-style attacks.

In the context of programming, a wildcard is a character, or set of characters, that stands in for some other range or class of characters. The shell expands wildcards into matching filenames before the command they appear in is run, so the command only ever sees the expanded list of names as its arguments.

The old-school hacking technique, uncovered by security researchers at DefenseCode, uses specially crafted filenames featuring wildcards to inject arbitrary arguments to shell commands run by other users.

DefenseCode's whitepaper contains examples for different Unix commands and their impact if used in combination with wildcards. All Unix derivatives are potentially vulnerable.
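The mechanism in concrete terms, as an added example that is not taken from the DefenseCode whitepaper or SEC Consult's post: a POSIX shell script that creates a scratch directory containing a file whose name looks like an option, shows how an unquoted `*` hands that name to the command as an argument, and contrasts the `./*` form a privileged script should use. The function names and the scratch directory under `/tmp` are assumptions.

```shell
#!/bin/sh
# Constructed demonstration of wildcard argument injection (added example).
# Assumption: a POSIX sh and a writable scratch directory under /tmp.

# Build a scratch directory with one ordinary file and one file whose name
# looks like a command-line flag. The shell expands '*' before the command
# runs, so the flag-shaped name reaches the command as an argument.
setup_demo_dir() {
    d=$(mktemp -d "${TMPDIR:-/tmp}/wildcard-demo.XXXXXX")
    printf 'hello\n' > "$d/data.txt"
    : > "$d/-l"     # constructed: a filename that looks like the -l option
    printf '%s\n' "$d"
}

# Naive pattern: the same expansion a script doing `ls *` or `tar cf x *`
# would get. Returns how many expanded arguments begin with '-'.
count_option_like_args() (
    cd "$1" || exit 1
    n=0
    for arg in *; do
        case $arg in -*) n=$((n + 1)) ;; esac
    done
    echo "$n"
)

# Hardened pattern: anchoring the glob with './' guarantees no expanded
# argument can start with '-'. Commands that support it can also take '--'
# before the glob to end option parsing.
count_option_like_args_safe() (
    cd "$1" || exit 1
    n=0
    for arg in ./*; do
        case $arg in -*) n=$((n + 1)) ;; esac
    done
    echo "$n"
)

# Audit helper: count entries in a directory whose names begin with '-',
# the kind of check to run on directories a root cron job or backup script
# globs over.
find_option_like_names() {
    find "$1" -mindepth 1 -maxdepth 1 -name '-*' | wc -l | tr -d ' '
}
```

Running `ls *` in the scratch directory switches `ls` to long-listing format because of the file named `-l`; `ls ./*` does not.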

Although it might at first appear that the flaw only affects badly-coded shell scripts that are executed by a higher privileged user, implying that it's not especially serious, the effect could go deeper than that, according to third-party analysis of the vulnerability by security consultancy SEC Consult.

SEC Consult reckons the vulnerability has implications for the boot and shutdown sequences of servers running with high privileges on most Unix-like operating systems.

The bug potentially affects Android, iOS, OS X and all the embedded solutions running on Linux. Oracle, RedHat and other commercial Linux-based systems might also be at risk.

"Many of these operating systems have different shell utilities and tools accepting even more command line options," SEC Consult notes in a blog post. "A short check on Ubuntu gave us at least five commands, besides the ones mentioned in the whitepaper, vulnerable to this specific problem."

Cloud service- or web hosting providers running cron jobs for backups and similar tasks might also be exposed, according to SEC Consult, which argues that the vulnerability is a good candidate for further research.

"Since this bug originates from a design problem it will be very interesting on how operating system vendors address this problem. It is something you cannot fix with a simple patch. The way on how the system interacts with files has to be completely redesigned," SEC Consult writes.

"This is a 'feature' that has been present here since dawn of the internet, but nobody really tried to misuse it previously," explained Leon Juranic, chief exec of DefenseCode, in an email to El Reg. "It is both hacking technique and actual vulnerability/weakness of Unix systems. Probably all Unix distributions are vulnerable to this."

"We wanted to inform all major *nix distributions via our responsible disclosure policy about this problem before posting it," he added, "because it is highly likely that this problem could lead to local root access on many distributions. But, since part of this research contained in the document was mentioned on some blog entries, we are forced to release it in a full version."

Juranic added that the recent release of similarly-themed third-party research prompted DefenseCode to release its analysis - which it had been working on since April 2013 - earlier than it initially intended. ®