Feeds

Oh SNAP! Old-school '80s Unix hack to smack OSX, iOS, Red Hat?

REAL damage to *nix systems, tools ... via SIMPLE wildcard poison tricks, claims researcher

Build a business case: developing custom apps

Unix-based systems, as used worldwide by sysadmins and cloud providers alike, could be hijacked by hackers abusing a hard-coded vuln that allows them to inject arbitrary commands into shell scripts executed by high-privilege users.

A class of vulnerabilities involving so-called wildcards allows a user to affect shell commands issued by other users through filename manipulation. If the other user is a privileged user, such as root, then the tactic could be used to run elevation of privilege-style attacks.

In the context of programming a wildcard is a character, or set of characters, that can be used as a replacement for some other range or class of characters. Wildcards are interpreted by a shell script before any other action is taken.

The old-school hacking technique, uncovered by security researchers at DefenseCode, uses specially crafted filenames featuring wildcards to inject arbitrary arguments to shell commands run by other users.

DefenseCode's whitepaper contains examples for different Unix commands and their impact if used in combination with wildcards. All Unix derivatives are potentially vulnerable.

Although it might at first appear that the flaw only affects badly-coded shell scripts that are executed by a higher privileged user, implying that it's not especially serious, the effect could go deeper than that, according to third-party analysis of the vulnerability by security consultancy SEC Consult.

SEC Consult reckons the vulnerability has implications for the boot and shutdown sequences of servers running with high privileges on most Unix-like operating systems.

The bug potentially affects Android, iOS, OS X and all the embedded solutions running on Linux. Oracle, RedHat and other commercial Linux based systems might also be at risk.

"Many of these operating systems have different shell utilities and tools accepting even more command line options," SEC Consult notes in a blog post "A short check on Ubuntu gave us at least five commands, besides the ones mentioned in the whitepaper, vulnerable to this specific problem."

Cloud service- or web hosting providers running cron jobs for backups and similar tasks might also be exposed, according to SEC Consult, which argues that the vulnerability is a good candidate for further research.

"Since this bug originates from a design problem it will be very interesting on how operating system vendors address this problem. It is something you cannot fix with a simple patch. The way on how the system interacts with files has to be completely redesigned," SEC Consult writes.

"This is a 'feature' that has been present here since dawn of the internet, but nobody really tried to misuse it previously," explained Leon Juranic, chief exec of DefenseCode, in an email to El Reg."It is both hacking technique and actual vulnerability/weakness of Unix systems. Probably all Unix distributions are vulnerable to this."

"We wanted to inform all major *nix distributions via our responsible disclosure policy about this problem before posting it,” he added, “because it is highly likely that this problem could lead to local root access on many distributions. But, since part of this research contained in the document was mentioned on some blog entries, we are forced to release it in a full version."

Juranic added that the recent release of similarly-themed third-party research prompted DefenseCode to release its analysis - which it had been working on since April 2013 - earlier than it initially intended. ®

Endpoint data privacy in the cloud is easier than you think

More from The Register

next story
14 antivirus apps found to have security problems
Vendors just don't care, says researcher, after finding basic boo-boos in security software
'Things' on the Internet-of-things have 25 vulnerabilities apiece
Leaking sprinklers, overheated thermostats and picked locks all online
iWallet: No BONKING PLEASE, we're Apple
BLE-ding iPhones, not NFC bonkers, will drive trend - marketeers
Multipath TCP speeds up the internet so much that security breaks
Black Hat research says proposed protocol will bork network probes, flummox firewalls
Only '3% of web servers in top corps' fully fixed after Heartbleed snafu
Just slapping a patched OpenSSL on a machine ain't going to cut it, we're told
Microsoft's Euro cloud darkens: US FEDS can dig into foreign servers
They're not emails, they're business records, says court
Plug and PREY: Hackers reprogram USB drives to silently infect PCs
BadUSB instructs gadget chips to inject key-presses, redirect net traffic and more
How long is too long to wait for a security fix?
Synology finally patches OpenSSL bugs in Trevor's NAS
prev story

Whitepapers

7 Elements of Radically Simple OS Migration
Avoid the typical headaches of OS migration during your next project by learning about 7 elements of radically simple OS migration.
Implementing global e-invoicing with guaranteed legal certainty
Explaining the role local tax compliance plays in successful supply chain management and e-business and how leading global brands are addressing this.
Consolidation: The Foundation for IT Business Transformation
In this whitepaper learn how effective consolidation of IT and business resources can enable multiple, meaningful business benefits.
Solving today's distributed Big Data backup challenges
Enable IT efficiency and allow a firm to access and reuse corporate information for competitive advantage, ultimately changing business outcomes.
A new approach to endpoint data protection
What is the best way to ensure comprehensive visibility, management, and control of information on both company-owned and employee-owned devices?