Eh, Just Talking About Shellshock Exploit

Oh no! A second major exploit has been revealed within the past year that allows shell access to many machines using GNU's Bash. Who would've thought our systems were so vulnerable all these years? I for one am not surprised. The complexity of GNU applications is actually higher than you may expect! Let's take the `cat` program for example. If you look at this, https://gist.github.com/dchest/1091803, it's clear the GNU version is the most complex of them all. The reason for this is that people accept patches that add feature upon feature to GNU programs, and they tend to grow over the years.

Honestly, depending on how you look at it, the Shellshock exploit is not bash's fault. That was just typical bash behavior. Why would anyone expect a shell such as bash to work exactly how they think it'll work? Someone in ##linux on freenode actually mentioned seeing people using the Shellshock syntax before in #bash, but for entirely different purposes. Now these Shellshock patches will break all those people's patches! So evil! If you ask someone who's used bash before, they'll tell you it's like working with black magic. I think the Apache guys should have foreseen this, considering it's a relatively simple exploit. Heck, I'm assuming tons of developers may have even used this as a feature. Secondly, I think no one should be using bash. It's bloated to hell and hardly anyone uses it to its full "potential", if you want to even call it that.

There are many alternative shells out in the wild. I've personally used rc, ipython, and dash. Each has its own scripting language. rc's is like C; ipython is obviously Python; dash has a simplified bash language. Honestly, pick any flavor because they can do the same things. rc is cool because it's a nice minimalistic shell. I liked ipython because Python was the scripting language used in the shell. Since bash is so widespread though, I stick to dash because of their similarities.

With that I leave you with a nice George Carlin video, because why not.


...See you Monday folks! Hopefully one of my neat projects will be done by then so I can write about it. I find after two weeks of writing these posts it's becoming difficult to find things to write about. I have a few things in mind but nothing that fills up the next week.

env X="() { :;} ; echo peace" /bin/sh -c "echo out"
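
The one-liner above checks whether a shell runs a command that trails a function definition in an environment variable. As an added example (not code from the original post), the script below wraps the same probe so each shell on a machine can be checked and classified; the names `probe_shell` and `audit_shells` and the marker string are assumptions made for this example.

```shell
#!/bin/sh
# Added example: classify a shell using the same probe as the post's one-liner.

# probe_shell PATH -> prints vulnerable | not-vulnerable | error
probe_shell() {
    shell=$1
    [ -x "$shell" ] || { echo error; return 0; }
    # Constructed marker so ordinary output cannot be mistaken for a hit.
    marker="shellshock-probe-$$"
    # X holds a function definition followed by a trailing command. An affected
    # bash runs the trailing echo while importing X; other shells treat X as a
    # plain string and only print "out".
    out=$(env X="() { :;} ; echo $marker" "$shell" -c "echo out" \
          2>/dev/null </dev/null) || { echo error; return 0; }
    case $out in
        *"$marker"*) echo vulnerable ;;
        *out*)       echo not-vulnerable ;;
        *)           echo error ;;
    esac
}

# audit_shells [LIST] -> one "path<TAB>verdict" line per entry in LIST
# (defaults to /etc/shells; blank lines and # comments are skipped).
audit_shells() {
    list=${1:-/etc/shells}
    [ -r "$list" ] || return 1
    while IFS= read -r entry; do
        case $entry in ''|'#'*) continue ;; esac
        printf '%s\t%s\n' "$entry" "$(probe_shell "$entry")"
    done < "$list"
}

# With arguments, probe just those shells: sh probe.sh /bin/bash /bin/sh
if [ "$#" -gt 0 ]; then
    for s in "$@"; do
        printf '%s\t%s\n' "$s" "$(probe_shell "$s")"
    done
fi
```

A `not-vulnerable` verdict here covers only the behaviour the one-liner tests, so it is a quick triage check rather than proof that a bash build is fully patched.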
