SHELLSHOCK Exploit: 5 Devastating CyberSecurity Flaws (Part#3)

SHELLSHOCK: 5 Devastating CyberSecurity Flaws (Part#3)

What would you do if you discovered that you cloud issue commands to half the web servers on the internet?

That's the position one software developer found himself in on a September morning in 2014.

he'd discovered a flaw in a program called bash. Bash is a shell, a text-based way to run commands on Linux, Mac and similar operating systems .it installed on most servers.
But the shell also had an obscure feature: when another program ran bash,  it clouds effectively a little note with a miniature program in  it, something like, "Hey, if you're supposed to run a routine called DRAW_A_COW, here's what it looks like."
\   ^__^
 \  (oo)\_______
    (__)\       )\/\
        ||----w |
        ||     ||

 The problem was that this note was itself code, a small program saying, "define the DRAW_A_COW routine as follows." But bash didn't know where to stop. If the note said "Define DRAW_A_COW as 'print' moo"'. Also delete every file in your directory,"Bash would say "yes, sir!" to both commands.
so that gave the developer who discovered it the power to execute commands on roughly half the internet. Fortunately, he was one of the good guys(cybersecurity researcher/bug bounty).

He immediately reported the bug, later dubbed shellshock, to software vendors, giving them a chance to fix it before the news was leaked to the hackers.
Shellshock was terrifying in a different way than stagefright and Eernalblue: Its main victim was internet infrastructure.

Servers that weren't patched were at risk of leaking usernames and passwords, having webpages defaced, being enslaved into cybercrime, or having their organization ' private information released publicly.
In another sense, though, all three of these vulnerabilities were very similar: the root cause was programmer error.

Specifically, in each case, the software received some input that it didn't check properly, a video chunk size, or a command for transferring file information, or code left by another program. Sometimes, though, the problems run even deeper than programming.


Post a Comment

Post a Comment (0)

Previous Post Next Post