myne4 Or is it GNU/X/{GNOME|KDE|XFCE|LXDE}/Mozilla/LibreOffice/Linux?

Wut?

Umm, can someone explain?

Ekanshdeep Gupta No, we can't. You must be a Unix nerd to understand.

@@RonJohn63 Just explain it xD

I totally agree. For the system to be vulnerable an attacker still needs some attack vector allowing him/her to exploit the bug in the bash. CGI scripts can be such a vector, but newer technologies like FastCGI, WSGI are not (data from front end server like Apache is not being send to back end application via shell environment variables). Unfortunately this still leaves many devices and servers vulnerable as there are still many CGI apps out there.

Look at the source of bash and you'll know. The source of bash isn't that simple. Maybe something similar like OpenSSL: "Eew, no, I don't want to contribute to a project with such a source."

Well of course it's simple once you know about it

Jarin Udom But there sure was someone who tested it for bugs or something! I don't get how this stayed unnoticed for over a quarter of a century! Well, maybe it's just been luck.

Zardo Schneckmag There are (literally) thousands of different use cases which have to be tested for something as complex as bash. This is something which could have been tested but probably was not thought to do. Testing the function definition feature probably missed it. As others have said its taken decades before someone realized this could be done.

***** How can it beat C++ if it is a subset thereof? Also games and non Gtk GUI applications are usually written in C++ (and some in Objective C).

You can use that to download and execute malware.

@@abdulelahfallatah It's not a "virus", it's just a bug in the way it interprets environment variables. This won't affect systems that don't use bash, and this was immediately patched and is no longer an issue on modern *nix systems.

Android, as far as my research shows, is not vulnerable as it uses a custom shell, not Bash.

IceMetalPunk Ah OK.

***** Well, I generally use a PC with Windoof and just a cheap Smartphone. Normally you shouldn't even connect to a public networks or be visible from outside the router with your iPhone per port forwarding. Also I will check my router now, it's a FritBox but I don't know if the services running on there are also Linux Kernel based.

***** :P

***** Also if you're on jailbroken iOS 7 there is a patch in Cydia for it.

The ability to pass functions through environment variables is a feature. However, exploiting these variables to run code as the variable is parsed is not.

So you can run functions other than just echo?

you can pretty much do anything you can do in the terminal with this. lets say wget some script then execute said script.

***** So you can use this to execute programs at root level without actually having root access?

Taesh No! Not unless you combine it with some other privilege escalation exploit (which would be found elsewhere, not in bash itself). Even if someone can execute arbitrary code, it would be using the (limited) privileges of the user who started the specific bash instance (for example, the web server). Which is the reason that anyone running web services as root fully deserves what's coming at them...

How do you write KZbin comments on a composite TV?

using my XP SP3 pc w/ dial up kappa

kingemocut Yeah, because that's safe. There are no more security updates for XP.

***** no, i was being sarcastic.

If you have the Cygwin environment installed on your WinXP system , then you might still use an exploitable bash installed and running.

That typically solves most problems, yes.

SBwingman But will they cover it? (and demonstrate it)

***** Watch Joel’s Windows 98 destruction video.

+dattebenforcer Deleting System 32 is a huge bug in the Windows operating system.

Ryan Mattox I know, I deleted it from my PC and now it runs super fast and never crashes.

Yes to both :D

A function has to be marked for export, such as by the "-f" option to export. One of Bash's options is to export all newly created variables and functions, and is a settable parameter. One of your files (say /etc/bashrc) may have turned this off; I'm not sure what the default is. As a result, "helo" is not exported into the new environment. Dr. Bagley's Bash environment may be different from yours. It's possible if you were to execute "set -a" before trying that example that it would work. The trouble would be is if your Bash startup files turn that off, the new invocation of bash in that example would not pay attention to your "set -a" command. It may very well be turned off as a response to Shellshock. The maintainers of your GNU/Linux distribution may think the feature is used so little that breaking scripts which depend on this behavior is more acceptable than letting the exported function bug do damage. It's tough to say, I'm just waxing philosophical, and cannot speak for whoever maintains your Bash.

rchandraonline It is possible. In fact, i've tried to replicate the bug in another way, but it doesn't seem feasible. 'export -f' only accepts the function name as argument, hence it is safe. What I cannot find is how to turn on automatic export of newly created variables and functions. My bashrc file does not contain anything related apparently, so I'm assuming that by default the feature is turned off. Do you know how to turn it on? Thank you for your explaination btw!

Linux Mint doesn't use bash but a somewhat stripped down shell called dash. It doesn't have this bug. en.wikipedia.org/wiki/Almquist_shell

That'd be "set -a". Use man bash and look at the builtins section where it discusses the set command. I have a really tough time believing Mint does not have Bash. It may be an optional package (not installed by default). I use Fedora and Xubuntu myself, and the latter is a Debian derivative, as are Ubuntu and Mint.

+Edgewalker001 While it's true that Android is based of Linux, by Linux they mean the Linux kernel, not GNU, so programs built for Android won't run on Linux, and programs made for Linux won't run on Android unless there's a compatibility layer. Android is about as related to Linux as OSX is.

Atari Falcon.

DrSteveBagley And a Mega ST next to it. I am not sure what the desktop is though, seems like Teradesk. Anyway, if you are running bash on MiNT for the falcon that was also vulnerable so it's best to update.

even if an example exploit is simple does not mean the code that allows for the exploit is. But let's not forget all the awesome bash has given us, and now it is more secure then before, so we should still keep using it.

Arguably, it always was a (mis)feature, not a bug.

Jardar Oehrn hmmm... how many letters do you have to type to delete your entire hard drive with bash? That's how simple the exploit is.

You circumvented my entire statement there.

Surely it wasnt picked up?? - it is almost a typo!

"scan unseen". Maybe some unix program to check mail on the local mailserver? Bash doesn't have a builtin for checking mail, instead you invoke a unix program from bash to check your mail. For instance you can use the program "curl" to check your gmail inbox.

Needs root access/privileges though. Thanks.

If you ran the code yourself, it would harm your computer.

Thanks, that explains it!

CyborgNinja7 "to me, it seems like an obvious exploit ... I don't know much about Bash" You are a perfect example of the Dunning-Kruger effect.

RonJohn63 That's right. Ignore the rest of the comment. Consider getting a life.

+RonJohn63 Hardly, the fact that he himself points out his lack of experience shows that the Dunning-Kruger effect doesn't apply. A better example would be you who assumes that you understand what the Dunning-Kruger effect is even though you clearly don't.

Funny how he says I'm pontificating by asking questions. Real arrogant of me.

joseph byerly I don't think you know what "pretentious" means.

t@sys:~$$helo (): command not found

Almost disliked for that "GNU/Linux" line, after he corrected it ;)