Remember that incredibly stupid thing you did a decade or two ago? You wouldn't want to live it down every day. Neither should the Internet
The Shellshock vulnerability has existed for decades. You can bet the attacks that surfaced recently are not the first. No doubt, others used the exploit quietly and told no one. (Iโm looking at you, NSA and China โ I know you are watching me and, thus, know I like cat pictures.)
Frankly, this nasty bug in Bash should not be a big deal โ and wouldnโt be if it werenโt for CGI, one of the most widespread, terrible ideas ever invented.
CGI was created at the start of the Web. Along with ISAPI and NSAPI, it offered one of the first ways to create dynamic Web content. However, it essentially turns your HTTP request into a shell call. Why anyone thought giving strangers even limited shell access over HTTP was a good idea, I do not know.
Quickly, CGI gave way to using scripting languages and templating like JSP and ASP, as well as other connectors to stuff like Java, Visual Basic, and so on. Some of these, however, were launched (originally) with CGI โ and a few still are! Worse, part of the original code is still out there.
With CGI, youโre told โhere is a loaded weapon, use it carefullyโ to create really well-written CGI scripts. Obviously, carefully writing and extensively testing software is a stretch in most large projects. Moreover, in the modern business practice, hiring a few really good developers has long given way to hiring as many cheap developers as possible.
The myth of โletโs be careful with thisโ was smashed with the Shellshock bug. If not for CGI, this bug would be a minor privilege escalation path for users with permissions to kick off shell scripts as root (or other more privileged users). It would not be an โoh, did someone break the Internet again?โ-level threat. The issue is that CGI exposes the HTTP headers as environment variables, and since Bash may be kicking off your shell script, anyone on the Internet can do it.
Itโs time to put CGI to bed. Itโs time for security audits require it be disabled on the Web server. Itโs time to rewrite the code in any of the multitude of methods that followed.
Some of those methods may also have bugs, but I do not think stuff that kicks off dynamic Web applications written in hand-coded C is a tremendously great idea. Why? Because it is not hard to avoid buffer overflows and underruns. Actually, it is easy to not avoid them, as long as you arenโt writing crap code a decade or two ago with a short deadline and no unit tests.
I canโt think of anything Iโve seen exploited more often than badly written CGI scripts. With Bash also needing to be bugless, letโs start removing items from practice that are exposed publicly to all and require the developer to be โvery carefulโ when writing it. Sure, there are other obvious holes in network and computer architectures, but this is one mistake that was stupid at the beginning and has been stripped naked today.
What do you say? Join me in โbashingโ (hehe) CGI. Can we start to wipe it off the planet today?
