Why doesn't somebody update bash using the exploit?

6 points by Prefinem ↗ HN
So, why doesn't someone exploit bash to update bash. Might do the world a small favor. I was thinking that you could issue several commands to match a range of systems, and all it would take is one to work and then bash would be updated.

15 comments

[ 2.9 ms ] story [ 48.3 ms ] thread
There was actually a great short story in 2600 a few years back about a security researcher using an exploit to create a worm that automatically patched up the vulnerable systems. Quite enjoyable, anyone remember the name of it?
Because that's hacking and totally illegal in most countries.

And this exact question was posted to Ask HN yesterday.

Edit: It looks like yesterday's discussion was flagged out of existence.

My bad, I never saw it... Didn't realize it was ever posted
Because doing so would be illegal.

And why go to jail, literally, for trying to fix other people's mistakes? Few have that little to lose.

Plus companies would claim they spend $$$$ fixing the "damage" you did (e.g. reimage the machine, audits, management meetings about it). They'll claim they "spent" $50K or something stupid after your "illegal break-in" and try to sue you.

I guess in today's world, even doing something helpful, the means that may not be "ethical" is seen as bad...
I certainly wouldn't consider this helpful. I'd rather decide when and if to undertake particular updates to my systems, not have someone else decide to try (and possibly fail) to force one on me in an ad hoc manner.
As the other commentators mention this would almost certainly be illegal, and would fall under computer-misuse laws.

That said the more likely reason is that a lot of the time you couldn't - because the bash-you're exploiting wouldn't have root privileges and would thus be unable to fix the issue.

Ah... Thanks for the explanation... I haven't done a lot of research on it yet, just worked on updating bash to fix it.
Not only would that be illegal, it would be nearly impossible, since you'd have to patch bash at the binary level.

IIR, compiled software on Linux is non-deterministic, so you'd stand an amazingly high chance of damaging the targeted system as opposed to fixing it.

So, if you could pull that one off, you'd not only be a god, but you'd be a god that would probably spend the rest of your life defending yourself in court, where ethics and justice are not really the point.

Just let the process handle it. It's way simpler and far less likely to blow up.

> So, why doesn't someone exploit bash to update bash.

Because each Bash version has different machine-language instructions. There's no realistic way to fix Bash other than by editing the plain-text source and generating binaries for each target processor type.

> ... and all it would take is one to work and then bash would be updated.

Maybe a refresher is indicated, as to the nature of modern computer binaries and how they're created.

> Maybe a refresher is indicated, as to the nature of modern computer binaries and how they're created.

I was assuming executing commands like "apt-get update bash", "yum update bash" etc to cover the majority of distros

But it's both simpler and more effective to issue those commands directly -- they would either perform the update or benignly say that the current Bash version is up to date.

And suppose a particular vulnerability test fails on a Bash version that is nonetheless vulnerable, and therefore fails to install a critical security update?

Then it is still up to the server owner...
In both cases we're talking about someone who has root authority, so the distinction between user and owner is moot.