Ask HN: Could we use Shellshock to patch vulnerable systems?

[mperd]

Since we know that it took weeks before most servers were fixed from the Heartbleed vulnerability, couldn't we use Shellshock to make a worm that would upgrade bash wherever it can? Are there legal issues about fixing a vulnerability in a system that doesn't belongs to you?

[edit] Ok, I guess the part about the legal issues was a bit candid. What I am really saying is wouldn't it be a good thing to have a worm closing vulnerabilities, compared to the thousands of hackers exploiting this vulnerability to steal or spy?

[johngalt]

It would be treated the same as exploiting a system for any other reason.

Friendly worms have been done before (welchia). The problems with friendly worms are numerous. It is more than just a legal issue. A malicious worm is looking to propagate quietly and perhaps leave some sort of backdoor control channel. A friendly worm has to propagate (faster than malicious worms), and patch (without DDoSing patching infrastructure), and self terminate (which harms it's ability to propagate). It's hard to imagine a real world scenario where a friendly worm would be effective. It would either take too long to develop, or it would do just as much damage as a regular worm.

[mperd]

Thanks, I did not know about that kind of worms or about the Welchia worm.

[feth]

In France, you deserve 3 years in jail and a fine of 45000€ for this.

http://www.legifrance.gouv.fr/affichCodeArticle.do?idArticle...

[thrillgore]

Since this is a RCE bug, sure, you can fix it. But its not your place to fix a vulnerability. It's on the vendor to provide the patch.

I will point out like its been pointed out in another comment this probably breaks the law somewhere.

[krapp]

>Are there legal issues about fixing a vulnerability in a system that doesn't belongs to you?

Yes. Because it doesn't belong to you. Therefore you have no right to 'fix' it.

[therealidiot]

I'm pretty sure in many places this would be illegal

Definitely in the UK

[JensRantil]

It's a good idea, but I would expext most applications vulnerable to not run as root. You would need to be root to patch the bash executable.

[mperd]

Good point. So I guess one would have to combine that with another vulnerability to be able to get root privileges.

We could also imagine a worm contacting the owner of the server and asking her to fix it.

[Spoom]

If you attempted to do this, you would likely end up in jail for a very long time under the CFAA. Fair warning.