Shellshock Bash Vulnerability

Unix/Linux Bash: Critical security hole uncovered, and it seems to be all over the news. The claim is that the popular Linux and Unix shell has a serious security problem that means real trouble for many web servers. Let’s check the facts first: is this real, according to some reliable source? There is a Vulnerability Summary for CVE-2014-6271 (and updates), so this is real:

“GNU Bash through 4.3 processes trailing strings after function definitions in the values of environment variables, which allows remote attackers to execute arbitrary code via a crafted environment.”

This means that the flaw involves how Bash handles environment variables. Bash lets functions be exported to child shells through the environment: a variable whose value starts with “() {” is parsed as a function definition when a new Bash starts. Vulnerable versions do not stop parsing at the closing brace but also execute whatever follows it. So anyone who can set an environment variable with a specially crafted value before Bash is invoked gets their code executed as soon as the shell starts, whether or not the script that runs afterwards ever looks at that variable.

Does not look good. The report says that there are vectors involving OpenSSH sshd, the mod_cgi and mod_cgid modules in the Apache HTTP Server, scripts executed by unspecified DHCP clients, and other situations. Red Hat has an extended list of situations that involve Bash in a remote context.

The Bash flaw seems to have gotten a name. CVE-2014-6271 is also known as “Shellshock” or “Shell Shocked”.

Remember Heartbleed? If you believe the hype today, Shellshock is in that league. The claims that the Bash bug is as big as Heartbleed seem to have some real justification:

The first reason is that the bug interacts with other software in unexpected ways: an enormous percentage of software invokes the shell in some fashion.

This Bash bug has been around for a long, long time: the vulnerability affects versions 1.14 through 4.3 of GNU Bash. That means there are lots of old devices on the network vulnerable to this bug. The number of systems needing to be patched, but which won’t be, is much larger than with Heartbleed.

It’s things like CGI scripts, deep within a website, that are vulnerable. Nobody knows how many of them are in use and where. For many Unix or Linux web servers it’s a major problem. The root of the problem is that Bash is frequently used as the system shell, and a CGI web server copies request data such as the User-Agent, Referer and Cookie headers and the query string into environment variables (HTTP_USER_AGENT, QUERY_STRING and friends) before it launches the script. Thus, if an application runs a Bash script (or anything that spawns Bash) over HTTP through the Common Gateway Interface (CGI), whatever a user puts into those request fields reaches Bash as an environment variable and the web server could be hacked, whether or not the script ever reads that field. It is pretty ‘point and click’ simple to attack, and Shellshock Bash vulnerability online checkers are already available.

This exploit is really nasty because it doesn’t require a username or password to trigger it. The major attack vectors identified so far are HTTP requests and CGI scripts.

This is not only a Linux problem: it could allow attackers to execute code on Linux, Unix, and Mac OS X.

Internet-of-things devices like video cameras and some SCADA/ICS devices are especially vulnerable because a lot of their software is built from web-enabled Bash scripts, and they are less likely to be patched. It’s embedded web servers on odd ports that are the real danger. (Many small devices run BusyBox’s ash rather than Bash, and ash is not affected by this bug, but you have to check which shell the firmware actually ships and whether Bash was added on top of it.)

The Bash ‘shellshock’ bug is wormable article says that this thing is clearly wormable, and can easily worm past firewalls and infect lots of systems. The Bash bug fallout: Shell Shocked yet? You will be … when this becomes a worm article says that experts warn of much carnage to come.

The race is on: will you be able to patch before Metasploit has a working exploit? Coders are busy putting together a Metasploit module that demonstrates the Bash bug (CVE-2014-6271).

Much of the impact of the Shell Shocked vulnerability is unknown and will surface in the coming months as researchers, admins and attackers (natch) find new avenues of exploitation. It’s not just the web: other services are vulnerable too, such as the DHCP client scripts mentioned in the initial advisory. This is the sort of exploit that will be lurking around in all various and sundry sorts of software, both local and remote.

How can I test the system vulnerability?

First you can log into your Linux system and run the following command to see the version of Bash you have:

bash --version

Red Hat recommends using the following command to check the installed bash package version:

rpm -qa bash

The Bug in Bash shell creates big security hole on anything with *nix in it article has a simple shell test command (which I could not get working as expected). The How do I recompile Bash to avoid the remote exploit CVE-2014-6271 and CVE-2014-7169? discussion has test code that seems to work. It uses the same idea as the Fedora test code.

The CVE-2014-6271 / Shellshock & How to handle all the shells! article has one test script. The Everything you need to know about the Shellshock Bash bug article has a web request example. Bash ‘shellshock’ scan of the Internet has some example configuration.

There are Shellshock Bash Vulnerability Online Checkers Available, for example the CVE-2014-6271/CVE-2014-7169 test page. Keep in mind that an online checker only probes the URL you give it from the outside; a clean result there says nothing about the SSH, DHCP or mail vectors on the same host, so test locally as well.
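To pull those scattered test commands together, here is an added example (my own script, not code from the original post or from any of the articles linked above). It runs the CVE-2014-6271 and CVE-2014-7169 checks from a POSIX shell and then delivers the same payload the way a CGI web server would, through an HTTP_USER_AGENT environment variable, which is the HTTP vector discussed above. The function names, the “VULNERABLE” marker string and the throwaway CGI script are my own choices; the temporary file and directory come from mktemp.

```shell
#!/bin/sh
# Added example: local Shellshock checks for CVE-2014-6271 and CVE-2014-7169,
# plus the same payload delivered the way a CGI server delivers it.
# Each check prints a verdict and returns 0 = patched, 1 = vulnerable,
# 2 = could not test (no bash, or no temp space).

# CVE-2014-6271: a value that begins with "() {" is imported as a function
# when bash starts; an unpatched bash also runs what follows the closing brace.
check_6271() {
    command -v bash >/dev/null 2>&1 || { echo "no-bash"; return 2; }
    out=$(env x='() { :;}; echo VULNERABLE' bash -c 'echo probe' 2>/dev/null)
    case "$out" in
        *VULNERABLE*) echo "vulnerable CVE-2014-6271"; return 1 ;;
        *)            echo "patched"; return 0 ;;
    esac
}

# CVE-2014-7169: after the first fix, parser state still leaked from the
# crafted value, so the redirection in it turns "echo date" into "date > echo"
# and a file named "echo" appears in the working directory.
check_7169() {
    command -v bash >/dev/null 2>&1 || { echo "no-bash"; return 2; }
    dir=$(mktemp -d) || { echo "no-tmpdir"; return 2; }
    ( cd "$dir" && env x='() { (a)=>\' bash -c 'echo date' >/dev/null 2>&1 )
    if [ -e "$dir/echo" ]; then
        rm -rf "$dir"; echo "vulnerable CVE-2014-7169"; return 1
    fi
    rm -rf "$dir"; echo "patched"; return 0
}

# CGI vector: mod_cgi exports request headers as HTTP_* variables before it
# runs the script, so a crafted User-Agent fires when bash starts even though
# the throwaway CGI script below never reads HTTP_USER_AGENT.
check_cgi() {
    command -v bash >/dev/null 2>&1 || { echo "no-bash"; return 2; }
    script=$(mktemp) || { echo "no-tmpfile"; return 2; }
    printf '%s\n' 'echo "Content-type: text/plain"' 'echo' 'echo "hello from cgi"' >"$script"
    out=$(env HTTP_USER_AGENT='() { :;}; echo VULNERABLE' bash "$script" 2>/dev/null)
    rm -f "$script"
    case "$out" in
        *VULNERABLE*) echo "vulnerable via CGI header"; return 1 ;;
        *)            echo "patched"; return 0 ;;
    esac
}

# Run all three, print one line per check, return 1 if anything is vulnerable.
shellshock_check() {
    command -v bash >/dev/null 2>&1 && bash --version 2>/dev/null | head -n 1
    rc=0
    for f in check_6271 check_7169 check_cgi; do
        st=0
        msg=$($f) || st=$?
        [ "$st" -eq 1 ] && rc=1
        printf '%-11s %s\n' "$f" "$msg"
    done
    return $rc
}

shellshock_check
```

Save it as shellshock-check.sh and run it with sh; a non-zero exit means at least one probe fired. The CGI probe needs no web server: it reproduces only the part that matters, the header value being placed in the environment before Bash starts.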

What can you do?

The Unix/Linux Bash: Critical security hole uncovered article says that first you should sanitize the web applications’ inputs. If you’ve already done this against such common attacks as cross-site scripting (XSS) or SQL injection, you’ll already have some protection, though note that the Shellshock payload travels in request headers like User-Agent that your application may never look at, so input sanitization helps less here than it does against XSS or SQL injection. Akamai’s recommendation is to switch “away from using Bash to another shell” if possible (the problem could be that the alternative shell will not use exactly the same syntax and may not have all the same features).

Because Bash is the system shell, other services are in danger too. OpenSSH is also vulnerable via the use of AcceptEnv variables, TERM, and SSH_ORIGINAL_COMMAND. However, since to reach those you already need an authenticated session, you’re relatively safe; the case that matters is accounts restricted to a forced command (ForceCommand in sshd_config or command= in authorized_keys, as used for git- or rsync-only keys), because SSH_ORIGINAL_COMMAND then lets such a user run arbitrary commands and escape the restriction. Consider limiting SSH access if you have many users. Switching to zsh only helps if you also remove Bash from the system (and make sure /bin/sh is not just a link to it).

The Bash Code Injection Vulnerability via Specially Crafted Environment Variables (CVE-2014-6271, CVE-2014-7169) article gives some tips for temporary work-arounds for web services using mod_security and iptables.
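As an added example (not code from the Red Hat article or from this post), the following shell snippet applies the same request signature those mod_security and iptables workarounds key on, the bytes “() {” (hex 28 29 20 7B) and their URL-encoded form, to Apache access-log lines, which is useful for triaging logs for attempts against hosts that were not yet patched. The sample log lines are constructed, and the pattern and function names are mine.

```shell
#!/bin/sh
# Added example: triage web logs for Shellshock probes using the same
# signature the mod_security / iptables workarounds match on.
# Bash only imports a function from a value that begins with exactly
# "() {" (bytes 28 29 20 7B); the pattern below is slightly looser on
# whitespace so that log triage over-matches rather than misses, and it
# also catches the URL-encoded form seen in query strings.
SHELLSHOCK_RE='\(\)[[:space:]]*\{|%28%29(%20|\+)*%7[bB]'

# Print every stdin line that carries the signature; exit 1 if none did.
shellshock_grep() {
    grep -E "$SHELLSHOCK_RE"
}

# Constructed sample access-log lines (not real traffic): two benign
# requests, one crafted User-Agent, one URL-encoded payload in the query.
sample_log() {
    cat <<'EOF'
10.0.0.5 - - [25/Sep/2014:10:00:01 +0000] "GET /cgi-bin/status HTTP/1.1" 200 512 "-" "Mozilla/5.0"
10.0.0.9 - - [25/Sep/2014:10:00:02 +0000] "GET /cgi-bin/status HTTP/1.1" 200 512 "-" "() { :;}; /bin/ping -c 1 198.51.100.7"
10.0.0.9 - - [25/Sep/2014:10:00:03 +0000] "GET /cgi-bin/status?x=%28%29%20%7B%20%3A%3B%7D%3B%20id HTTP/1.1" 200 12 "-" "curl/7.37.0"
10.0.0.12 - - [25/Sep/2014:10:00:04 +0000] "GET /index.html HTTP/1.1" 200 1024 "-" "Mozilla/5.0 (X11; Linux)"
EOF
}

# Number of suspicious lines in the sample.
count_hits() {
    sample_log | shellshock_grep | wc -l | tr -d ' '
}

# Usage: report on the sample; for a real log run
#   shellshock_grep < /var/log/httpd/access_log
echo "suspicious lines in sample: $(count_hits)"
sample_log | shellshock_grep
```

A signature filter like this is a stopgap, not a fix: it covers only the HTTP path it is applied to, and nothing of the mail, DHCP or SSH vectors.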

The real fix will be to replace the broken Bash with a new, secure one. This means lots of work for many administrators to install updates. Bash’s developers have patched all current versions of Bash, from 3.0 to 4.3. Note that the first fix for CVE-2014-6271 was incomplete, which is why CVE-2014-7169 exists, so make sure the update you install covers both. Most people invest heavily in Windows patching and are utterly awful at patching Linux. Your Linux systems need this patch. Patches have been issued by the major Linux distribution vendors for affected versions. Because Bash is open source, you also have the option to recompile it yourself to avoid the remote exploits CVE-2014-6271 and CVE-2014-7169; Fedora has instructions on how to download and compile. You will need to patch ASAP.

Some systems are partly immune (geeky bit: on Debian-based systems /bin/sh is Dash, so CGI scripts run via /bin/sh do not go through Bash), but Bash is usually still installed and used for anything with #!/bin/bash or as a login shell, so you should check just in case.

 

58 Comments

  1. Tomi Engdahl says:

    Bored hackers flick Shellshock button to OFF as payloads shrink
    But beware of complacency, warn Akamai bods
    http://www.theregister.co.uk/2014/10/03/shellshock_bored_hackers_giving_up_droves/

    Malicious and benign attacks against systems vulnerable to Shellshock had halved by Sunday after peaking three days following the bug’s disclosure, Akamai researchers say.

    The variety of payloads targeting vulnerable sites increased dramatically over the same period before tapering off, in a possible sign that hackers were bored with the bug.

    The number of unique payloads increased from 43 on day zero to a whopping 10,716 just 24 hours later. It peaked on 27 September at 20,753 before falling off.

    The numbers demonstrated the effectiveness of Shellshock as an attack vector, researchers Ezra Caltum, Adi Ludmer and Ory Segal wrote in a co-authored post.

    “One of the troubling aspects of the Shellshock vulnerability is the ease of exploitation, which can be seen by the dramatic increase in the number of unique payloads between the first and the second days,” they said.

    “The sheer number of creative payloads also demonstrates how effective and deadly this vulnerability can be – most of the scanning and exploitation process is already fully automated.

    “With such a low barrier to entry, and the simplicity of writing powerful exploits, we believe that Shellshock-based attacks are going to stay around for months if not years, and will probably top the botnet infection method charts in the near future.”

    Almost 300,000 gaming domains made up the vast majority of Shellshock targets, with consumer electronics, email marketing among the less affected industries.

    Reply
  2. Tomi Engdahl says:

    Report: Criminals use Shellshock against mail servers to build botnet
    Oct 27, 2014
    http://www.csoonline.com/article/2839054/vulnerabilities/report-criminals-use-shellshock-against-mail-servers-to-build-botnet.html

    However unlikely, their stab in the dark approach is working

    Targeting message transfer agents (MTAs), and mail delivery agents (MDAs), criminals are using Shellshock as a means to create botnets. The process is slow, but working, thanks to unpatched installations of Bash or certain implementations of it.

    “We suspect bad actors may be conducting an initial dry run, in preparation for a real, potentially larger-scale attack. We believe it’s only a matter of time before attackers exploit the vulnerability to redirect users to malicious hosts, which can result in further compromise,” FireEye wrote at the time.

    How right they were. Among the findings from FireEye was a proof-of-concept script that created an IRC-based (Internet Relay Chat) botnet, capable of sending spam, initiating a DDoS attack, or performing remote command execution on the compromised host.

    On Friday, CSO became aware of a Shellshock-based campaign targeting organizations in Europe and the United States. It spreads via email, using Shellshock exploitation code in the message header fields. If successful, it delivers a simple Perl script as the payload, which adds the host to a botnet commanded from IRC.

    The Shellshock campaign targets mail servers, searching for vulnerable MTAs / MDAs. The messages themselves are blank, but the code needed to exploit the Shellshock vulnerability is placed into the message’s headers.

    The script that powers the botnet behind this recent campaign is called Legend, and it has existed for several years now. The Legend script is simplistic, but effective once installed on a system.

    Once installed, Legend will connect the compromised host to a pre-configured IRC server, where the attacker can issue commands individually or as a group.

    The following MTAs / MDAs are directly impacted by Shellshock in some cases, depending on their configuration.

    Courier Mail Server
    Exim
    QMail
    Postfix / Procmail

    There is at least one Shellshock exploit for Postfix circulating online

    Reply
  3. Tomi Engdahl says:

    VXers Shellshocking embedded BusyBox boxen
    It’s 2014 and some people are still using default user names and passwords
    http://www.theregister.co.uk/2014/11/17/vxers_get_busy_shellshocking_busybox_boxen/

    Malware writers have crafted new wares to attack embedded devices running BusyBox and not yet patched against the ShellShock vulnerability, researcher Rhena Inocencio says.

    Miscreants’ tool of choice for such attacks is malware called “Bashlite” that, once executed on a victim machine, probes for devices such as routers and Android phones running BusyBox to brute force logins through a preset list of usernames and passwords.

    Trend Micro’s Inocencio said the variant would download and run bin.sh and bin2.sh scripts to gain control over Busybox systems once a connection was established.

    “Remote attackers can possibly maximise their control on affected devices by deploying other components or malicious software into the system depending on their motive,” Inocencio said.

    “As such, a remote attacker can issue commands or download other files on the devices thus compromising its security.”

    Attackers attempted to log in using user names ‘root’, ‘admin’ and ‘support’ and common and default passwords ‘toor’, ‘password’, ‘123456’ and so on.

    Reply
  4. Tomi Engdahl says:

    BASHLITE Malware Uses ShellShock to Hijack Devices Running BusyBox
    http://www.securityweek.com/bashlite-malware-uses-shellshock-hijack-devices-running-busybox

    A new version of the BASHLITE malware is designed to scan compromised networks for devices that use BusyBox and attempts to gain control of them by leveraging the recently disclosed GNU Bash vulnerability referred to as ShellShock.

    ELF_BASHLITE.A checked to see if infected devices were running BusyBox, a set of programs needed to run a Linux system. BusyBox is designed for embedded operating systems such as the ones running on routers.

    A newer version of BASHLITE spotted by Trend Micro researchers (ELF_BASHLITE.SMB) is designed not only to identify systems running BusyBox, but to also hijack them.

    The malware first scans the network for BusyBox devices and attempts to access them by using a predefined list of usernames and passwords. The list of passwords includes “root,” “admin,” “12345,” “pass,” “password” and “123456.”

    “Once a connection is established, it runs the command to download and run bin.sh and bin2.sh scripts, gaining control over the Busybox system,”

    Trend Micro advises administrators to make sure they change the default credentials on their network devices and disable remote shell if possible.

    Earlier this week, the cross-browser testing service BrowserStack revealed that cybercriminals breached an unpatched server using ShellShock and ultimately gained access to customer information.

    Reply
  5. Tomi Engdahl says:

    Is DD-WRT Vulnerable to the Shellshock Bash Bug?
    http://www.stevejenkins.com/blog/2014/09/is-dd-wrt-vulnerable-to-the-shellshock-bash-bug/

    By default, the shell used by DD-WRT is displayed when you ssh into your router:
    BusyBox v1.21.0 (2014-06-07 21:56:38 CEST) built-in shell (ash)

    The built-in BusyBox “ash” shell is different than Bash, and I’ve run the exploit tests from my Fedora Shellshock article against ash in DD-WRT and got the following results

    So the good news is that the default ash shell in DD-WRT is not affected by the Shellshock bug.

    Now the bad news…

    If you’ve installed OptWare on your DD-WRT router (if you don’t know what OptWare is… relax, because that means you haven’t installed it), Bash was installed on your DD-WRT router with OptWare. And the Bash shell installed with OptWare is vulnerable to the Shellshock bug, as users on the DD-WRT forums are reporting after running the exploit tests.

    “The only way the shellshock bug could be exploited is, that a user installs an app, e.g. apache that uses cgi to call bash and is available from wan.”

    Reply
  6. Tomi Engdahl says:

    Shellshock Exploits Targeting SMTP Servers at Webhosts

    The persistence of the Shellshock vulnerability remains high more than a month after it first surfaced.

    The latest attacks involved SMTP servers belonging to web hosts, said a report published by the SANS Internet Storm Center.

    “The attack leverages Shellshock as a main attack vector through the subject, body, to, from fields,” BDS said on its website. “Once compromised, a perl botnet is activated and beaconing on IRC for further instructions.”

    The SANS alert said the perl bot contains simple DDoS commands, and can also receive and execute additional malware.

    “It’s unknown which product would specifically be vulnerable to this since Shellshock relies on system level calls and leveraging bash however it seems to be a fairly wide-scale delivery of emails across the United States,” BDS added.
    http://threatpost.com/shellshock-exploits-targeting-smtp-servers-at-webhosts/109034

    Reply
  7. Tomi Engdahl says:

    Shellshock Attacks Still Cheap and Easy: IBM
    http://www.securityweek.com/shellshock-attacks-still-cheap-and-easy-ibm

    Two and a half years after being discovered, the Shellshock vulnerability continues to be abused in attacks, and for a good reason: it is a very cheap and easy attack, IBM says.

    Discovered in September 2014, Shellshock is a vulnerability found within the bourne-again shell (BASH), the default command shell in almost each and every Linux and Unix system at the time. An attacker able to abuse the security flaw could execute commands with super-user privileges remotely.

    Tracked as CVE-2014-6271, the issue was found to affect a great deal of devices, including Web servers and Internet-of-Things (IoT) devices such as DVRs, printers, automotive entertainment systems, routers and even manufacturing systems. Mac OS X systems were also impacted.

    With many applications relying on BASH, an attacker could exploit the vulnerability by sending a command sequence to the web server to be interpreted with the BASH.

    In July 2015, researchers warned that Shellshock was still being abused, and the attacks continue nearly two years later. Many vulnerable devices haven’t been patched to this day, and attackers are enticed to continue hitting those targets.

    “Attackers need only a server, basic programming skills and access to malware to carry out this type of attack. The level of knowledge and effort required is quite low. Fraudsters can simply launch attacks against hundreds of different IP addresses per minute and wait to hit a vulnerable server by chance,” IBM’s Joerg Stephan explains.

    To carry out a Shellshock attack, an attacker only needs to spend around $5 a month, Stephan says. For just over $30, an attacker could target around 1 million servers within a six-month period, which could translate into 100,000 victims, as roughly 10% of all servers remain unpatched, IBM says.

    To show just how simple it would be to come up with the necessary code, IBM’s researcher published some basic Python code that can do the trick.

    A bash script would download a bot from the server, save it to a certain path, make the file executable and run it, and could also include a line to execute the bot after each reboot, for persistence.

    Reply
