As some of you may have heard, a very serious remote vulnerability in bash was disclosed today.

A quick summary of the problem: bash does not properly process function definitions, which can be exported like shell variables. After parsing the function body it keeps going and executes whatever follows in the variable's value. This is a bit like a SQL/XSS injection problem — you provide an “end” to your input, and continue writing other functions/calls after it, which then get executed.

A quick example:

A vulnerable system looks like this:
vulnerable!

A patched system looks like this:
bash: warning: x: ignoring function definition attempt
bash: error importing function definition for `x'

The second check is:

A vulnerable system looks like this:
date
# ACTUAL DATE/TIME STRING #

A patched system looks like this:
#NOTHING DISPLAYED#

This can be exploited remotely via HTTP requests to CGIs, but also over SSH: via environment variables the server allows through AcceptEnv, via TERM, and via SSH_ORIGINAL_COMMAND when a forced command is in use. By default, openssh accepts the LANG and LC_* environment variables.

Important about CGIs/HTTP:
There has been a lot of confusion online about how/what you are exploiting via CGI. By scanning the IP of a server, you are really only hitting the / (root) path of the server. This check is basically good for two things — discovering vulnerable embedded devices, and finding people that have placed their cgi-bin root on /. The reality is that these are the “quick” targets, but they are not the majority.

An example of a proper CGI exploit would look like this, given that /cgi-bin/index.cgi exists and is written in bash:

Here is the easier way with wget in one line:

In this case, throwing stuff at the root (http://192.168.1.100) would produce absolutely nothing.
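The CGI vector described above leaves a recognizable trace on the server side: the function-definition prefix `() {` sitting in a request header that the web server exports into the CGI environment (User-Agent and Referer are the usual ones). The following detection pass over access-log lines is an added example, not code from the original post; the Apache combined-format parsing, the whitespace-tolerant pattern, and the sample log lines are my own assumptions/constructed data:

```python
import re

# Shellshock payloads start with the bash function-definition marker "() {".
# Tolerating whitespace between "()" and "{" is an assumption for robustness;
# the original bash check matched the exact string "() {".
FUNC_DEF = re.compile(r"\(\)\s*\{")

# Apache "combined" log format (assumed):
#   ip ident user [timestamp] "request" status bytes "referer" "user-agent"
COMBINED = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)


def flag_headers(headers):
    """Return the names of fields whose value carries a bash function definition."""
    return [name for name, value in headers.items() if FUNC_DEF.search(value)]


def scan_combined_log(lines):
    """Return (ip, request, offending_fields) for each log line carrying the pattern."""
    hits = []
    for line in lines:
        m = COMBINED.match(line)
        if not m:
            continue  # not combined format; skip rather than guess
        fields = flag_headers({
            "Request-Line": m["req"],
            "Referer": m["referer"],
            "User-Agent": m["ua"],
        })
        if fields:
            hits.append((m["ip"], m["req"], fields))
    return hits


# Constructed sample lines (not real traffic): one benign request, one probe
# in User-Agent against a CGI path, one probe in Referer against the root path.
SAMPLE_LOG = [
    '192.0.2.10 - - [25/Sep/2014:10:00:01 +0000] "GET /index.html HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '192.0.2.77 - - [25/Sep/2014:10:00:02 +0000] "GET /cgi-bin/index.cgi HTTP/1.1" 200 12 "-" "() { :;}; echo vulnerable"',
    '192.0.2.78 - - [25/Sep/2014:10:00:03 +0000] "GET / HTTP/1.1" 404 200 "() { :;}; echo probe" "curl/7.30"',
]

if __name__ == "__main__":
    for ip, req, fields in scan_combined_log(SAMPLE_LOG):
        print(f"{ip} {req!r} -> suspicious header(s): {', '.join(fields)}")
```

Note that a hit against / (as in the third line) only tells you someone is scanning; the hit against /cgi-bin/index.cgi is the one that needs a follow-up on whether that script is bash-backed.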

Also, it’s interesting to note that it looks like there is no way to exploit the second vulnerability via HTTP/CGI.

The CVE for the first one is: http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-6271 It seems like this is a “temporary” patch.

The permanent fix is released under: http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-7169 Some are referring to this as “shellshock”.

An update on this is that the following CVEs exist: CVE-2014-7186, CVE-2014-7187, CVE-2014-6277, CVE-2014-6278 – and they are all related under the now catchy “Shellshock” vulnerability.

The full and initial details can be found here: http://seclists.org/oss-sec/2014/q3/650

Also, people like Robert have already started scanning for this: http://blog.erratasec.com/2014/09/bash-shellshock-scan-of-internet.html (this is actually an elegant way of doing it, but I think this has a lot of issues actually — see above about the “Important about CGIs”)

Rapid7 wrote an excellent blog post about this: https://community.rapid7.com/community/infosec/blog/2014/09/25/bash-ing-into-your-network-investigating-cve-2014-6271 You can see a lot of details about the “panic” effect versus the reality of this vulnerability.

Day of release – Update #1:
At last, it looks like there is already an exploit in the wild: http://www.kernelmode.info/forum/viewtopic.php?f=16&t=3505

(note: at this point there are many exploits now — including worms and botnets)

Day of release – Update 2:
It looks like there is a MetaSploit module already: https://github.com/rapid7/metasploit-framework/pull/3880

At last — here is a GREAT video summarizing everything from the SANS institute: https://www.youtube.com/watch?v=W7GaVyzkCs0
