Shellshock
Also known as Bashdoor, is a security bug in the widely used Unix Bash shell which was disclosed on 24 September 2014 though it was the vulnerability since bash was born. Many Internet daemons, such as web servers, use Bash to process certain commands, allowing an attacker to cause vulnerable versions of Bash to execute arbitrary commands. This can allow an attacker to gain unauthorized access to a computer system.
The bug causes Bash to unintentionally execute commands when they are stored in environment variables in a non-standard form. Within days, a series of further related vulnerabilities in Bash were found, leading to the need for further patches.
Stéphane Chazelas discovered the bug on 12 September 2014 and suggested the name "bashdoor". The bug was assigned the CVE identifier CVE-2014-6271 and kept under embargo until 24 September 2014 14:00 UTC, in order to ensure that security updates were available for most systems as soon as the details were made public.
Analysis of the sourcecode history of Bash shows that the vulnerabilities had existed undiscovered since approximately version 1.13 in 1992. The maintainers of the Bash sourcecode have difficulty pinpointing the time of introduction due to the lack of comprehensivechangelogs.
By 25 September, botnets based on computers compromised with this exploit were being used by attackers for distributed denial-of-service attacks and vulnerability scanning.
Apple Inc. commented that most Mac users were likely not affected, unless they are advanced users.
Background
The Shellshock vulnerability affects Bash, a program that various Unix-based systems use to execute command lines and command scripts. It is often installed as the system's default command line interface.
In Unix-based operating systems, and other operating systems that Bash supports, each running program has its own list of name/value pairs called environment variables. When one program starts another program, it provides an initial list of environment variables for the new program. Separately from these, Bash also maintains an internal list of functions, which are named scripts that can be executed from within Bash. Since Bash is both a command interpreter and a command, it is possible to execute Bash from within Bash. When this happens, the original instance of Bash can export environment variable and function definitions into the new instance. Function definitions are exported by encoding them within the environment variable list as variables whose values begin with parentheses ("()") followed by a function definition. The new instance of Bash, upon starting, scans its environment variable list for values in this format and converts them back into internal functions. Bash performs this conversion by creating a fragment of code from the value and executing it, thereby creating the function 'on-the-fly', but affected versions of Bash do not verify that the fragment is merely a function definition. Therefore, given the opportunity to execute Bash with a chosen value in its environment variable list, an attacker can execute arbitrary commands or exploit other bugs that may exist in Bash's command interpreter.
The name "shellshock" is attributed to Andreas Lindh from a Tweet on September 24, 2014 at 11:16am
Exploitation Vectors
CGI-based web server attack
When a web server uses the Common Gateway Interface (CGI) to handle a document request, it passes various details of the request to a handler program in the environment variable list. For example, the variable HTTP_USER_AGENT has a value that, in normal usage, identifies the program sending the request. If the request handler is a Bash script, or if it executes one, Bash will receive the environment variables passed by the server and will process them as described above. This provides a means for an attacker to trigger the Shellshock vulnerability with a crafted server request, such as one that identifies the requesting program as
() {echo "Hello World";}; echo "You've been hacked". It should be noted that CGI was already considered a security risk, and other methods of handling web server requests are widely used.SSH server example
OpenSSH has a "ForceCommand" feature, where a fixed command is executed when the user logs in, instead of just running an unrestricted command shell. The fixed command is executed even if the user specified that another command should be run; in that case the original command is put into the environment variable "SSH_ORIGINAL_COMMAND". When the forced command is run in a Bash shell (if the user's shell is set to Bash), the Bash shell will parse the SSH_ORIGINAL_COMMAND environment variable on start-up, and run the commands embedded in it. The user has used their restricted shell access to gain unrestricted shell access, using the Shellshock bug.
DHCP example
A DHCP client typically requests and gets an IP address from a DHCP server, but it can also be provided a series of additional options. A malicious DHCP server could provide, in one of these options, a string crafted to execute code on a vulnerable workstation or laptop.
Check your vulnerability
Run below exploits in your bash shell:
Exploit 1
env x='() { :;}; echo vulnerable' bash -c "echo this is a test"If output shows 'vulnerable', you are vulnerable.
Exploit 2
env -i X=' () { }; echo hello' bash -c 'date'
if output is 'hello', you are vulnerable.
Exploit 3
cd /tmp; env X='() { (a)=>\' bash -c "echo date"; cat echo
If output is gives date and errors, you are still vulnerable. If output shows word 'date' and errors, you are not.
Exploit 4
bash -c 'true <<EOF <<EOF <<EOF <<EOF <<EOF <<EOF <<EOF <<EOF <<EOF <<EOF <<EOF <<EOF <<EOF <<EOF' || echo "CVE-2014-7186 vulnerable, redir_stack"
Exploit 5
(for x in {1..200} ; do echo "for x$x in ; do :"; done; for x in {1..200} ; do echo done ; done) | bash || echo "CVE-2014-7187 vulnerable, word_lineno"
Solution
Check your bash version
#bash --version
Update bash
#yum update bash
Source:
http://en.wikipedia.org/wiki/Shellshock_(software_bug)
http://www.troyhunt.com/2014/09/everything-you-need-to-know-about.html
No comments:
Post a Comment