
Shellshock Bash Code Injection Update (Monday September 29th)


Presentation Transcript


  1. Shellshock Bash Code Injection Update (Monday September 29th)
     Johannes B. Ullrich, Ph.D., jullrich@sans.edu

  2. There are (at least) 6 vulnerabilities
     • CVE-2014-6271: Original Shellshock flaw. Found ~Sept. 14th by Stéphane Chazelas.
     • Announced/Patched Wednesday/Thursday Sept 24/25th
     • Test String: env x='() { :;}; echo vulnerable' bash -c "test"

  3. CVE-2014-7169: Modified Code Injection
     • CVE-2014-7169 bypasses protections implemented with the first patch
     • Found Thursday Sept 25th by Tavis Ormandy, patched Friday Sept 26th
     • Test String: env X='() { (a)=>\' bash -c "echo date";

  4. CVE-2014-7186
     • Out of bounds array access discovered by Florian Weimer Sept 25th
     • Could be triggered by importing array variables
     • Test String: bash -c 'true <<EOF <<EOF <<EOF <<EOF <<EOF <<EOF <<EOF <<EOF <<EOF <<EOF <<EOF <<EOF <<EOF <<EOF'

  5. CVE-2014-7187
     • word_lineno vulnerability, also found by Florian Weimer Sept. 25th.
     • Test String:
       (for x in {1..200} ; do echo "for x$x in ; do :"; done; for x in {1..200} ; do echo done ; done) > test-script.sh
       bash test-script.sh

  6. CVE-2014-6277, CVE-2014-6278: bash segfault
     • Not a lot of details yet
     • Patch (as source code) available
     • See Michal Zalewski's blog for more details: http://lcamtuf.blogspot.com

  7. Patches?
     • All major Linux distributions have patches available for CVE-2014-6271 and CVE-2014-7169 (the two original issues)
     • Source code patches are available for all other bugs and should be packaged for distribution soon

  8. Exploits in the Wild
     • Many (dozens of) different exploits are performing Internet-wide scans
     • Most just test for the vulnerability
     • Others install IRC bots or remote shells
     • Mostly looking for default "cgi-bin" type vulnerabilities
     • Some look for specific scripts

  9. Windows Systems
     • Usually not vulnerable, but can be made vulnerable by installing bash
     • Only exploitable via CGI
     • Cygwin
     • WAMP
     • …

  10. OS X
     • Includes a vulnerable version of bash
     • /bin/sh is also vulnerable (but is not a symlink to /bin/bash)
     • Not exploitable by default, unless a web server is enabled with CGI

  11. Non-Web Exploits
     • DHCP is probably the easiest exploit other than CGI
     • Attacker needs to run a DHCP server
     • Mostly affects Linux, not OS X / Windows with bash
     • SSH could be used, but only to escape restricted shells

  12. Vulnerable vs. Exploitable
     • A vulnerable version of bash is not exploitable unless an attacker can send environment variables
     • Prioritize exploitable systems (CGI!)
     • CGI, as part of the CGI standard, passes headers (User-Agent…) as environment variables

  13. Other scripting languages
     • PHP/Python/Perl may still expose vulnerable bash versions if:
       • They are run as CGI scripts
       • Environment variables are passed through to bash if called via exec/popen…

  14. What next?
     • Expect more bash issues
     • Avoid bash for cgi-bin
     • Please let us know what breaks after you patch
     • Inventory! You will have to do this again (and again)
     • SELinux: check it out, but may not help in this case

  15. Thanks!
     Questions: jullrich@sans.edu, handlers@isc.sans.edu
     https://isc.sans.edu/contact.html

  16. https://www.sans.org/webcasts
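
Slides 8 and 12 note that the scans mostly target cgi-bin and that CGI turns request headers into environment variables. The following is an added example (not part of the original presentation) that flags web access-log entries whose logged header fields carry a bash function definition and lists CGI paths first. The log lines are constructed samples in the Apache/nginx "combined" format, and the names scan_line and scan_log are hypothetical.

```python
import re

# Combined log format: host ident user [time] "request" status bytes "referer" "user-agent"
COMBINED = re.compile(
    r'^(?P<host>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<request>(?:[^"\\]|\\.)*)" (?P<status>\d{3}) \S+ '
    r'"(?P<referer>(?:[^"\\]|\\.)*)" "(?P<agent>(?:[^"\\]|\\.)*)"$'
)
# A value starting with "() {" is what bash imports as a function definition.
# Whitespace is matched loosely because scanners vary the spacing.
FUNC_DEF = re.compile(r'\(\s*\)\s*\{')

# Constructed sample lines (documentation IP ranges); the payload is the
# CVE-2014-6271 test string from slide 2.
SAMPLE_LOG = [
    '192.0.2.10 - - [29/Sep/2014:10:01:02 +0000] "GET /index.html HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '198.51.100.7 - - [29/Sep/2014:10:01:05 +0000] "GET /index.html HTTP/1.1" 200 512 "() { :;}; echo vulnerable" "-"',
    '203.0.113.5 - - [29/Sep/2014:10:01:09 +0000] "GET /cgi-bin/status HTTP/1.1" 200 87 "-" "() { :;}; echo vulnerable"',
]

def scan_line(line):
    """Return a finding dict if a logged request field carries a function definition."""
    m = COMBINED.match(line.strip())
    if not m:
        return None  # not a combined-format line
    hits = [f for f in ("request", "referer", "agent") if FUNC_DEF.search(m.group(f))]
    if not hits:
        return None
    parts = m.group("request").split()
    path = parts[1] if len(parts) >= 2 else ""
    return {
        "host": m.group("host"), "time": m.group("time"), "fields": hits,
        "path": path, "status": int(m.group("status")),
        # CGI is where headers become environment variables (slide 12)
        "cgi": "/cgi-bin/" in path or path.endswith(".cgi"),
    }

def scan_log(lines):
    """Scan all lines; findings against CGI paths are listed first."""
    findings = [f for f in map(scan_line, lines) if f]
    return sorted(findings, key=lambda f: not f["cgi"])

if __name__ == "__main__":
    for f in scan_log(SAMPLE_LOG):
        tag = "CGI" if f["cgi"] else "non-CGI"
        print(f'{f["time"]} {f["host"]} {tag} {f["path"]} via {",".join(f["fields"])}')
```

Only fields that the server logs are visible to this check; a payload sent in a header that is not logged (for example Cookie in the default combined format) will not appear.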
