<!DOCTYPE html>
<html lang="en">
<head>
<meta charset="utf-8">
<title>Understanding the Shellshock Vulnerability</title>
<meta name="viewport" content="width=device-width, initial-scale=1.0">
<meta name="description" content="">
<meta name="author" content="Marina von Steinkirch">
<!-- Le styles -->
<link rel="stylesheet" href="./theme/css/bootstrap.dark.css" type="text/css" />
<style type="text/css">
body {
padding-top: 60px;
padding-bottom: 40px;
}
.tag-1 {
font-size: 13pt;
}
.tag-2 {
font-size: 11pt;
}
.tag-3 {
font-size: 10pt;
}
.tag-4 {
font-size: 8pt;
}
</style>
<link href="./theme/css/bootstrap-responsive.dark.css" rel="stylesheet">
<link href="./theme/css/font-awesome.css" rel="stylesheet">
<link href="./theme/css/pygments.css" rel="stylesheet">
<!-- Le fav and touch icons -->
<link rel="shortcut icon" href="./theme/images/favicon.ico">
<link rel="apple-touch-icon" href="./theme/images/apple-touch-icon.png">
<link rel="apple-touch-icon" sizes="72x72" href="./theme/images/apple-touch-icon-72x72.png">
<link rel="apple-touch-icon" sizes="114x114" href="./theme/images/apple-touch-icon-114x114.png">
<link href="./feeds/all.atom.xml" type="application/atom+xml" rel="alternate" title="chmod +x singularity.sh ATOM Feed" />
</head>
<body>
<div class="container-fluid">
<div class="row">
<div class="span9" id="content">
<section id="content">
<article>
<header>
<h1>
<a href=""
rel="bookmark"
title="Permalink to Understanding the Shellshock Vulnerability">
Understanding the Shellshock Vulnerability
</a>
</h1>
</header>
<div class="entry-content">
<div class="well">
<footer class="post-info">
<abbr class="published" title="2014-10-01T12:21:00">
Wed 01 October 2014 </abbr>
<span class="label"> Category</span>
<a href="./category/vulnerabilities.html"><i class="icon-folder-open"></i>Vulnerabilities</a>
<span class="label">Tags</span>
<a href="./tag/shellshock.html"><i class="icon-tag"></i>Shellshock</a>
<a href="./tag/bash.html"><i class="icon-tag"></i>Bash</a>
<a href="./tag/command_injection.html"><i class="icon-tag"></i>Command_Injection</a>
</footer><!-- /.post-info --> </div>
<p><img alt="" src="http://i.imgur.com/kjkWTWV.png" /></p>
<p>Almost a week ago, a new (<a href="http://blog.erratasec.com/2014/09/shellshock-is-20-years-old-get-off-my.html">old</a>) type of <a href="http://cwe.mitre.org/data/definitions/78.html">OS command injection</a> was reported. The <strong>Shellshock</strong> vulnerability, also known as <strong><a href="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-6271">CVE-2014-6271</a></strong>, allows attackers to inject their own code into <a href="http://www.gnu.org/software/bash/">Bash</a> using specially crafted <strong>environment variables</strong>, and it was disclosed with the following description:</p>
<div class="highlight"><pre>Bash supports exporting not just shell variables, but also shell functions to other bash instances, via the process environment to (indirect) child processes. Current bash versions use an environment variable named by the function name, and a function definition starting with “() {” in the variable value to propagate function definitions through the environment. The vulnerability occurs because bash does not stop after processing the function definition; it continues to parse and execute shell commands following the function definition.
For example, an environment variable setting of
  VAR=() { ignored; }; /bin/id
will execute /bin/id when the environment is imported into the bash process. (The process is in a slightly undefined state at this point. The PATH variable may not have been set up yet, and bash could crash after executing /bin/id, but the damage has already happened at this point.)
The fact that an environment variable with an arbitrary name can be used as a carrier for a malicious function definition containing trailing commands makes this vulnerability particularly severe; it enables network-based exploitation.
</pre></div>
<p>Even scarier, the <a href="http://nvd.nist.gov/">NIST vulnerability database</a> has rated <a href="http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-6271">this vulnerability “10 out of 10” in terms of severity</a>. At this point, there are claims that the <a href="http://www.securityweek.com/shellshock-attacks-could-already-top-1-billion-report?utm_source=feedburner&utm_medium=feed&utm_campaign=Feed%3A+Securityweek+%28SecurityWeek+RSS+Feed%29">Shellshock attacks could already top 1 Billion</a>. <a href="http://www.alienvault.com/open-threat-exchange/blog/attackers-exploiting-shell-shock-cve-2014-6721-in-the-wild">Shellshock-targeting DDoS attacks and IRC bots were spotted less than 24 hours after news about Shellshock went public last week!</a> Matthew Prince, from <a href="https://www.cloudflare.com/">Cloudflare</a>, said yesterday that they are "<a href="https://twitter.com/eastdakota/status/516457250332741632">seeing north of 1.5 million Shellshock attacks across the CloudFlare network daily</a>". On the same day, the <a href="http://www.incapsula.com/blog/shellshock-bash-vulnerability-aftermath.html">Incapsula</a> team released several plots showing that their application firewall had deflected over 217,089 exploit attempts on over 4,115 domains. Although almost 70% were scanners (attempts to verify the vulnerability), almost 35% were either payloads to try to hijack the server or <a href="http://en.wikipedia.org/wiki/Denial-of-service_attack">DDoS</a> malware.</p>
<p>Pretty nasty stuff, huh?</p>
<hr />
<h2>Understanding the Bash Shell</h2>
<p>To understand this vulnerability, we need to understand how Bash handles functions and environment variables.</p>
<p>The <a href="http://www.gnu.org/software/bash/">GNU Bourne Again shell (BASH)</a> is a <a href="http://en.wikipedia.org/wiki/Bash_(Unix_shell)">Unix shell</a> and <a href="http://en.wikipedia.org/wiki/Command-line_interface">command language interpreter</a>. It was released in 1989 by <a href="http://en.wikipedia.org/wiki/Brian_Fox_(computer_programmer)">Brian Fox</a> for the <a href="http://www.gnu.org/gnu/thegnuproject.html">GNU Project</a> as a free software replacement for the <a href="http://en.wikipedia.org/wiki/Bourne_shell">Bourne shell</a> (which was born back in 1977).</p>
<div class="highlight"><pre><span class="nv">$ </span>man bash
NAME
bash - GNU Bourne-Again SHell
SYNOPSIS
bash <span class="o">[</span>options<span class="o">]</span> <span class="o">[</span>file<span class="o">]</span>
COPYRIGHT
Bash is Copyright <span class="o">(</span>C<span class="o">)</span> 1989-2011 by the Free Software Foundation, Inc.
DESCRIPTION
Bash is an sh-compatible <span class="nb">command </span>language interpreter that executes commands <span class="nb">read </span>from the standard input or from a file. Bash also incorporates useful features from the Korn and C shells <span class="o">(</span>ksh and csh<span class="o">)</span>.
<span class="o">(</span>...<span class="o">)</span>
</pre></div>
<p>Of course, there are <a href="http://en.wikipedia.org/wiki/Comparison_of_command_shells">other command shells out there</a>. However, Bash is the default shell for most Linux systems (and Linux-based systems), including many Debian-based distributions and the Red Hat &amp; Fedora &amp; CentOS combo.</p>
<h3>Functions in Bash</h3>
<p>The interesting stuff comes from the fact that Bash is also a scripting language, with the ability to define functions. This is super useful when you are writing scripts. For example, <code>hello.sh</code>:</p>
<div class="highlight"><pre><span class="c">#!/bin/bash</span>
<span class="k">function </span>hello <span class="o">{</span>
<span class="nb">echo </span>Hello!
<span class="o">}</span>
hello
</pre></div>
<p>which can be called as:</p>
<div class="highlight"><pre><span class="nv">$ </span>chmod a+x hello.sh
<span class="nv">$ </span>./hello.sh
Hello!
</pre></div>
<p>A function may be compacted into a single line. You just need to choose a name and put a <code>()</code> after it. Everything inside <code>{}</code> will belong to the scope of your function.</p>
<p>For example, we can create a function <code>bashiscool</code> that uses <code>echo</code> to display a message on the standard output:</p>
<div class="highlight"><pre><span class="nv">$ </span>bashiscool<span class="o">()</span> <span class="o">{</span> <span class="nb">echo</span> <span class="s2">"Bash is actually Fun"</span>; <span class="o">}</span>
<span class="nv">$ </span>bashiscool
Bash is actually Fun
</pre></div>
<h3>Child Processes and the <code>export</code> command</h3>
<p>We can make things even more interesting. The statement <code>bash -c</code> can be used to execute a new instance of Bash, as a subprocess, to run new commands (<code>-c</code> passes a string with a command). The catch is that the child process does not inherit the functions or variables that we defined in the parent:</p>
<div class="highlight"><pre><span class="nv">$ </span>bash -c bashiscool <span class="c"># spawn nested shell</span>
bash: bashiscool: <span class="nb">command </span>not found
</pre></div>
<p>So before executing a new instance of Bash, we need to export the <strong>environment variables</strong> to the child. That's why we need the <code>export</code> command. In the example below, the flag <code>-f</code> means <em>read key bindings from filename</em>:</p>
<div class="highlight"><pre><span class="nv">$ </span><span class="nb">export</span> -f bashiscool
<span class="nv">$ </span>bash -c bashiscool <span class="c"># spawn nested shell</span>
Bash is actually Fun
</pre></div>
<p>In other words, first the <code>export</code> command creates a <strong>regular environment variable</strong> containing the function definition. Then, the second shell reads the environment. If it sees a variable that looks like a function, it evaluates this function!</p>
<h3>A Simple Example of an Environment Variable</h3>
<p>Let's see how environment variables work by examining some <em>builtin</em> Bash command. For instance, a very popular one, <code>grep</code>, is used to search for a pattern in files (or the standard input).</p>
<p>Running <code>grep</code> on a file that contains the word 'fun' will return the line where this word is. Running <code>grep</code> with the flag <code>-v</code> will return the non-matching lines, <em>i.e.</em> the lines where the word 'fun' does not appear:</p>
<div class="highlight"><pre><span class="nv">$ </span><span class="nb">echo</span> <span class="s1">'bash can be super fun'</span> > file.txt
<span class="nv">$ </span><span class="nb">echo</span> <span class="s1">'bash can be dangerous'</span> >> file.txt
<span class="nv">$ </span>cat file.txt
bash can be super fun
bash can be dangerous
<span class="nv">$ </span>grep fun file.txt
bash can be super fun
<span class="nv">$ </span>grep -v fun file.txt
bash can be dangerous
</pre></div>
<p>The <code>grep</code> command uses an environment variable called <strong>GREP_OPTIONS</strong> to set default options. This variable is usually set to:</p>
<div class="highlight"><pre><span class="nv">$ </span><span class="nb">echo</span> <span class="nv">$GREP_OPTIONS</span>
--color<span class="o">=</span>auto
</pre></div>
<p>To update or create a new environment variable, it is not enough to use the Bash syntax <code>GREP_OPTIONS='-v'</code>, but instead we need to call the <em>builtin</em> <code>export</code>:</p>
<div class="highlight"><pre><span class="nv">$ GREP_OPTIONS</span><span class="o">=</span><span class="s1">'-v'</span>
<span class="nv">$ </span>grep fun file.txt
bash can be super fun
<span class="nv">$ </span><span class="nb">export </span><span class="nv">GREP_OPTIONS</span><span class="o">=</span><span class="s1">'-v'</span>
<span class="nv">$ </span>grep fun file.txt
bash can be dangerous
</pre></div>
<h3>The <code>env</code> command</h3>
<p>Another Bash <em>builtin</em>, <code>env</code>, prints the environment variables. But it can also be used to run a single command with an exported variable (or variables) given to that command. In this case, <code>env</code> starts a new process, then it modifies the environment, and then it calls the command that was provided as an argument (the <code>env</code> process is replaced by the command process).</p>
<p>In practice, to use <code>env</code> to run commands, we:</p>
<div class="highlight"><pre>1. set the environment variable value with env,
2. spawn a new shell using bash -c,
3. pass the command/function we want to run (for example, grep fun file.txt).
</pre></div>
<p>For example:</p>
<div class="highlight"><pre><span class="nv">$ </span>env <span class="nv">GREP_OPTIONS</span><span class="o">=</span><span class="s1">'-v'</span> | grep fun file.txt <span class="c"># this does not work, we need another shell</span>
bash can be super fun
<span class="nv">$ </span>env <span class="nv">GREP_OPTIONS</span><span class="o">=</span><span class="s1">'-v'</span> bash -c <span class="s1">'grep fun file.txt'</span> <span class="c"># here we go</span>
bash can be dangerous
</pre></div>
<h3>Facing the Shellshock Vulnerability</h3>
<p>What if we pass some function to the variable definition?</p>
<div class="highlight"><pre><span class="nv">$ </span>env <span class="nv">GREP_OPTIONS</span><span class="o">=</span><span class="s1">'() { :;};'</span> bash -c <span class="s1">'grep fun file.txt'</span>
grep: <span class="o">{</span>: No such file or directory
grep: :;<span class="o">}</span>;: No such file or directory
grep: fun: No such file or directory
</pre></div>
<p>Since the things we added look strange when passed to the <code>grep</code> command, it won't understand them.</p>
<p>What if we add stuff <em>after</em> the function? Things start to get weirder:</p>
<div class="highlight"><pre><span class="nv">$ </span>env <span class="nv">GREP_OPTIONS</span><span class="o">=</span><span class="s1">'-v () { :;}; echo NOOOOOOOOOOOOOOO!'</span> bash -c <span class="s1">'grep fun file.txt'</span>
grep: <span class="o">{</span>: No such file or directory
grep: :;<span class="o">}</span>;: No such file or directory
grep: <span class="nb">echo</span>: No such file or directory
grep: NOOOOOOOOOOOOOOO!: No such file or directory
grep: fun: No such file or directory
file.txt:bash can be super fun
file.txt:bash can be dangerous
</pre></div>
<p>Did you notice the confusion? <em>Both</em> matches and non-matches were printed! It means that some stuff was parsed well! When in doubt, Bash appears to do <em>everything</em>?</p>
<p>Now, what if we just keep the function, taking out the only thing that makes sense, <code>-v</code>?</p>
<div class="highlight"><pre><span class="nv">$ </span>env <span class="nv">GREP_OPTIONS</span><span class="o">=</span><span class="s1">'() { :;}; echo NOOOOOOOOOOOOOOO!'</span> bash -c <span class="s1">'grep fun file.txt'</span>
NOOOOOOOOOOOOOOO!
grep: <span class="o">{</span>: No such file or directory
grep: :: No such file or directory
grep: <span class="o">}</span>: No such file or directory
grep: fun: No such file or directory
</pre></div>
<p>Did you notice that <code>echo NOOOOOOOOOOOOOOO!</code> was executed normally? <strong>This is the (first) Shellshock bug!</strong></p>
<p>This works because when the new shell sees an environment variable beginning with <code>()</code>, it gets the variable name and executes the string following it. This includes executing anything after the function, <em>i.e.</em>, the evaluation does not stop when the end of the function definition is reached!</p>
<p>Remember that <code>echo</code> is not the only thing we can do. The possibilities are unlimited! For example, we can issue any <code>/bin</code> command:</p>
<div class="highlight"><pre><span class="nv">$ </span>env <span class="nv">GREP_OPTIONS</span><span class="o">=</span><span class="s1">'() { :;}; /bin/ls'</span> bash -c <span class="s1">'grep fun file.txt'</span>
anaconda certificates file.txt IPython
<span class="o">(</span>...<span class="o">)</span>
</pre></div>
<p>WOW.</p>
<p>Worse, we actually don't need to use a system environment variable nor even call a real command:</p>
<div class="highlight"><pre><span class="nv">$ </span>env <span class="nb">test</span><span class="o">=</span><span class="s1">'() { :;}; echo STILL NOOOOOOOO!!!!'</span> bash -c :
STILL NOOOOOOOO!!!!
</pre></div>
<p>In the example above, <code>env</code> runs a command with an arbitrary variable (test) set to some function (in this case it is just a single <code>:</code>, a Bash command defined as doing nothing). The semi-colon signals the end of the function definition. Again, the bug is in the fact that there's nothing stopping the parsing of what is after the semi-colon!</p>
<p>Now it's easy to see if your system is vulnerable. All you need to do is run:</p>
<div class="highlight"><pre><span class="nv">$ </span>env <span class="nv">x</span><span class="o">=</span><span class="s1">'() { :;}; echo The system is vulnerable!'</span> bash -c :
</pre></div>
<p>That simple.</p>
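<p>The same check in scriptable form, together with a look at the environment entry that carries an exported function (see the <code>export</code> section above). This is an added example, not part of the original post: the helper names and the marker string are made up for illustration, Bash is assumed to be on <code>PATH</code>, and it goes slightly beyond the one-liner by also testing whether a variable with an arbitrary name is still imported as a function.</p>

```shell
#!/bin/sh
# Added example (not from the original post): audit the Bash binaries on a
# host for the behaviour described above. Helper names and MARKER are
# illustrative assumptions.

MARKER="shellshock-probe-$$"

# Print the environment entry that carries an exported function, as a child
# process sees it. The entry name differs between Bash builds; the value
# begins with "() {".
show_exported_function() {
    bash_bin=${1:-bash}
    "$bash_bin" -c 'probe_fn() { echo hi; }; export -f probe_fn; env' |
        grep 'probe_fn'
}

# Return 0 if the given Bash executes a command that trails a function
# definition in an arbitrary environment variable (the first Shellshock bug).
runs_trailing_command() {
    bash_bin=${1:-bash}
    out=$(env x="() { :;}; echo $MARKER" "$bash_bin" -c : 2>/dev/null)
    [ "$out" = "$MARKER" ]
}

# Return 0 if a variable with an arbitrary name whose value merely looks like
# a function definition is imported as a function by the child shell.
imports_function_from_any_variable() {
    bash_bin=${1:-bash}
    env x='() { :;}' "$bash_bin" -c 'declare -F x' >/dev/null 2>&1
}

# Classify one Bash binary.
audit_bash() {
    bash_bin=$1
    if runs_trailing_command "$bash_bin"; then
        echo "vulnerable"
    elif imports_function_from_any_variable "$bash_bin"; then
        echo "imports-functions-from-any-variable"
    else
        echo "not-affected"
    fi
}

# A host can carry more than one Bash; check the usual locations and
# whatever PATH resolves to.
audit_all() {
    for candidate in /bin/bash /usr/bin/bash /usr/local/bin/bash \
                     "$(command -v bash 2>/dev/null)"; do
        [ -x "$candidate" ] || continue
        printf '%s\t%s\t%s\n' "$candidate" \
            "$("$candidate" --version | head -n 1)" \
            "$(audit_bash "$candidate")"
    done | sort -u
}

show_exported_function bash
audit_all
```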
<hr />
<h2>There is more than one!</h2>
<p>The Shellshock vulnerability is an example of an <a href="http://en.wikipedia.org/wiki/Arbitrary_code_execution">arbitrary code execution</a> (ACE) vulnerability, which is exploited against running programs. An attacker will use an ACE vulnerability to run a program that gives her a simple way of controlling the targeted machine. This is nicely achieved by running a shell such as Bash.</p>
<p>It is not surprising that right after a patch for <a href="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-6271">CVE-2014-6271</a> was released, several new issues were opened:</p>
<ul>
<li><a href="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-7169">CVE-2014-7169</a>: Right after the first bug was disclosed, a <a href="https://twitter.com/taviso/status/514887394294652929">tweet</a> from <a href="http://taviso.decsystem.org/">Tavis Ormandy</a> showed a <em>further parser error</em> that became the second vulnerability:</li>
</ul>
<div class="highlight"><pre><span class="nv">$ </span>env <span class="nv">X</span><span class="o">=</span><span class="err">'</span><span class="o">()</span> <span class="o">{</span> <span class="o">(</span>a<span class="o">)=</span>><span class="se">\'</span> bash -c <span class="s2">"echo vulnerable"</span>; bash -c <span class="s2">"echo Bug CVE-2014-7169 patched"</span>
vulnerable
</pre></div>
<ul>
<li>
<p><a href="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-7186">CVE-2014-7186</a> and <a href="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-7187">CVE-2014-7187</a>: A little after the second bug, two other bugs were found by <a href="http://www.enyo.de/fw/">Florian Weimer</a>. One concerns an <em>out-of-bounds memory read error</em> in <a href="http://tools.cisco.com/security/center/viewAlert.x?alertId=35860">redir_stack</a> and the other an <em>off-by-one error in nested loops</em>. You can check for these vulnerabilities on your system <a href="https://github.com/hannob/bashcheck">with this script</a>.</p>
</li>
<li>
<p><a href="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-6277">CVE 2014-6277</a> and <a href="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-6278">CVE 2014-6278</a>: A couple of days ago, these new bugs were found by <a href="http://lcamtuf.blogspot.de/2014/09/bash-bug-apply-unofficial-patch-now.html">Michal Zalewski</a>.</p>
</li>
</ul>
<p>What do you think, is Shellshock <a href="http://blog.erratasec.com/2014/09/the-shockingly-bad-code-of-bash.html">just a blip</a>?</p>
<hr />
<h2>Suggestions to Protect Your System</h2>
<p>Several patches have been released since the Shellshock vulnerabilities were found. Although at this point they <a href="https://securityblog.redhat.com/2014/09/24/bash-specially-crafted-environment-variables-code-injection-attack/">seem to solve most of the problem</a>, below are some recommendations to keep your system safer:</p>
<ul>
<li>Update your system! And keep updating it... Many Linux distributions have released new Bash software versions, so follow the instructions of your distribution. In most cases, a simple <code>yum update</code> or <code>apt-get update</code> or similar will do it. If you have several servers, the script below can be helpful:</li>
</ul>
<div class="highlight"><pre><span class="c">#!/bin/bash</span>
<span class="nv">servers</span><span class="o">=(</span>
120.120.120.120
10.10.10.10
22.22.22.22
<span class="o">)</span>
<span class="c"># quote the expansions so each address is passed to ssh as a single word</span>
<span class="k">for </span>server in "<span class="k">${</span><span class="nv">servers</span><span class="p">[@]</span><span class="k">}</span>"
<span class="k">do</span>
    ssh "<span class="nv">$server</span>" <span class="s1">'yum -y update bash'</span>
<span class="k">done</span>
</pre></div>
<ul>
<li>
<p>Update firmware on your router or any other web-enabled devices, as soon as updates become available. Remember to only download patches from reputable sites (only HTTPS please!), since scammers will likely try to take advantage of Shellshock reports.</p>
</li>
<li>
<p>Keep an eye on all of your accounts for signs of unusual activity. Consider changing important passwords.</p>
</li>
<li>
<p>HTTP requests to CGI scripts have been identified as the major attack vector. Disable any scripts that call on the shell (however, this does not fully mitigate the vulnerability). To check if your system is vulnerable you can use <a href="http://milankragujevic.com/projects/shellshock/">this online scanner</a>. Consider <a href="https://access.redhat.com/articles/1212303">mod_security</a> if you're not already using it.</p>
</li>
<li>
<p>Because the HTTP requests used by Shellshock exploits are quite unique, monitor logs with keywords such as <code>grep '() {' access_log</code> or <code>cat access_log | grep "{ :;};"</code>. Some common places for HTTP logs are: <code>cPanel: /usr/local/apache/domlogs/</code>, <code>Debian/Apache: /var/log/apache2/</code>, or <code>CentOS: /var/log/httpd/</code>.</p>
</li>
<li>
<p><a href="https://access.redhat.com/articles/1212303">Firewall and network filters</a> can be set to block requests that contain a signature for the attack, <em>i.e.</em>, <code>"() {"</code>.</p>
</li>
<li>
<p>In case of an attack, publish the attacker's information! You can use <a href="http://www.grymoire.com/Unix/Awk.html">awk</a> and <a href="http://en.wikipedia.org/wiki/Uniq">uniq</a> (where <em>print $1</em> means print the first column; the <code>sort</code> in between groups repeated addresses so that <code>uniq</code> can collapse them) to get her IP, for example:</p>
</li>
</ul>
<div class="highlight"><pre><span class="nv">$ </span>cat log_file | grep <span class="s2">"{ :;};"</span> | awk <span class="s1">'{print $1}'</span> | sort | uniq
</pre></div>
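<p>A sketch of the log triage described in the items above, as an added example that is not part of the original post: it searches for the exact prefix <code>() {</code> from the advisory, counts hits per client address, and reports which logged field carried the payload. The log lines are constructed, and the function names and the Apache combined log format are assumptions.</p>

```shell
#!/bin/sh
# Added example (not from the original post): triage an access log for
# Shellshock probes. Function names are illustrative; the log lines below are
# constructed and use documentation address ranges.

write_sample_log() {
    cat > "$1" <<'EOF'
203.0.113.7 - - [29/Sep/2014:10:01:12 +0000] "GET /cgi-bin/status HTTP/1.1" 200 512 "-" "() { :;}; echo probe"
203.0.113.7 - - [29/Sep/2014:10:01:13 +0000] "GET /cgi-bin/test.cgi HTTP/1.1" 404 210 "-" "() { :;}; echo probe"
198.51.100.23 - - [29/Sep/2014:10:02:40 +0000] "GET /index.html HTTP/1.1" 200 1043 "() { :; }; echo probe" "Mozilla/5.0"
192.0.2.55 - - [29/Sep/2014:10:03:02 +0000] "GET /about.html HTTP/1.1" 200 2210 "-" "Mozilla/5.0 (X11; Linux x86_64)"
203.0.113.7 - - [29/Sep/2014:10:05:44 +0000] "GET /cgi-bin/status HTTP/1.1" 200 512 "-" "() {  :;}; echo probe"
192.0.2.80 - - [29/Sep/2014:10:06:00 +0000] "GET /js/app.js?cb=function(){} HTTP/1.1" 200 88 "-" "Mozilla/5.0"
EOF
}

# Count the lines of file $2 that contain the fixed string $1.
# Used to compare keywords: '{ :;};' only matches one spelling of the
# function body, while '() {' is the prefix every such payload starts with.
count_lines() {
    grep -cF -- "$1" "$2" || true
}

# For every line containing "() {", print: hits <TAB> client <TAB> field.
# Splitting on double quotes gives $2 = request line, $4 = referer,
# $6 = user agent in the combined log format (assumed here).
scan_log() {
    awk -F'"' '
        index($0, "() {") {
            split($1, head, " ")              # head[1] is the client address
            where = "other"
            if (index($2, "() {"))      where = "request"
            else if (index($4, "() {")) where = "referer"
            else if (index($6, "() {")) where = "user-agent"
            hits[head[1] "\t" where]++
        }
        END { for (k in hits) printf "%d\t%s\n", hits[k], k }
    ' "$@" | sort -k1,1nr -k2,2
}

SAMPLE=$(mktemp)
write_sample_log "$SAMPLE"
echo "lines matching '() {':   $(count_lines '() {' "$SAMPLE")"
echo "lines matching '{ :;};': $(count_lines '{ :;};' "$SAMPLE")"
scan_log "$SAMPLE"
rm -f "$SAMPLE"
```

<p>On a real server, pass the log files as arguments, for example <code>scan_log /var/log/httpd/access_log</code>.</p>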
<ul>
<li>
<p>If you are on a managed hosting subscription, check your company's status. For example: <a href="https://docs.acquia.com/articles/september-2014-gnu-bash-upstream-security-vulnerability">Acquia</a>, <a href="https://status.heroku.com/incidents/665">Heroku</a>, <a href="http://status.mediatemple.net/">Mediatemple</a>, and <a href="https://status.rackspace.com/">Rackspace</a>.</p>
</li>
<li>
<p>Update your Docker containers and AWS instances.</p>
</li>
<li>
<p>If you are running production systems that don't need exported functions at all, take a look at <a href="https://github.com/dlitz/bash-shellshock">this wrapper</a> that refuses to run bash if any environment variable's value starts with a left parenthesis.</p>
</li>
</ul>
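<p>The check described in the last item, sketched as an added example (this is not the linked wrapper's code): it lists every environment variable whose value starts with <code>(</code> and refuses to run the command if there is one. <code>paren_vars</code> and <code>guarded_run</code> are hypothetical names.</p>

```shell
#!/bin/sh
# Refuse to start a command when the environment holds a value that
# bash could treat as an exported function definition.

# Print the names of environment variables whose value starts with "(".
# awk's ENVIRON array is used instead of parsing `env` output, which
# breaks on values that contain newlines.
paren_vars() {
    awk 'BEGIN {
        for (name in ENVIRON)
            if (substr(ENVIRON[name], 1, 1) == "(")
                print name
    }' | sort
}

# Run "$@" only if no such variable exists; otherwise report the
# offending names and return 126 without running anything.
# This also rejects legitimate exported functions, so it only suits
# systems that do not rely on them.
guarded_run() {
    bad=$(paren_vars)
    if [ -n "$bad" ]; then
        echo "refusing to run $1: function-like environment values in:" >&2
        echo "$bad" >&2
        return 126
    fi
    "$@"
}

# Usage (assumed script name): guarded_run /bin/bash /path/to/script.sh
```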
<hr />
</div><!-- /.entry-content -->
</article>
</section>
</div><!--/span-->
</div><!--/row-->
<footer>
<address id="about">
</address><!-- /#about -->
</footer>
</div><!--/.fluid-container-->
<script src="./theme/js/jquery-1.7.2.min.js"></script>
<script src="./theme/js/bootstrap.min.js"></script>
</body>
</html>