October 3, 2014

Bash Bug aka 'ShellShock' & the 'AfterShock'

Shell Shock from Marvel

There is a critical vulnerability in the GNU Bourne Again Shell, otherwise known as Bash. The news was released on September 23, 2014, and the assessed severity of the ShellShock bug has continued to evolve as the days go by.

So ... What is ShellShock?

Other than a cool looking cartoon character from the Marvel comic book series (see picture at right), ShellShock is a fundamental flaw in the Bourne Again Shell, or Bash for short, which is used in many Linux, UNIX, and MacOS operating systems. The vulnerability allows attackers to execute specially crafted commands remotely through environment variables when Bash is invoked. Environment variables are a set of dynamic named values that can affect the way running processes behave on a computer.

RedHat.com describes the bug as follows:
A flaw was found in the way Bash evaluated certain specially crafted environment variables. An attacker could use this flaw to override or bypass environment restrictions to execute shell commands. Certain services and applications allow remote unauthenticated attackers to provide environment variables, allowing them to exploit this issue. (CVE-2014-6271) 
A variety of tools, including FTP, SSH, DHCP, SIP VoIP proxies and Telnet, can be taken advantage of by this vulnerability, and there are many proofs of concept that can be used to verify these issues. Some Apache Web servers are vulnerable if they use mod_cgi and mod_cgid to perform certain actions. If your Apache server does not need these functions, they should be deactivated within the respective configuration files.
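
For the Apache case above, a log check a defender can run, added here as an example and not taken from the original post or from Red Hat. It assumes the Apache "combined" log format and a `/cgi-bin/` script path; the function name `find_probes` and the sample log lines are constructed for illustration.

```python
import re

# Assumed input: Apache "combined" LogFormat. Apache writes a literal quote
# inside a logged field as \" so the field pattern allows backslash escapes.
FIELD = r'"((?:[^"\\]|\\.)*)"'
COMBINED = re.compile(
    r'^(\S+) \S+ \S+ \[[^\]]+\] ' + FIELD + r' (\d{3}) \S+ ' + FIELD + ' ' + FIELD + r'$'
)

# A vulnerable Bash treats an environment value beginning with "() {" as a
# function definition. Matching anywhere in the header, with loose
# whitespace, deliberately over-detects so probe variants are not missed.
FUNC_DEF = re.compile(r'\(\)\s*\{')

def find_probes(lines, cgi_prefix="/cgi-bin/"):
    """Return one dict per header that carries a function-definition string.

    cgi_prefix is an assumed ScriptAlias path; 'cgi' marks requests where
    mod_cgi would have exported the header into a script's environment.
    """
    hits = []
    for line in lines:
        m = COMBINED.match(line.strip())
        if not m:
            continue  # not combined format: skip rather than guess
        host, request, status, referer, agent = m.groups()
        parts = request.split(" ")
        path = parts[1] if len(parts) > 1 else ""
        for name, value in (("Referer", referer), ("User-Agent", agent)):
            if FUNC_DEF.search(value):
                hits.append({"host": host, "header": name, "path": path,
                             "status": int(status), "cgi": path.startswith(cgi_prefix)})
    return hits

# Constructed sample lines (documentation IP ranges). The flagged value is
# the harmless test string already shown on this page.
SAMPLE_LOG = [
    r'192.0.2.10 - - [03/Oct/2014:09:12:20 -0400] "GET /index.html HTTP/1.1" 200 512 "-" "Mozilla/5.0 (\"test\" build)"',
    r'198.51.100.7 - - [03/Oct/2014:09:13:01 -0400] "GET /cgi-bin/status HTTP/1.1" 200 87 "-" "() { :;}; echo vulnerable"',
    r'198.51.100.7 - - [03/Oct/2014:09:13:05 -0400] "GET /index.html HTTP/1.1" 200 512 "() { :;}; echo vulnerable" "curl/7.30"',
    r'192.0.2.10 - - [03/Oct/2014:09:15:00 -0400] "GET /docs/ HTTP/1.1" 200 99 "http://example.com/docs/func()" "Mozilla/5.0"',
]

if __name__ == "__main__":
    for hit in find_probes(SAMPLE_LOG):
        print(hit)
```

Hits with `cgi` set to true deserve attention first, since those are the requests where the header would have reached a script's environment.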

The following is a link to a video explanation of how ShellShock works. It may help you to better understand what is actually happening, on a very high level, when the vulnerability is exploited. SANS ShellShock Explanation: https://www.youtube.com/watch?v=W7GaVyzkCs0

Update October 03, 2014: The ShellShock Bash shell vulnerability is being used to target Network Attached Storage (NAS) devices, QNAP storage solutions in particular. Of course, the recommended thing to do is update and patch the system if it is vulnerable, but I say patch the system anyway because the update may fix something that has yet to be disclosed.
The attack attempts to instruct the target NAS to download a script that affects the device's startup environment to allow for future malicious updates, loads the malicious SSH key to allow for future password bypass, and then further cements itself with an ELF executable that gives the attacker shell access to the device and can be invoked in three different ways.
Source: www.darkreading.com


If you have not patched your system yet, run the following line of code in a Terminal to test your system for the vulnerability:

env x='() { :;}; echo vulnerable' bash -c "echo this is a test"

If the echo request, "this is a test", is returned, it means that your system is vulnerable to the exploit and should be patched to the latest version of the Bash shell immediately! 

If you have patched your system, or your system is unaffected by ShellShock, you will see the following output in your terminal after entering the command above.

bash: warning: x: ignoring function definition attempt
bash: error importing function definition for `x'
this is a test

If you have implemented a patch, try the following two tests: 

env -i x='() { (a)=>\' bash -c 'echo date'; cat echo
env -i X=' () { }; echo hello' bash -c 'date'

If the output from either of them yields the day's date, i.e. Wed Oct  1 09:12:20 EDT 2014 or something similar, then your system is still vulnerable to very specifically crafted exploits.


The short answer is patch patch patch ... and make sure that the patch you have installed is the most current version. 

Longish version: RedHat, as well as many others, have released patches to address ShellShock. However, even after the updates, security researchers are finding more ways to exploit the vulnerability in Bash that the early updates have not yet addressed. Go figure, right? With something this prominent, there will be more than just one or two ways to take advantage of it, and this will most likely be around for quite some time. So ... good job for coming out with a fix so quickly, but be ready to install more Bash security related updates in the days to come. It will take some time to find everywhere that a vulnerable system exists, but stay vigilant.

Below is a list of links and commands for updating bash on various operating systems:



Twitter: @Th3MattWilson