Bash Code-Injection Briefing (transcript)
“Shellshock” bash code injection vulnerability
CVE-2014-6271 & CVE-2014-7169 Johannes B. Ullrich, Ph.D.
Outline
• How important is this vulnerability?
• What is the nature of the problem?
• Why are there two CVE Numbers?
• How do I check if I am vulnerable?
• What can I do to protect myself?
The Vulnerability
• The “bash” shell commonly used on Unix systems executes code placed in environment variables
• The attacker has to get bash started, directly or through a program that calls it, after setting specifically crafted variables in its environment; on a server this usually means a service that passes attacker-supplied data to a bash script through the environment
Attack Vectors
• CGI: Web servers using the cgi-bin mechanism to execute bash scripts. HTTP headers sent by the attacker are converted to environment variables (e.g. User-Agent becomes HTTP_USER_AGENT) before the script runs
• SSH: Can be used to escape restricted SSH shells, because the command requested by the client is handed to the forced command through the SSH_ORIGINAL_COMMAND environment variable
• DHCP: Code may be executed by DHCP clients, whose hook scripts receive server-supplied options as environment variables
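The CGI path above, as an added example that is not part of the original briefing: a small stand-in for the header-to-environment step a CGI gateway performs, so the exposure can be seen without a web server. The top level is portable sh; the CGI “script” is run by an explicit bash so the behaviour shown is that of the installed bash. The HTTP request and the names cgi_env_name, headers_to_env, run_cgi and cgi_was_injected are constructed for this example.

```shell
#!/bin/sh
# Added example, not part of the original briefing. Portable sh at top level;
# the CGI "script" itself is run by an explicit bash so the behaviour seen is
# that of the installed bash. The HTTP request is a constructed sample.

# CGI/1.1 (RFC 3875, section 4.1.18): a request header "Name: value" becomes
# the environment variable HTTP_NAME, upper-cased, with "-" turned into "_".
cgi_env_name() {
    printf 'HTTP_%s' "$(printf '%s' "$1" | tr 'a-z-' 'A-Z_')"
}

# Turn "Name: value" lines on stdin into NAME=value assignments, one per line.
# The value is copied through untouched: a CGI gateway performs no validation
# of header contents, which is what puts attacker bytes into bash's environment.
headers_to_env() {
    while IFS= read -r line; do
        case "$line" in
            *:*)
                name=${line%%:*}
                value=${line#*:}
                value=${value# }
                printf '%s=%s\n' "$(cgi_env_name "$name")" "$value"
                ;;
        esac
    done
}

# Constructed attacker request: the User-Agent carries the CVE-2014-6271 shape,
# a function definition followed by an extra command (a harmless marker here).
REQUEST='GET /cgi-bin/status.sh HTTP/1.1
Host: target.example
User-Agent: () { :;}; echo INJECTED'

# Export the request's headers the way the gateway would, then run a trivial
# bash CGI script in that environment. On an unpatched bash the extra command
# runs while bash imports its environment, before the script prints anything;
# a fixed bash prints only "status ok" (and a warning on stderr, discarded here).
run_cgi() {
    (
        while IFS= read -r assignment; do
            export "$assignment"
        done <<EOF
$(printf '%s\n' "$REQUEST" | sed 1d | headers_to_env)
EOF
        bash -c 'echo status ok' 2>/dev/null
    )
}

# "yes" if the injected marker reached the output, "no" otherwise.
cgi_was_injected() {
    case "$(run_cgi)" in
        *INJECTED*) echo yes ;;
        *)          echo no ;;
    esac
}

printf 'environment handed to the script: %s\n' \
    "$(printf '%s\n' "$REQUEST" | sed 1d | headers_to_env | grep '^HTTP_USER_AGENT=')"
printf 'script output: %s\n' "$(run_cgi)"
printf 'injection executed: %s\n' "$(cgi_was_injected)"
```

The script being bash is not the only way in: a CGI program written in another language is exposed as well whenever it calls system() or popen(), because those go through /bin/sh, which on many systems is bash and inherits the same environment.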
What can an attacker accomplish?
• The attacker will be able to execute any shell command
• Limited only by the permissions of the user bash runs as (e.g. the web server's account)
• The exploit is easy to perform. Various PoC exploits are available
How important is this?
• Patch quickly
• Worry if you have web servers that run bash from cgi-bin!
• Not an issue for Windows systems
• Not an issue for clients; it is a server problem (the DHCP client case listed under attack vectors is the exception)
• This problem has been around “forever”
How could this happen?
• Bash, like all shells, has environment variables
• However, bash also uses them to pass exported functions to child processes: a variable whose value starts with “() {” is parsed as a function definition when bash starts
• Bash does not correctly separate code from data: it keeps parsing, and executing, whatever follows the function's closing brace
• As a result, the attacker can inject additional code by appending it to such a variable
Why are there two CVE Numbers
• The originally reported (and fixed) problem only covered one way to inject code (Stéphane Chazelas, CVE-2014-6271)
• Earlier today, a second method was found (Tavis Ormandy, CVE-2014-7169): the first patch still lets a malformed function definition leave parser state behind that is applied to the next command
• There is currently no patch for the second attack vector.
Google Searches
How do I check if I am vulnerable?
• Two test strings that can be run safely while logged in on a system (invoke bash explicitly; /bin/sh may be a different shell and would give a false negative):
  env x='() { :;}; echo vulnerable' bash -c "echo this is a test"
  (CVE-2014-6271: vulnerable if “vulnerable” is printed before “this is a test”)
  env -i X='() { (a)=>\' bash -c 'echo date'; cat echo
  (CVE-2014-7169: vulnerable if a file named “echo” containing the current date appears in the working directory; a fixed bash just prints “date”)
• Various Metasploit modules: https://github.com/rapid7/metasploit-framework/pull/3880
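The function-export mechanism from “How could this happen?” and the two test strings above, as an added example that is not part of the original briefing: portable sh that runs the installed bash explicitly, shows what an exported function looks like in the environment, and wraps each test so that it reports a result instead of leaving a stray file behind. The names exported_function_value, check_cve_2014_6271 and check_cve_2014_7169 are this example's own.

```shell
#!/bin/sh
# Added example, not part of the original briefing. POSIX sh at top level;
# everything bash-specific is run through an explicit "bash -c" so the result
# reflects the installed bash, not whatever /bin/sh happens to be.

# 1. The legitimate feature behind the bug: bash passes an exported function
#    to child processes as an environment variable whose value starts with
#    "() {". Defines and exports a function, then prints that variable.
exported_function_value() {
    bash -c 'greet() { echo "hello from $1"; }; export -f greet; env | grep -m1 "() {"'
}

# 2. CVE-2014-6271. The variable holds a harmless function body followed by an
#    extra command. An unpatched bash keeps parsing past the closing brace and
#    runs "echo vulnerable" while importing its environment; a fixed bash does
#    not (it prints a warning on stderr instead, which is discarded here).
#    Only the marker decides; the script's own "this is a test" is ignored.
check_cve_2014_6271() {
    out=$(env x='() { :;}; echo vulnerable' bash -c 'echo this is a test' 2>/dev/null)
    case "$out" in
        *vulnerable*) echo "vulnerable" ;;
        *)            echo "not vulnerable" ;;
    esac
}

# 3. CVE-2014-7169, the bypass of the first patch. On an affected bash the
#    redirection left dangling by the malformed definition is applied to the
#    next command, so "echo date" turns into "date > echo" and a file named
#    "echo" appears. Run in a scratch directory so nothing is left behind.
check_cve_2014_7169() {
    dir=$(mktemp -d) || return 1
    ( cd "$dir" && env -i X='() { (a)=>\' bash -c 'echo date' >/dev/null 2>&1 )
    if [ -s "$dir/echo" ]; then
        echo "vulnerable"
    else
        echo "not vulnerable"
    fi
    rm -rf "$dir"
}

echo "exported function in the environment: $(exported_function_value)"
echo "CVE-2014-6271: $(check_cve_2014_6271)"
echo "CVE-2014-7169: $(check_cve_2014_7169)"
```

Both checks are local and harmless, but they only tell you about the bash binary on the host you run them on; a server that exposes bash to the network (a cgi-bin script, a forced SSH command) still needs the inventory step from the summary.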
How do I protect myself?
• Apply the patch (the current patch is incomplete)
• Change shells from bash to alternatives (ksh, sh, ...); this will likely break things
• Apply WAF/IPS rules (current public rules are lacking)
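A detection pass to go with the WAF/IPS point, as an added example that is not part of the original briefing: a sweep over web-server access logs for the function-definition prefix that unpatched bash recognises. The log lines are constructed samples in Apache “combined” format (Referer and User-Agent are the last two quoted fields); the names shellshock_hits, shellshock_hit_count and shellshock_sources are this example's own.

```shell
#!/bin/sh
# Added example, not from the original briefing: sweep web-server access logs
# for the Shellshock function-definition prefix in the header fields the log
# format records. The log lines are constructed samples in Apache "combined"
# format (Referer and User-Agent are the last two quoted fields).

LOG='10.0.0.5 - - [25/Sep/2014:10:12:01 +0000] "GET /cgi-bin/status.sh HTTP/1.1" 200 512 "-" "() { :;}; /bin/ping -c 1 198.51.100.7"
10.0.0.6 - - [25/Sep/2014:10:12:09 +0000] "GET /index.html HTTP/1.1" 200 2048 "-" "Mozilla/5.0"
10.0.0.7 - - [25/Sep/2014:10:13:44 +0000] "GET /cgi-bin/status.sh HTTP/1.1" 200 512 "() { :;}; echo x" "curl/7.37.0"
10.0.0.8 - - [25/Sep/2014:10:15:02 +0000] "GET /cgi-bin/status.sh HTTP/1.1" 200 512 "-" "Mozilla/5.0"'

# Unpatched bash only treats a value beginning with exactly "() {" as an
# imported function, so that literal prefix is the signature. Match it as a
# fixed string anywhere in the line, whichever logged header it arrived in.
shellshock_hits() {
    printf '%s\n' "$LOG" | grep -F '() {'
}

shellshock_hit_count() {
    shellshock_hits | wc -l | tr -d ' '
}

# Unique client addresses that sent the pattern (first field of each line).
shellshock_sources() {
    shellshock_hits | awk '{ print $1 }' | sort -u
}

echo "matching requests: $(shellshock_hit_count)"
echo "sources:"
shellshock_sources
```

Only headers the log format writes out are visible to this sweep; the combined format records Referer and User-Agent, so a payload carried in Cookie or in a custom header leaves no trace here. That blind spot is one reason log- and signature-based detection of this bug is incomplete, and why the patch, not the rule set, is the fix.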
Summary
• The biggest exposure is bash cgi-bin scripts
• Start with the Google check to find low hanging fruit
• Apply the patch quickly, watch for updated patch
• Inventory!
Thanks!
Please send any information to https://isc.sans.edu/contact.html
or email: [email protected]