Bash Code-Injection Briefing

Post on 08-Jun-2015


Transcript of Bash Code-Injection Briefing

“Shellshock” bash code injection vulnerability

CVE-2014-6271 & CVE-2014-7169

Johannes B. Ullrich, Ph.D.

jullrich@sans.edu

Outline

•  How important is this vulnerability?

•  What is the nature of the problem?

•  Why are there two CVE Numbers?

•  How do I check if I am vulnerable?

•  What can I do to protect myself?

The Vulnerability

•  The “bash” shell commonly used in Unix systems allows code execution via environment variables

•  The attacker has to be able to get bash started after setting specially crafted environment variables

Attack Vectors

•  CGI: Web servers using cgi-bin mechanism to execute bash scripts. HTTP headers sent by the attacker are converted to environment variables

•  SSH: Can be used to escape restricted ssh shells

•  DHCP: Code may be executed by DHCP Clients

What can an attacker accomplish?

•  The attacker will be able to execute any shell command

•  Limited only by the permissions of the user running bash (e.g. the apache web server user)

•  Exploit is easy to perform. Various PoC exploits are available

How important is this?

•  Patch quickly

•  Worry if you have web servers that run bash from cgi-bin!

•  Not an issue for Windows systems

•  Not an issue for clients. It is a server problem

•  This problem has been around “forever”

How could this happen?

•  Bash, like all shells, has environment variables

•  However, in bash, these variables may contain code

•  Bash does not correctly separate code from data

•  As a result, the attacker can inject additional code

Why are there two CVE Numbers?

•  The originally reported (and fixed) problem only covered one way to inject code (Stéphane Chazelas, CVE-2014-6271)

•  Earlier today, a second method was found (Tavis Ormandy, CVE-2014-7169)

•  There is currently no patch for the second attack vector.

Google Searches

How do I check if I am vulnerable?

•  Two test strings that can be run safely while logged in on a system (the first covers CVE-2014-6271, the second CVE-2014-7169):

env x='() { :;}; echo vulnerable' bash -c "echo this is a test"

env -i X='() { (a)=>\' bash -c 'echo date'; cat echo

•  Various Metasploit modules: https://github.com/rapid7/metasploit-framework/pull/3880
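The two test strings above, wrapped into functions that report by exit status, together with a look at the mechanism from the “How could this happen?” slide (bash passing exported functions through the environment). This is an added example, not code from the briefing; it assumes bash is on PATH and that mktemp is available.

```shell
# Added example (not part of the briefing): the two test strings from the
# slide, wrapped so each reports pass/fail by exit status, plus a look at
# the mechanism behind the bug. Assumes "bash" is on PATH and mktemp works.

# CVE-2014-6271: a value starting with "() {" is imported as a function and
# the trailing "; echo vulnerable" is executed on import. Returns 0 only if
# the installed bash is vulnerable; a fixed bash treats x as plain data.
check_cve_2014_6271() {
    out=$(env x='() { :;}; echo vulnerable' bash -c 'echo test' 2>/dev/null)
    case "$out" in
        *vulnerable*) return 0 ;;
        *)            return 1 ;;
    esac
}

# CVE-2014-7169: the broken function parser leaves an unfinished redirection
# behind, so the later 'echo date' is parsed as "> echo date" and a file named
# "echo" appears in the working directory. Runs in a scratch directory so a
# vulnerable host is not left with a stray file; returns 0 only if the file
# was created.
check_cve_2014_7169() {
    tmp=$(mktemp -d) || return 1
    ( cd "$tmp" && env -i X='() { (a)=>\' bash -c 'echo date' >/dev/null 2>&1 )
    if [ -f "$tmp/echo" ]; then
        rm -rf "$tmp"; return 0
    fi
    rm -rf "$tmp"; return 1
}

# Why environment variables can carry code at all: bash exports shell
# functions to child processes through the environment. Prints the name of
# the variable that carries an exported function f. Pre-fix bash used the
# bare name "f", so any variable (e.g. CGI's HTTP_USER_AGENT) could be taken
# for a function; fixed versions use a reserved BASH_FUNC_ prefix.
exported_function_env_name() {
    bash -c 'f() { :; }; export -f f; env' | grep '=() ' | head -n 1 | cut -d= -f1
}

# One-word verdict for scripting: "vulnerable" or "patched".
shellshock_status() {
    if check_cve_2014_6271 || check_cve_2014_7169; then
        echo vulnerable
    else
        echo patched
    fi
}

shellshock_status
```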

How do I protect myself?

•  Apply the patch, but note that the current patch is incomplete

•  Change shells from bash to alternatives (ksh, sh…), which will likely break things

•  Apply WAF/IPS rules, but note that the current public rules are lacking

Summary

•  The biggest exposure is bash cgi-bin scripts

•  Start with the Google check to find low hanging fruit

•  Apply the patch quickly, watch for updated patch

•  Inventory!

Thanks!

Please send any information to https://isc.sans.edu/contact.html

or email: handlers@sans.edu