First Shellshock Botnet Attacking Akamai, US DoD Networks

Bismillah writes The Bash "Shellshock" bug is being used to spread malware to create a botnet, that's active and attacking Akamai and Department of Defense networks. "The 'wopbot' botnet is active and scanning the internet for vulnerable systems, including at the United States Department of Defence, chief executive of Italian security consultancy Tiger Security, Emanuele Gentili, told iTnews. 'We have found a botnet that runs on Linux servers, named “wopbot", that uses the Bash Shellshock bug to auto-infect other servers,' Gentili said."

Confused.

[msauve]

Italian security consultancy Tiger Security, Emanuele Gentili, told iTnews. 'We have found a botnet that runs on Linux servers, named "wopbot"

Italian? wopbot?

I'm at a loss for words - other than that seems offensive, even for non-politically-correct me.

Re:Confused.

[wallsg]

Italian? wopbot?

I'm at a loss for words - other than that seems offensive, even for non-politically-correct me.

That's only for the PC crowd. This is Linux.

its on !

[johnjones]

no venerability should be without a logo :

  https://twitter.com/johnjonesname

quality reporting! 16.7 addresses!

priceless excerpt: |The US DoD network in question is the 215.0.0.0/8 range, with approximately 16.7 addresses."

Re:quality reporting! 16.7 addresses!

[Zaiff+Urgulbunger]

priceless excerpt: |The US DoD network in question is the 215.0.0.0/8 range, with approximately 16.7 addresses."

They're still using IPv2.1 - and it's maxed out!

Suspicious screenshot

[dskoll]

The screenshot in that article shows the shell prompt as "root@debian". But in reality, most Debian systems use "/bin/dash" as the default system shell instead of /bin/bash, which means most Debian systems are extremely hard to compromise; a CGI or system() call would have to go out of its way to invoke bash instead of dash.

Re:Suspicious screenshot

[AlterEager]

Didn't I just say that? You'd have to explicitly invoke #!/bin/bash. I know of very few scripts that do that; most use #!/bin/sh.

Well, on my Debian unstable machine:

# find / -mount -type f | while read x ; do if [ "`head -1 $x | grep '^#\!/bin/bash'`" ]; then echo $x; fi; done 2>/dev/null
/bin/zdiff
/bin/fgrep
/bin/zgrep
/bin/zless
/bin/zfgrep
/bin/uncompress
/bin/zcmp
/bin/gzexe
/bin/gunzip
/bin/zegrep
/bin/zforce
/bin/zmore
/bin/zcat
/bin/egrep
/bin/znew
/etc/bash_completion.d/pulseaudio-bash-completion.sh
/etc/auto.net
/etc/auto.smb
/etc/init.d/minissdpd
/etc/init.d/nfs-common
/var/lib/dpkg/info/bash-completion.postinst
/var/lib/dpkg/info/grub-pc.preinst
/var/lib/dpkg/info/grub-pc.postrm
/var/lib/dpkg/info/ca-certificates-java.postinst
/var/lib/dpkg/info/gdm3.prerm
/var/lib/dpkg/info/desktop-base.postinst
/var/lib/dpkg/info/grub-pc.postinst
/var/lib/dpkg/info/bash-completion.postrm
/var/lib/dpkg/info/grub-pc.prerm
/var/lib/dpkg/info/dash.preinst

Ugly.

Re:Question about how this works

[dskoll]

Apache passes user-supplied content to CGI scripts as environment variables, so any CGI written in bash or that invokes bash (via system(), for example, on an OS that uses bash as /bin/sh) could be used as an exploit vector.

Re:Question about how this works

[CaptainDork]

I don't know bullshit from wild honey about Linux, but the attack on the DoD is looking for Telnet.

Analysing the malware sample in a sandbox, we saw that the malware has conducted a massive scan on the United States Department of Defence Internet Protocol address range on port 23 TCP or Telnet for brute force attack purposes," ...

Re:Question about how this works

[brantondaveperson]

Rubbish. It certainly does not. It depends on inputs getting into environment variables which wind up eventually inside of bash. Which then goes "oh, look. code! I think I'll run that", and runs it.

Thanks bash.

Thash.

Re:Question about how this works

[_xeno_]

I'm confused about how you can scan for vulnerable systems.

You and everyone else.

The attack surface is "anywhere you can influence the values of environment variables prior to bash being run." Where exactly is that? Well...

The easiest example of that are CGI scripts, where the web server will set environment variables to values that are taken directly from HTTP headers. If the CGI script is a bash script (why would you do that?) or ever happens to fork out to a bash script in any way (that's more understandable), it's vulnerable.

But that's just one example. Any place a remote value gets stuck straight into an environment variable and a bash script gets run is vulnerable. And people are almost certainly going to slowly find more and more places where that's the case.

If you just want to know if you're vulnerable, there are one-liners that will determine if you're still vulnerable, but since the first fix didn't, chances are, you very well could be.

Only the beginning

[Solozerk]

It's not the only botnet being constructed, see my comment here - already 653 exploited servers there right now.
This is quite bad - as long as a bash CGI script is found by probing, exploiting only require putting a bash command in a header such as "Cookie:" for it to be executed. And this is only through HTTP - there are also aready other proof of concepts exploiting this through other bash-using services (DHCP servers for example).
You can check if you've been scanned for exploitable CGIs using something like (adjust apache logs path accordingly):

grep cgi /var/log/apache2/access*|egrep "};|}\s*;"

And you can check if your bash is vulnerable using:

env x='() { :;}; echo vulnerable' bash -c 'echo Testing...'

If 'vulnerable' appears, it is.

Re:Only the beginning

[Solozerk]

Would there be any way for that probe to execute against a static 404 page - no cgi executing?

No - there actually need to be a bash CGI script for it to work; as long as you have only 404 codes you are fine.

Re: Only the beginning

[peppepz]

FreeBSD is vulnerable to this attack as much as Linux, or Windows. It's a bug in an application, not in the OS.

Re:Only the beginning

[VValdo]

only on 14.04... 1.3 is coming, I'm told..

Re:Only the beginning

[geckoFeet]

Yay! I have been scanned - but my little webserver doesn't run any cgi scripts, so they got 404'd. They were looking specifically for defaultwebpage.cgi:

root@stinky:/home/gecko# grep cgi /var/log/apache2/access*|egrep "};|}\s*;" /var/log/apache2/access.log:89.207.135.125 - - [25/Sep/2014:02:28:52 -0400] "GET /cgi-sys/defaultwebpage.cgi HTTP/1.0" 404 319 "-" "() { :;}; /bin/ping -c 1 198.101.206.138"

Re: Only the beginning

[philip.paradis]

No, you're incorrect, and you're making yourself look worse now. Put down the shovel. Let's review, starting with your original post:

FreeBSD is vulnerable to this attack as much as Linux, or Windows. It's a bug in an application, not in the OS.

An "OS" (operating system) is more than a bare kernel, at least for the systems being discussed in this scope, and this is certainly the case for the overwhelming majority of general purpose computers on our planet. "Linux" in this context refers to operating system distributions which include a Linux kernel and various assortments of userland software, much as FreeBSD/Mac OS X/Windows/etc consists of a kernel and other software. Operating systems do indeed have a concept of a default shell, and this may be expressed as simply as a filesystem link from /bin/sh to whatever program is designated as the default, or it may be a default in another sense such as the default shell assigned to a user account upon its creation if no particular login shell is specified.

The default installed set of software (the "applications") will vary between distributions, and if a vulnerable application (Bash in this case) is not installed, the server running said operating system environment cannot be exploited via any vulnerabilities which may exist in that application. If an administrator chooses to install a particular bit of software, the system then may become exposed to security vulnerabilities in said software, but the important distinction being made here is that computers are not vulnerable to bugs for software which isn't installed. Most popular distributions Linux systems install Bash by default, and it is frequently the default shell.

This is really very simple. Are you still having trouble with comprehension? I suspect you may be attempting to act in a pedantic manner here, but you're doing a poor job of it if that's the case.

Re: Only the beginning

[peppepz]

Debian doesn't. Ubuntu doesn't. Anything embedded doesn't. OSX does. There's nothing to "laugh at Linux" for, because even leaving aside the fact, as huge as a house, that this is not a bug of Linux, we must take into account that Bash isn't used on all Linux distributions, is used on many non-Linux unices, and can be installed on non-Unix systems where it'll see environment variables too. I also register with amusement the fact that OSX gets pulled by the coat into the BSD family when it's time to calculate market share, but is carefully set aside now that the distinction is convenient.

Re: Only the beginning

[peppepz]

ls -l /bin/sh , that's what your scripts are going to use. It should be dash.

Re: Only the beginning

[philip.paradis]

You fail to appreciate the difference between Linux and Bash

Wrong. The difference is clear, but it's also clear you lack any semblance of understanding that terms have implications depending on context. Please tell us all how many Linux-based systems you operate that run only a bare kernel.

You fail to appreciate the fact that no, the most popular Linux distributions don't ship with Bash as the default shell.

Wrong. While Debian and Ubuntu (along with various other Debian derivatives) ship with dash as the default interactive shell, here's a nice (non-exhaustive) list of highly popular distributions which use Bash as the default:

• Red Hat
• Fedora
• openSUSE
• Mageia
• Arch
• Slackware

and the Karma Bonus

Who cares about that?

doing the condescendent and attacking me personally

Wrong. It's not personal, really. I don't care who you are, but I do care that you made an overt attempt at muddying the waters by acting in an overly pedantic fashion, when said pedantry was clearly in error given the context of the discussion. You can always phone RMS up if want to have a nice "omg yes Linux is not GNU and GNU is not Linux" conversation. That particular point has no value in this context, as the discussion here is on complete operating systems, not bare kernels.

then you had better get your facts right

My facts are in order. Are you tired of digging yet? You can always put down the shovel.

Re: Only the beginning

[philip.paradis]

Please explain how scripts which specify #!/bin/bash on the shebang line are going to use something else. An awful lot of scripts have that as their first line.

Re: Only the beginning

[philip.paradis]

Shellshock isn't really about elevating user account privileges (although that's certainly a common goal once unprivileged shell access is obtained). It's about gaining the ability to execute arbitrary commands as the user a Bash shell is running as. This is particularly bad for systems where the default system shell is /bin/bash, but it's also very bad for systems where users may be running network daemons under a normal user account. This is more common than you might think; developers frequently run things like node.js, various Ruby servers, etc in this manner. In the worst case event that /bin/bash is the default system shell, accounts such as "www-data" or "nobody" will likely use this shell for CGI request handoffs, meaning any input passed through CGI represents an opportunity to send a special payload down the pipe for execution in the context of that user account.

Re: Only the beginning

[philip.paradis]

In the meantime I've told you how many Linux-based systems don't use bash as their default shell. The reality being opposite to your arbitrary statement that "the vast majority" of them do.

In terms of the ratio of Linux distributions which use Bash as the default shell versus those that do not, the vast majority still use Bash. As I mentioned earlier, Debian-based distributions use dash as the default system shell, but Bash remains the default interactive shell, and many scripts specify #!/bin/bash in their shebang line.

That last bit is important, because we're living in times where an increasing number of developers are releasing code for network daemons which are designed to be easily run under unprivileged user accounts by those same users. Regardless of how secure the daemons themselves may be, the simple fact that they're executed with Bash as their parent process means they're vectors for system compromise from bugs like Shellshock. Should developers take additional measures to spawn their processes under a different shell? Perhaps, but only if problems like Shellshock are known, and should a similar bug be discovered in the true Bourne shell (or whatever else), we'd still be in the same position.

You should. Its purpose is to override other people's posts when you have something important to say.

The karma bonus posting option is enabled by default for a reason. When people who have an established track record of saying meaningful things (as determined by the up-modded metric) post comments, those comments are automatically ranked higher. Likewise, the moderation system provides for down-modding of any given comment, which has the side effect of karma reduction for the "offending" poster. The fact that you don't like what someone has to say is really of little consequence unless you have mod points; this is by design.

Did he laugh about Debian/kFreeBSD? Did he laugh about OSX? Did he laugh about Cygwin or SUA? No, but he laughed about a minority subset of Linux distributions, and called them "Linux", having an uninformed reader believe that the bug is in Linux (it isn't) or that all Linux distributions are affected (many aren't). He was so aware of this fact, that he posted anonymously.

Let's get a few things straight in terms of my perspective on this whole ordeal. Most of my infrastructure runs on Debian, and the remainder runs on FreeBSD, OpenBSD, and Solaris. I understand your sentiment in feeling offended at this situation being labelled a "Linux problem," and I think the original poster is a positive dickhead for what he wrote. That said, I recognize that the reality of the situation is that around the globe, most of the systems affected by this bug will be Linux-based servers. There's no escaping this fact, as unfortunate as it may be. Given these circumstances, it is very much a "Linux problem," regardless of the fact that the kernel isn't to blame.

For a little perspective, I do infosec for a living (spending a fair amount of my time developing exploits from scratch, in fact), and I'm a senior guy who is intimately involved with promulgating guidance for rapidly patching a ridiculous number of servers against this sort of problem across several datacenters spanning multiple continents. It sucks, but software isn't perfect. We do what we have to do in situations like this and keep moving.

Re: Only the beginning

[peppepz]

Now you just have to find some server package which allows an unnprivileged remote client to trigger the execution of a Zimbra init script.

The funny thing is that, should you find it, such package would be vulnerable on FreeBSD in the exactly same way as it were on Linux, nullifying the argument that you are trying to make, about the Bash bug being a "Linux bug" that FreeBSD users shouldn't worry about.

Re:Question about how this works

[_xeno_]

Well, Apache and literally every other CGI container since that's how CGI works: the HTTP environment (headers and various other stuff) is passed to the script being executed via specifically named environment variables.

Re:patched my servers last month

[tjb6]

Well...
As a software engineer they expect me to be a sysadmin.

Seriously!
Shell scripts have been known to be basically insecure for a long time. Why would you expose one to a web or network interface?

Of course, that just leaves ssh, but at least some authentication SHOULD be required there.

Re:Question about how this works

[_xeno_]

How does one automate such a scan?

Right now, I think they're just blindly hitting web servers with headers set to exploit the vulnerability and hoping they get lucky. So less of a "scan" and more of a "spray and pray" type deal.

I think some versions of Apache shipped with a cgi-bin that contained a shell script as an example, so that would be another thing to try hitting first.

Bash needs to remove env-based procedure passing

[m.dillon]

It's that simple. Even with the patches, bash is still running the contents of environment variables through its general command parser in order to parse the procedure. That's ridiculously dangerous... the command parser was never designed to be secure in that fashion. The parsing of env variables through the command parser to pass sh procedures OR FOR ANY OTHER REASON should be removed from bash outright. Period. End of story. Light a fire under the authors someone. It was stupid to use env variables for exec-crossing parameters in the first place. No other shell does it that I know of.

This is a major attack vector against linux. BSD systems tend to use bash only as an add-on, but even BSD systems could wind up being vulnerable due to third party internet-facing utilities / packages which hard-code the use of bash.

-Matt

Re:patched my servers last month

[mhatle]

Fix for CVE-2014-7169 was posted only a small bit ago:

http://www.openwall.com/lists/oss-security/2014/09/26/1

Amazing...

... how the indignation at a major vulnerability like this (2nd in a few months) is so muted when the OS in question doesn't come from Microsoft.

Re:Amazing...

It's muted because despite this being a major security flaw that's been around since almost the dawn of the internet, it was patched and fixed in less than 24 hours once found.

The indignation is deservedly loud and strong when the a major security flaw is found and it sits on the world's computers to be exploited until the patch Tuesday, several months from now, and only after shaming vendors to acknowledge it.

There's nothing amazing about it.

Re:Amazing...

[DrugCheese]

Bash is an OS? You can uninstall bash and have everything run just as smooth with a replacement shell. Unlike a certain OS where you can't even remove a web browser and expect it to boot up ...

Re:Amazing...

[ray-auch]

1. the first fixes, within 24 hours of announcement, didn't actually fix it fully - in fact I suspect it will still be exploitable in some way or other until the "feature" of treating environment variables as code is removed completely
2. providing an incomplete fix may be worse than taking a bit longer to properly QA the fix - a lot of admins may believe they have patched this based on the first announced vulnerability tests and the first set of patches, but in fact they are still vulnerable with a trivial change in the malicious bash code
3. it was less than 24 hours after first being made public - this may be entirely unrelated to when it was first found

We have no idea who found it first or for how long it may have been used covertly (did NSA etc. know of heartbleed before public knowledge ?)
We don't know what prompted someone to be looking for problems in code that hasn't changed for 20+ yrs.
It is so trivial to get remote code run with this bug (no unexpected new process or login or errors) that I doubt it will trip any intrusion detection systems.
If you can use an http header that isn't logged, then you could run code on the server and extract information and it may be completely undetectable.

Something else we don't know is how the FBI really got the Silk Road server to cough its real IP address. The FBI claim they put "miscellaneous characters" into the login form and it just happened to send the address back. You can believe that if you want. It may or may not be related (I have no idea about the silk road server setup), but a handful of days after the FBI put their story out someone is looking for security holes / bugs in very old bash code. Maybe there was no trigger and they just happened to get bored one day and decide that looking for bugs in bash would be fun. Or maybe there is more behind this than we know.

Re:Question about how this works

[grcumb]

inputs getting into environment variables which wind up eventually inside of bash.

So we agree. Good-o.

No, you twit. Bash will read the environment variables sent to it by CGI, which populates the environment parameters before you can sanitise the inputs. By the time you're ready to begin parsing and sanitising, the damage is already (potentially) done.

The implications of this are far-reaching, and the only way to be reasonably secure is to patch the bash executable.

Re:patched my servers last month

[dbIII]

Of course, as a sysadmin I should also be a software engineer.

At least one of them in charge of each group of systems should be that or an equivalent. Being good at Skyrim is not enough to effectively run systems over time.

Use the bug to patch the bug

[itamblyn]

If shellshock lets remote users execute arbitrary shell commands, should we just run a scan of the whole internet (https://github.com/robertdavidgraham/masscan), and issue apt-get update & apt-get upgrade? Use the bug to patch the bug?

Re:patched my servers last month

[GigaplexNZ]

Well...
As a software engineer they expect me to be a sysadmin.

I know that feeling all too well...

Too much scripting in Linux

[jones_supa]

Just the other day I commented in a SystemD discussion how scripts break easily and are slow to execute. One of the replies I got was "Scripts don't break themselves. They do exactly what you tell them to do." Heh, indeed they do. Didn't we just hear about one Shellshock-related attack where a malicious DHCP server can command a dhclient script do nasty things. Scripting is a problem and binary modules would provide more robust interfaces. It is a thing worth giving a thought.

Re:Question about how this works

We knew 15 years ago, that using shell-scripts as CGI-scripts was a security problem.There's just so many ways for a not perfectly quoted variable to become a script injection.

And for those who system() - if you are doing that without validating user input - and those header environment variables ARE user input - you just failed security 101.

So, can anyone explain to me how to use this bug, without using an existing vulnerability to get to it?

I see two groups of people, one group exclaiming that this is a serious vulnerability, without being able to explain how it's a vulnerability, and the other (including myself) saying that it's not a vulnerability, because you need to already have a vulnerability to get to it.

Re:patched my servers last month

[amias]

its not just shell cgi scripts , other services pass data they receive through environment variables , these include dhcp clients and any other non authenticated services.

a simple fix is to use a different shell for now.

Re:Question about how this works

[pantaril]

but if you don't do something stupid like eval your those environment variables it doesn't turn into such a mess.

Your CGI script doesn't need to do anything at all. The rogue code injected into the env. variables is parsed and executed by bash when it sets-up the environment for your script.

Re:Question about how this works

[pantaril]

I'm still waiting for an example of how to get to this so-called vulnerability, without using a different security hole to get to it. Either some moron letting the web server call bash directly, or someone not sanitizing his inputs.

I disagree that using shell CGI scripts should be considered security hole any more than using CGI scripts written in any other language, but if you want other examples of exploiting this bug you can do it via malicious DHCP responses processed by dhcpclient or by env. variables passed when loging in via SSH.

bash accessible from outside?

[ThePhilips]

If the systems really had the /bin/bash exposed, then they were insecure from the day one. It is just that nobody had realized that before.

Otherwise I wonder whether the Debian's /bin/sh being the dash somehow mitigated the problem for the Debian system?

Re:Heartbleed comparison might be a bit overblown

[ray-auch]

I think the bigger than heartbleed comments might be a bit overblown. If you're running CGI and your web server is running as root, you probably have a serious problem. Otherwise, it's just a PITA when you have other things to work on. Can anyone tell me why the script kiddies are scanning 23? I haven't seen an open telnet port in years. From all the reports I've read, about the only things vulnerable are web servers running CGI which was pretty vulnerable before.

ssh is also vulnerable (often configured to pass TERM and maybe LC_*)
Git repos using locked-down ssh - vulnerable
dhclient - vulnerable
CUPS - vulnerable

Those are just the ones we know so far.

It is different to heartbleed, and it could indeed get bigger. Heartbleed required zero effort to get the data but then needed some luck and some work to find keys or login info within it. Manual work required before you could break into a system.

ShellShocked on the other hand is direct, trivial, remote code execution. Attacks can easily be fully automated - it is wormable, trivially. The question now is not whether or not fully automated worm attacks will happen or when - they already are - it is how many servers they will get.

And that is all before we start looking at all the embedded Linux out there that may have bash, and often have cgi. It may take longer to find exploit vectors for those, but it will also take longer to patch, and some may not be patchable. Add in to the mix that small business / home routers often also run dhcp servers, and that dhclient is vulnerable, and a router compromise can open up any unpatched client machines inside the firewall.

No one knows how big this _will_ get, but it _could_ be bigger then HeartBleed, easily.

Re:Question about how this works

[coofercat]

There are other vectors - in fact, any place that the website code (be it C, PHP, Java, Perl, whatever) runs another program *via* the shell. It depends on the language as to how this can happen. In perl, if you don't specify the full path to the thing you're calling, and you don't use a list for each argument then it'll go via the shell as a helper to make it do what you want. Obviously, anywhere you've called something as "sh -c /some/path/thing", then you're also going via the shell.

Simply calling something via the shell (or calling a shell script) isn't enough - you also need to pass some environment variables populated with user input. This seems incredibly unlikely except in CGIs. In most cases, you'd probably pass some command line arguments (maybe from user input), and you might statically set an environment variable or two (perhaps for a password or something). Those aren't a problem - it's only user input.

For anyone running CGI, you're most likely at risk. For anyone not doing so, you're probably not at risk, but code review will tell you for sure. This is no heartbleed (as the media seem to be making out), but it's pretty serious for anyone vulnerable.

As for how to scan for it - well, good luck there, it could be anywhere, and it could be nowhere. You'd literally have to scan every single URL on a site to find a problem - and even then you might still miss it.