Slashdot Mirror
First Shellshock Botnet Attacking Akamai, US DoD Networks
Bismillah writes The Bash "Shellshock" bug is being used to spread malware to create a botnet, that's active and attacking Akamai and Department of Defense networks. "The 'wopbot' botnet is active and scanning the internet for vulnerable systems, including at the United States Department of Defence, chief executive of Italian security consultancy Tiger Security, Emanuele Gentili, told iTnews. 'We have found a botnet that runs on Linux servers, named “wopbot", that uses the Bash Shellshock bug to auto-infect other servers,' Gentili said."
Italian? wopbot?
I'm at a loss for words - other than that seems offensive, even for non-politically-correct me.
"National Security is the chief cause of national insecurity." - Celine's First Law
no venerability should be without a logo :
https://twitter.com/johnjonesname
priceless excerpt: |The US DoD network in question is the 215.0.0.0/8 range, with approximately 16.7 addresses."
The screenshot in that article shows the shell prompt as "root@debian". But in reality, most Debian systems use "/bin/dash" as the default system shell instead of /bin/bash, which means most Debian systems are extremely hard to compromise; a CGI or system() call would have to go out of its way to invoke bash instead of dash.
Apache passes user-supplied content to CGI scripts as environment variables, so any CGI written in bash or that invokes bash (via system(), for example, on an OS that uses bash as /bin/sh) could be used as an exploit vector.
Rubbish. It certainly does not. It depends on inputs getting into environment variables which wind up eventually inside of bash. Which then goes "oh, look. code! I think I'll run that", and runs it.
Thanks bash.
Thash.
I'm confused about how you can scan for vulnerable systems.
You and everyone else.
The attack surface is "anywhere you can influence the values of environment variables prior to bash being run." Where exactly is that? Well...
The easiest example of that are CGI scripts, where the web server will set environment variables to values that are taken directly from HTTP headers. If the CGI script is a bash script (why would you do that?) or ever happens to fork out to a bash script in any way (that's more understandable), it's vulnerable.
But that's just one example. Any place a remote value gets stuck straight into an environment variable and a bash script gets run is vulnerable. And people are almost certainly going to slowly find more and more places where that's the case.
If you just want to know if you're vulnerable, there are one-liners that will determine if you're still vulnerable, but since the first fix didn't, chances are, you very well could be.
You are in a maze of twisty little relative jumps, all alike.
It's not the only botnet being constructed, see my comment here - already 653 exploited servers there right now.
/var/log/apache2/access*|egrep "};|}\s*;"
:;}; echo vulnerable' bash -c 'echo Testing...'
This is quite bad - as long as a bash CGI script is found by probing, exploiting only require putting a bash command in a header such as "Cookie:" for it to be executed. And this is only through HTTP - there are also aready other proof of concepts exploiting this through other bash-using services (DHCP servers for example).
You can check if you've been scanned for exploitable CGIs using something like (adjust apache logs path accordingly):
grep cgi
And you can check if your bash is vulnerable using:
env x='() {
If 'vulnerable' appears, it is.
Well, Apache and literally every other CGI container since that's how CGI works: the HTTP environment (headers and various other stuff) is passed to the script being executed via specifically named environment variables.
You are in a maze of twisty little relative jumps, all alike.
Well...
As a software engineer they expect me to be a sysadmin.
Seriously!
Shell scripts have been known to be basically insecure for a long time. Why would you expose one to a web or network interface?
Of course, that just leaves ssh, but at least some authentication SHOULD be required there.
It's that simple. Even with the patches, bash is still running the contents of environment variables through its general command parser in order to parse the procedure. That's ridiculously dangerous... the command parser was never designed to be secure in that fashion. The parsing of env variables through the command parser to pass sh procedures OR FOR ANY OTHER REASON should be removed from bash outright. Period. End of story. Light a fire under the authors someone. It was stupid to use env variables for exec-crossing parameters in the first place. No other shell does it that I know of.
This is a major attack vector against linux. BSD systems tend to use bash only as an add-on, but even BSD systems could wind up being vulnerable due to third party internet-facing utilities / packages which hard-code the use of bash.
-Matt
Fix for CVE-2014-7169 was posted only a small bit ago:
http://www.openwall.com/lists/oss-security/2014/09/26/1
inputs getting into environment variables which wind up eventually inside of bash.
So we agree. Good-o.
No, you twit. Bash will read the environment variables sent to it by CGI, which populates the environment parameters before you can sanitise the inputs. By the time you're ready to begin parsing and sanitising, the damage is already (potentially) done.
The implications of this are far-reaching, and the only way to be reasonably secure is to patch the bash executable.
Crumb's Corollary: Never bring a knife to a bun fight.
At least one of them in charge of each group of systems should be that or an equivalent. Being good at Skyrim is not enough to effectively run systems over time.
It's muted because despite this being a major security flaw that's been around since almost the dawn of the internet, it was patched and fixed in less than 24 hours once found.
The indignation is deservedly loud and strong when the a major security flaw is found and it sits on the world's computers to be exploited until the patch Tuesday, several months from now, and only after shaming vendors to acknowledge it.
There's nothing amazing about it.
If shellshock lets remote users execute arbitrary shell commands, should we just run a scan of the whole internet (https://github.com/robertdavidgraham/masscan), and issue apt-get update & apt-get upgrade? Use the bug to patch the bug?
Bash is an OS? You can uninstall bash and have everything run just as smooth with a replacement shell. Unlike a certain OS where you can't even remove a web browser and expect it to boot up ...
*DrugCheese rants*
but if you don't do something stupid like eval your those environment variables it doesn't turn into such a mess.
Your CGI script doesn't need to do anything at all. The rogue code injected into the env. variables is parsed and executed by bash when it sets-up the environment for your script.
1. the first fixes, within 24 hours of announcement, didn't actually fix it fully - in fact I suspect it will still be exploitable in some way or other until the "feature" of treating environment variables as code is removed completely
2. providing an incomplete fix may be worse than taking a bit longer to properly QA the fix - a lot of admins may believe they have patched this based on the first announced vulnerability tests and the first set of patches, but in fact they are still vulnerable with a trivial change in the malicious bash code
3. it was less than 24 hours after first being made public - this may be entirely unrelated to when it was first found
We have no idea who found it first or for how long it may have been used covertly (did NSA etc. know of heartbleed before public knowledge ?)
We don't know what prompted someone to be looking for problems in code that hasn't changed for 20+ yrs.
It is so trivial to get remote code run with this bug (no unexpected new process or login or errors) that I doubt it will trip any intrusion detection systems.
If you can use an http header that isn't logged, then you could run code on the server and extract information and it may be completely undetectable.
Something else we don't know is how the FBI really got the Silk Road server to cough its real IP address. The FBI claim they put "miscellaneous characters" into the login form and it just happened to send the address back. You can believe that if you want. It may or may not be related (I have no idea about the silk road server setup), but a handful of days after the FBI put their story out someone is looking for security holes / bugs in very old bash code. Maybe there was no trigger and they just happened to get bored one day and decide that looking for bugs in bash would be fun. Or maybe there is more behind this than we know.
There are other vectors - in fact, any place that the website code (be it C, PHP, Java, Perl, whatever) runs another program *via* the shell. It depends on the language as to how this can happen. In perl, if you don't specify the full path to the thing you're calling, and you don't use a list for each argument then it'll go via the shell as a helper to make it do what you want. Obviously, anywhere you've called something as "sh -c /some/path/thing", then you're also going via the shell.
Simply calling something via the shell (or calling a shell script) isn't enough - you also need to pass some environment variables populated with user input. This seems incredibly unlikely except in CGIs. In most cases, you'd probably pass some command line arguments (maybe from user input), and you might statically set an environment variable or two (perhaps for a password or something). Those aren't a problem - it's only user input.
For anyone running CGI, you're most likely at risk. For anyone not doing so, you're probably not at risk, but code review will tell you for sure. This is no heartbleed (as the media seem to be making out), but it's pretty serious for anyone vulnerable.
As for how to scan for it - well, good luck there, it could be anywhere, and it could be nowhere. You'd literally have to scan every single URL on a site to find a problem - and even then you might still miss it.