Slashdot Mirror

← Back to Stories (view on slashdot.org)

Hackers Compromised Yahoo Servers Using Shellshock Bug

Posted by samzenpus on from the protect-ya-neck dept.

wiredmikey writes Hackers were able to break into some of Yahoo's servers by exploiting the recently disclosed Shellshock bug over the past few weeks. This may be the first confirmed case of a major company being hit with attacks exploiting the vulnerability in bash. Contacted by SecurityWeek, a Yahoo spokesperson provided the following statement Monday afternoon: "A security flaw, called Shellshock, that could expose vulnerabilities in many web servers was identified on September 24. As soon as we became aware of the issue, we began patching our systems and have been closely monitoring our network. Last night, we isolated a handful of our impacted servers and at this time we have no evidence of a compromise to user data. We're focused on providing the most secure experience possible for our users worldwide and are continuously working to protect our users' data."

15 of 69 comments (clear)

  1. I can believe it... by DarthVain · · Score: 2

    I have gotten spam mail from myself several times the last few weeks (From Yahoo to Gmail), and have gone into the stupid yahoo site to change passwords several times. They were obviously compromised as hours after changing passwords, I would get more spam. Little point to changing passwords if they have total access to them. Might be time to finally drop them.

    They were all a fictional job offer, that I guess I was going to give to myself for big bucks... Sounds like something I would do! :)

    1. Re:I can believe it... by DarthVain · · Score: 2

      No didn't bother, very well could be that. I use that as my throw away account. However that said, spoofing would be random. One would have to access my Yahoo address list to get my Gmail account. So unless spoofers used my Yahoo account and sent it around the world, it would be pretty coincidental that using my Yahoo address would hit my Gmail address several times in the last couple of weeks, and as I said, within hours of me changing passwords. Otherwise how would they know to use one against the other. Unless they were specifically targeting me, and I don't think I am that special! :)

      I think it is more likely that Yahoo is compromised (or was) and in that time they were scripting spam using personal address books (sending from my account to everyone in my address book) over and over again. If they have access to the passwords, then logging in and repeating would be trivial, even when changes are made... until of course Yahoo patches their damn servers so that they cannot anymore.

  2. Re:Color me shellshocked! by TWX · · Score: 3, Funny

    You're not a very good sysadmin, you'd know that you'll never see "fixed!" becuase the reboot will terminate the rest of the command before it can run.

    --
    Do not look into laser with remaining eye.
  3. Re:Can someone explain... by Anonymous Coward · · Score: 3, Informative

    Chroot is not a security tool.

    Running as a no-shell account doesn't help when your process invokes a shell directly.

    Local privilege escalation vulnerabilities are rampant.

  4. Re:Can someone explain... by Anonymous Coward · · Score: 3, Informative

    No, people are not following best practices. Bash is a DISASTER for tight security, and shouldn't even be on a box facing the Internet.

    Look at the code used by John Hall (http://www.futuresouth.us/yahoo_hacked.html). It is Bash itself that is pinging back to Mr. Hall's box. No other executables were required for this. I wouldn't put it past someone to make an evil client-server system with nothing but Bash scripts sent over in headers.

  5. Yahoo Sports by Slider451 · · Score: 3, Funny

    I'm going to blame this for my fantasy football loss this week... and all previous weeks.

    --
    Nostalgia isn't what it used to be.
  6. Re:Can someone explain... by Megane · · Score: 4, Informative

    The primary method is to send a browser user agent string that starts with "() { : ; } ; " and try to run a stupid (as in stupid people never remove them out of default installs) CGI script. Then when the shell gets invoked (either for a shell script CGI, or a dumbass system() call from another language CGI), the bug causes bash to execute whatever is on the end of the user agent string, before doing anything else. This is because the cgi-bin module takes all the various parameters of the HTTP request and sticks them into environment variables, and the bug executes environment variables before doing what it's been called up to do.

    The easiest thing to do whether or not you can get a patched bash yet is to disable Apache's cgi-bin module.

    --
    #naabhaprzrag, #sverubfr-000, #agi-fcbafberq, negvpyr[pynff*=' negvpyr-ary-'] { qvfcynl: abar !vzcbegnag; }
  7. Baaaa! by Delicious+Pun · · Score: 5, Insightful

    We're focused on providing the most secure experience possible for our users worldwide and are continuously working to protect our users' data."

    Who else is sick of reading this sentence and its variants from faceless corporate entities? In my mind it translates to "Be calm, sheep. Be calm."

    1. Re:Baaaa! by dunkindave · · Score: 4, Interesting

      No, the real problem is this is the same response you would get from a company no matter what happened so it is meaningless. You screwed up but don't want to admit it? Say you are committed to security and it was a fluke. It really was a one time fluke by someone exploiting a near-zero-day? Say you are committed to security and it was a fluke. You deliberately sold out your customers and someone noticed their info was in the wild? Say you are committed to security and it was a fluke. Since it is always the same no matter what happened, what real use is the statement? Yes, I know it is to persuade those who don't know better.

  8. Re:Color me shellshocked! by Vlad_the_Inhaler · · Score: 2

    It is.
    I ran a sanitised version of the initial exploit in a virtual Konsole, updated and ran it again in a new Konsole. The second time the attempted exploit was rejected, no reboot required.

    This was early last week, the day the update became available. What made these muppets wait until they were attacked? Do they have some cretinous system in place where even security-relevant updates have to be scheduled a week in advance?

    --
    Mielipiteet omiani - Opinions personal, facts suspect.
  9. Marketspeak by wcrowe · · Score: 4, Insightful

    "...We're focused on providing the most secure experience possible for our users worldwide and are continuously working to protect our users' data."

    Marketspeak. I guess communications majors are taught to always do this. The problem is, we've heard crap like this so much, we've become inured to it. Nowadays, the minute I see a sentence like this, I assume everything else the spokesperson has said is a complete fabrication.

    --
    Proverbs 21:19
  10. Consequences for treating employees like garbage by Anonymous Coward · · Score: 2, Interesting

    Yahoo treats their employees like garbage. To wit, Yahoo uses "stacked ratings" which results in backstabbing and good employees getting fired.

    When Yahoo's employees are spending all their time making sure someone else gets fired when the next employee reviews are made, instead of actually being able to do their job, it comes as no surprise that basic crap like updating security on servers falls by the wayside.

  11. Re:Can someone explain... by tlhIngan · · Score: 4, Informative

    ...the process from poking unusual commands at Apache or another web daemon to how that allows control of the box?

      When I ran web servers I ran the daemons as unprivileged accounts that had no shell, and in a couple of instances there was chroot sandboxing to further help to mitigate penetration even if someone managed to exploit a vulnerability in the web daemon.

      How is this working? Are people not folliowing good practices?

    First off, let's clear the air - the apache or whatever HTTPd is being used is still running unpriviledged.

    Second, what hackers are doing is exploiting CGI - because CGI data is often passed as environment variables, people are setting their User-Agent and Referer headers to exploit this: "() { :; }; command" being common (with command being ping a certain address).

    What happens is the CGI gateway takes those, then sets environment variables like "REFERER=() { :; }; ping ..." and "USER_AGENT=...", then calls system() to run the appropriate CGI script.

    system() calls fork() and starts /bin/sh -c "command" and therein is the problem. Because /bin/sh almost always is /bin/bash on Linux, that means bash starts up, and it starts looking at the environment variables to set up the environment. It runs across REFERER and USER_AGENT, and sees that it's how bash passes exported shell functions to subshells, so it creates those functions. Unfortunately, the bug means that when those functions are defined, bash continues parsing - it sees the semicolon and the parses it as a regular command while it's still parsing environment variables.

    This lets bash execute anything as the afflicted user.

    So what can you do? Everything httpd can do - which may include accessing databases, or loading in other scripts and then getting those to run to get at databases, or dumping the server files.

    You may not be able to write /etc/passwd, but you can certainly try to dump the user database for the web application.

    It's a pretty deep bug because it's a design bug - POSIX doesn't specify how exported functions are passed from shell to subshell, so bash uses environment variables in a special format. One patch to fix it makes it so all functions must be declared as _BASH_FUNC_name= which helps limit exposure. There are going to be many other patches because fixing this is hard.

  12. Re:Can someone explain... by tlhIngan · · Score: 2

    It isn't a matter of "subshell" -- which gets a copy of the parent process's memory from fork() -- but how functions are exported for use by future shells. For example, your shell (bash) runs less or vi (or python or php...), and from there a shell is started. That's not a subshell, it's a new process; it wasn't created by fork() so it doesn't have a copy of the original bash memory. The logical question is why anyone would need that functionality? In general, no one does, but it does offer some optimization for complex shell environments (read: the idiotic bash_completion BS. That's why bash takes an eon and a half to load.) Yes, my first response was "turn that crap off; nobody uses it anyway."

    The "namespace" patch does absolutely NOTHING to address this bug, or security in general. So I now have to name my variable BASH_FUNC_foo() (or some variant.) If inputs aren't validated, the system is still vulnerable.

    No, the bug IS related to subshells. Environment variables are "exported" to make them available to subshells to use. POSIX defines the mechanism (and the environment is passed in as parameteres to the exec() family of functions)

    Now, bash has a design flaw in how it exports FUNCTIONS to subshells, namely if it starts with () { then bash treats it as a function declaration.

    Of course, the problem is not related to subshells - but it stems from there. Because if you invoke bash, and pass it a function declaration like that, bash will think it's inheriting a function (which could've been started many, many processes ago because exported functions in bash look like exported environment variables).

    So you can do the bash-->httpd-->bash thing and if you export a function in the partent bash, even though you're going through httpd, the sub-bash (probably started as CGI) will see the parent exported function.

    And CGI typically calls system() to perform the script execution, which by definition launches the system shell to run the command you passed to system().

    The bug originates from a design flaw in POSIX that fails to specify how to securely pass in exported functions, so the bash devs made up some method. Shellshock basically relies on this feature.

    The best way, of course, is to disable exporting of functions, but there may be many reasons why this may not be possible - including entrenched software that relies on this behavior and has for many years (it's a design flaw dating back over 20 years). And one should also note that 20-30 years ago, Unix security was practically non-existent.

    Things like this were a product of a different era.

  13. Re:Can someone explain... by ThePhilips · · Score: 2

    Because /bin/sh almost always is /bin/bash on Linux [...]

    On most systems - number-wise - which are Debian-based - it is not.

    But on the RHEL, the golden boy of corporate uni-culture, it is. The UNIX reborn.

    Let that be a moment of the appreciation for all the work Debian and Ubuntu people do behind the scenes. (Yes, Ubuntu too: the transition to dash was actively supported by Canonical since they wanted Ubuntu to boot faster and Debian folks were in agreement with the goal.)

    P.S. Why RHEL hasn't picked up all the work Debian/Ubuntu has done for them? The usual - NIH - I suspect.

    --
    All hope abandon ye who enter here.