ShellShock Introduction
Jie Liau @ Oct/08/2014
Introduction
An example of an ACE (Arbitrary Code Execution) vulnerability specific to the Bash shell
Could be leveraged by uploading/running a program that gives attackers a simple way of controlling the targeted machine
This vulnerability had existed undiscovered since approximately version 1.13 in 1992
Cause
Environment Variables
When one program starts another program, it provides an initial list of environment variables for the new program
Bash
Command interpreter
Command
It is possible to execute Bash from within itself
Trigger point: () { :;};
Inside Code
http://blog.erratasec.com/2014/09/the-shockingly-bad-code-of-bash.html#.VDODH-JBp2I
Original instance can export environment variables and function definitions into the new instance.
Function definitions are exported by encoding them within the environment variable list as variables whose values begin with parentheses ("()") followed by a function definition
The new instance of Bash, upon starting, scans its environment variable list for values in this format and converts them back into internal functions. It performs this conversion by creating a fragment of code from the value and executing it
Affected versions do not verify that the fragment is a valid function definition
initialize_shell_variables()
CVE #
CVE-2014-6271
CVE-2014-6277
CVE-2014-6278
CVE-2014-7169
CVE-2014-7186
CVE-2014-7187
How to check
Vulnerable:
# env x='() { :;}; echo 12345' bash -c 'echo 54321'
12345
54321
Patched:
# env x='() { :;}; echo 12345' bash -c 'echo 54321'
54321
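The check above, wrapped as a script that tests every Bash binary on a host, since a machine can carry more than one copy. This is an added example, not part of the original slides; the function names and the default candidate paths are assumptions. It runs only the one test shown on this page, so a "patched" result covers that test alone and not the other CVEs listed.

```shell
#!/bin/sh
# Added example (not from the original slides): run the page's check against
# each bash binary found on the host and classify the result.

# classify_output TEXT -> "vulnerable" if the canary 12345 is present (it is
# only printed when bash executed the text after the function body),
# "patched" if only the expected 54321 was printed, "unknown" otherwise.
classify_output() {
    case $1 in
        *12345*) echo vulnerable ;;
        *54321*) echo patched ;;
        *)       echo unknown ;;
    esac
}

# check_bash PATH -> "missing", or the classification for that binary.
check_bash() {
    [ -x "$1" ] || { echo missing; return 0; }
    out=$(env x='() { :;}; echo 12345' "$1" -c 'echo 54321' 2>/dev/null)
    classify_output "$out"
}

# scan_host [PATH...] -> one "path: status" line per existing candidate.
# The default candidate paths are assumptions; pass your own to override.
scan_host() {
    [ $# -gt 0 ] || set -- /bin/bash /usr/bin/bash /usr/local/bin/bash
    for candidate in "$@"; do
        status=$(check_bash "$candidate")
        [ "$status" = missing ] || echo "$candidate: $status"
    done
}

scan_host "$@"
```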
Specific Exploitation Vector
CGI-based web server
SSH server
DHCP
Email system
Vulnerable Functions by Language
Perl
exec("date > /dev/null");
open(FD, "| date > /dev/null");
system("date > /dev/null");
print `date > /dev/null`;
PHP
exec("date");
system("date");
mb_send_mail();
Python
os.system("date")
subprocess.call("date", shell=True)
subprocess.Popen("date", shell=True)
Ruby
`date`
exec "date"
system "date"
Demo
Conclusion
Upgrade your bash and stay calm