Shell Shock


ShellShock Introduction

Jie Liau @ Oct/08/2014

Introduction

An example of an ACE (Arbitrary Code Execution) vulnerability in the Bash shell

Could be leveraged by uploading/running a program that gives attackers a simple way of controlling the targeted machine

This vulnerability had existed undiscovered since approximately version 1.13 in 1992

Cause

Environment variables: when one program starts another program, it provides an initial list of environment variables for the new program

Bash: command interpreter

Command

It is possible to execute Bash from within itself

Trigger point: () { :;};

Inside Code

http://blog.erratasec.com/2014/09/the-shockingly-bad-code-of-bash.html#.VDODH-JBp2I

The original instance can export environment variables and function definitions into the new instance.

Function definitions are exported by encoding them within the environment variable list as variables whose values begin with parentheses ("()") followed by a function definition

The new instance of Bash, upon starting, scans its environment variable list for values in this format and converts them back into internal functions. It performs this conversion by creating a fragment of code from the value and executing it

Affected versions do not verify that the fragment is a valid function definition

initialize_shell_variable()

CVE #

CVE-2014-6271

CVE-2014-6277

CVE-2014-6278

CVE-2014-7169

CVE-2014-7186

CVE-2014-7187

How to check

Vulnerable bash (the echo placed after the function body is executed as well):

# env x='() { :;}; echo 12345' bash -c 'echo 54321'

12345
54321

Patched bash (only the command given to bash -c runs):

# env x='() { :;}; echo 12345' bash -c 'echo 54321'

54321
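The same check, wrapped as a small Python probe (an added example, not part of the original slides): the function-shaped value is placed in an explicit environment and the bash binary under test is executed directly with an argv list, so no other shell interprets the probe first. The marker 12345 only appears in stdout if bash ran the text after the function body, which is exactly what the fix stops. The `bash_path` argument and the three result strings are this example's own conventions.

```python
import os
import shutil
import subprocess

# Added example, not from the original slides. It wraps the env/echo check
# shown above: a function definition is placed in an environment variable and
# bash is asked to run an unrelated command. A bash that still executes the
# text after the function body (CVE-2014-6271) prints the marker.

MARKER = "12345"                      # printed only if the trailing echo in the env value ran
PAYLOAD = "() { :;}; echo " + MARKER  # the probe value the slides use
CONTROL = "54321"                     # printed by the command we actually asked for


def probe_bash(bash_path="bash"):
    """Return 'vulnerable', 'patched' or 'missing' for the given bash binary."""
    resolved = shutil.which(bash_path)
    if resolved is None:
        return "missing"
    # Minimal environment: PATH so the child can start, plus the probe variable.
    env = {"PATH": os.environ.get("PATH", "/usr/bin:/bin"), "x": PAYLOAD}
    # shell=False with an argv list: the bash under test is exec'd directly.
    proc = subprocess.run([resolved, "-c", "echo " + CONTROL], env=env,
                          capture_output=True, text=True, timeout=10)
    if MARKER in proc.stdout:
        return "vulnerable"
    if CONTROL in proc.stdout:
        return "patched"
    return "unknown"  # bash started but printed neither string


if __name__ == "__main__":
    print(probe_bash())
```

A patched bash may still write "ignoring function definition attempt" to stderr; the probe deliberately looks only at stdout, so that warning does not affect the result.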

Specific Exploitation Vector

CGI-based web server

SSH server

DHCP

Email system

Vulnerable Functions by Language

Perl

exec("date > /dev/null");
open(FD, "| date > /dev/null");
system("date > /dev/null");
print `date > /dev/null`;

PHP

exec("date");
system("date");
mb_send_mail();

Python

os.system("date")
subprocess.call("date", shell=True)
subprocess.Popen("date", shell=True)

Ruby

`date`
exec "date"
system "date"
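What these calls have in common is that they hand a command string to /bin/sh, and the child shell inherits the parent's environment; in a CGI process that environment carries request headers such as HTTP_USER_AGENT. The following Python, added here as an example and not taken from the slides, puts the shell-string pattern beside a hardened form that passes an argv list with shell=False and an explicit, allow-listed environment. The allow-list in SAFE_KEYS and the constructed CGI_ENV dictionary are this example's assumptions; the header value is the probe string the slides use.

```python
import os
import subprocess

# Added example, not from the original slides. Compares the shell-string call
# pattern listed above with a hardened call that never reaches a shell and
# never forwards an attacker-shaped environment value.

SAFE_KEYS = ("PATH", "LANG", "LC_ALL", "TZ")   # assumed allow-list for this example


def looks_like_function_export(value):
    """True if a value has the '() {' shape bash used to import functions."""
    return value.lstrip().startswith("() {")


def scrub_env(environ, allow=SAFE_KEYS):
    """Keep only allow-listed keys, and never forward a function-shaped value."""
    return {k: v for k, v in environ.items()
            if k in allow and not looks_like_function_export(v)}


def run_unsafe(command_string, environ):
    """The pattern from the slides: a command string, so /bin/sh is involved,
    and whatever environment is supplied is passed straight through."""
    return subprocess.run(command_string, shell=True, env=environ,
                          capture_output=True, text=True).stdout


def run_safe(argv, environ):
    """Hardened: argv list, shell=False, scrubbed environment."""
    return subprocess.run(list(argv), shell=False, env=scrub_env(environ),
                          capture_output=True, text=True).stdout


# Constructed CGI-style environment for the demonstration (not captured data).
CGI_ENV = {
    "PATH": os.environ.get("PATH", "/usr/bin:/bin"),
    "LANG": "C",
    "HTTP_USER_AGENT": "() { :;}; echo 12345",
}

if __name__ == "__main__":
    print("forwarded environment:", scrub_env(CGI_ENV))
    print("safe output:", run_safe(["echo", "54321"], CGI_ENV), end="")
```

The scrub is a second layer, not a substitute for upgrading bash: even on a patched system, forwarding only the variables a child actually needs removes the whole class of "interpreter reads its configuration from the environment" surprises.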

Demo

Conclusion

Upgrade your bash and stay calm