An attacker could use this feature to override or bypass restrictions to the environment to execute shell commands before restrictions have been applied. Certain services and applications allow remote unauthenticated attackers to provide environment variables, allowing them to exploit this issue.
ShellShock Bash Bug
The vulnerability (CVE-2014-6271) affects versions 1.14 through 4.3 of GNU Bash and has been named "Bash Bug" and "Shellshock" by security researchers in online discussions.
According to the technical details, a hacker could exploit this bash bug to execute shell commands remotely on a target machine using specially crafted variables. This 22-year-old vulnerability stems from the way bash handles specially formatted environment variables, namely exported shell functions. When a function is assigned to a variable, trailing code in the function definition will be executed.
Although bash is not directly used by remote users, it is a common shell for evaluating and executing commands from other programs, such as a web server or mail server. So if an application calls the Bash shell via HTTP or a Common Gateway Interface (CGI) in a way that allows a user to insert data, the web server could be hacked.
In simple words, if Bash has been configured as the default system shell, an attacker could launch malicious code on the server just by sending a specially crafted web request, either by setting headers in the request or by setting weird MIME types. Proof-of-concept code for a cgi-bin reverse shell has been posted below:
http://pastebin.com/raw.php?i=166f8Rjx
This is a serious risk to Internet infrastructure, just like the Heartbleed bug, because Linux not only runs the majority of servers but also a large number of embedded devices, and Mac OS X laptops and Android devices are also running the vulnerable version of bash. The NIST vulnerability database has rated this vulnerability "10 out of 10" in terms of severity.
HOW TO CHECK FOR VULNERABLE SHELL
To determine if a Linux or Unix system is vulnerable, run the following commands in your Linux shell:
env X="() { :;} ; echo Infected" /bin/sh -c "echo completed"
env X="() { :;} ; echo Infected" `which bash` -c "echo completed"
If you see the word "Infected" in the output, then you are at risk.
The string "() { :;} ; echo Infected" takes advantage of a bug in the way Bash handles environment variables to trick it into treating the string "echo Infected" as a command rather than just a string of letters.
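The same "() {" prefix is what to look for in web server logs when request headers are used as described earlier. The script below is an added example, not code from the original article: it assumes the Apache/nginx "combined" log format, and the function names and log lines are constructed for illustration.

```shell
#!/bin/sh
# Added example: flag access-log entries whose Referer or User-Agent begins
# with "() {", the prefix of the test string above.
# Assumptions: Apache/nginx "combined" log format; a vulnerable bash only
# treats a value as a function definition when it BEGINS with "() {", so the
# match is anchored to the start of the header value.

# scan_shellshock FILE -> prints "client_ip<TAB>header" per suspicious entry
scan_shellshock() {
    # Splitting on double quotes: $4 is the Referer, $6 the User-Agent.
    # A header containing an escaped quote (\") shifts the fields, so treat
    # a miss here as "not seen", not as proof of absence.
    awk -F'"' '
        BEGIN { name[4] = "referer"; name[6] = "user-agent" }
        {
            split($1, head, " ")            # head[1] = client address
            for (i = 4; i <= 6; i += 2)
                if ($i ~ /^[(][)] [{]/)
                    printf "%s\t%s\n", head[1], name[i]
        }
    ' "$1"
}

# Constructed sample log (documentation addresses, not real traffic).
write_sample_log() {
    cat > "$1" <<'EOF'
192.0.2.10 - - [25/Sep/2014:10:00:01 +0000] "GET /index.html HTTP/1.1" 200 512 "-" "Mozilla/5.0"
198.51.100.7 - - [25/Sep/2014:10:00:05 +0000] "GET /cgi-bin/status HTTP/1.1" 200 64 "-" "() { :;} ; echo Infected"
203.0.113.9 - - [25/Sep/2014:10:00:09 +0000] "GET /cgi-bin/status HTTP/1.1" 200 64 "() { :;} ; echo Infected" "curl/7.30.0"
192.0.2.10 - - [25/Sep/2014:10:00:12 +0000] "GET /about.html HTTP/1.1" 200 900 "-" "Mozilla/5.0 (test() { })"
EOF
}

log=$(mktemp)
write_sample_log "$log"
scan_shellshock "$log"
rm -f "$log"
```

The last sample line contains "() {" in the middle of the User-Agent and is deliberately not flagged. Only headers that the log format records are covered, so a clean result does not rule out attempts made through other headers.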
BASH BUG PATCH
It is recommended that you disable any CGI scripts that call on the shell, but this does not fully mitigate the vulnerability.
Many of the major operating system and Linux distribution vendors have released new bash software versions today, including:
- Red Hat Enterprise Linux (versions 4 through 7) and the Fedora distribution
- CentOS (versions 5 through 7)
- Ubuntu 10.04 LTS, 12.04 LTS, and 14.04 LTS
- Debian
If your system is vulnerable to the bash bug, you are strongly advised to upgrade your bash software package as soon as possible.