AlliedModders


Kia 09-25-2014 08:54

Bash ShellShock Remote Code Execution Vulnerability
 
Hello everybody,

Some people here might be interested.

Bash or Bourne Again Shell is prone to a remote code execution vulnerability in terms of how it processes specially crafted environment variables.
Most Linux distros are vulnerable.
A lot of programs like SSH, telnet, and CGI scripts allow bash to be run in the background, allowing the vulnerability to be exploited remotely over the network, which makes it more scary.
Refer to Wolfgang's post BASH Shellshock vulnerability for more details.

Proof of Concept:
A simple test to check if your Bash is vulnerable is available publicly.

PHP Code:

env var='() { ignore this;}; echo vulnerable' bash -c /bin/true

Upon running the above command, an affected version of bash will output "vulnerable".

Type apt-get update and apt-get upgrade (for Debian) to apply the patch.

Once the patch has been applied, the same test will return the following result.

PHP Code:

bash: warning: var: ignoring function definition attempt
bash: error importing function definition for 'var'

The way this proof of concept works is that bash functions can be exported to environment variables.
When code is added to the end of the function definition inside the variable, it gets executed when the shell is invoked ("bash -c").
In this case "echo vulnerable" will execute. Once the patch has been applied, code execution after the end of the bash function is not allowed.
A detailed explanation of the issue can be found at: Bash specially-crafted environment variables code injection attack | Red Hat Security

Taken from: https://community.qualys.com/blogs/s...-cve-2014-6271

Greetz,
Kia.

aron9forever 09-25-2014 10:32

Re: Bash ShellShock Remote Code Execution Vulnerability
 
why would this be important
it's a local exploit, can you use sudo as a normal user or something or what?

Powerlord 09-25-2014 11:41

Re: Bash ShellShock Remote Code Execution Vulnerability
 
I heard about this vuln and already patched my server against it.

The problem is that you can gain access to BASH from other system services, such as Apache or nginx. Edit: The other problem is that it also inserts stuff into environment variables, which may be picked up by other programs.

Incidentally, Redhat, your security blog should have a valid Transport Layer Security certificate for the domain it's on (*.redhat.com) rather than one for a different domain (*.rhcloud.com).

aron9forever 09-26-2014 00:17

Re: Bash ShellShock Remote Code Execution Vulnerability
 
Quote:

Originally Posted by Powerlord (Post 2203527)
I heard about this vuln and already patched my server against it.

The problem is that you can gain access to BASH from other system services, such as Apache or nginx. Edit: The other problem is that it also inserts stuff into environment variables, which may be picked up by other programs.

Incidentally, Redhat, your security blog should have a valid Transport Layer Security certificate for the domain it's on (*.redhat.com) rather than one for a different domain (*.rhcloud.com).

so basically you could even use this by css or sql injection? that's pretty bad
I checked and I'm also vulnerable

h3bus 09-26-2014 03:12

Re: Bash ShellShock Remote Code Execution Vulnerability
 
I don't understand how one can remotely exploit this vulnerability if shell is not exposed by webserver.

I'm not vulnerable (ubuntu 14.04 LTS up to date) but still curious.

Powerlord 09-26-2014 10:05

Re: Bash ShellShock Remote Code Execution Vulnerability
 
Quote:

Originally Posted by h3bus (Post 2203750)
I don't understand how one can remotely exploit this vulnerability if shell is not exposed by webserver.

I'm not vulnerable (ubuntu 14.04 LTS up to date) but still curious.

There are limits to what could be done with this:
  • Changes to environment variables only affect the current shell and any new processes run/forked from it.
  • sudo and su (SuperUser DO and Switch User) both require you to explicitly pass an argument to preserve the environment.

MAYBE you could use it to poison LD_LIBRARY_PATH, which tells a program where to look for .so files.

You might also be able to use it to poison CGI scripts, because CGI is done primarily through environment variables.


On a side note, the first bash patch for Ubuntu 14.04 didn't completely fix the problem, so they issued a second update.
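
The CGI path raised above, seen from the defender's side, as an added example that is not part of the thread: CGI hands request headers to the handler as environment variables, so a request carrying the `() {` function-definition prefix from the test in the first post leaves a trace in the web server's access log. The log lines are constructed, and the Apache "combined" log format and the function names are assumptions.

```shell
#!/bin/sh
# Added example: flag access-log entries that carry the "() {" prefix.

# Constructed sample, Apache "combined" format assumed. Addresses are from
# the 192.0.2.0/24 documentation range; the marker is the test string
# quoted in the first post.
sample_log() {
cat <<'EOF'
192.0.2.10 - - [25/Sep/2014:09:01:12 -0400] "GET /index.html HTTP/1.1" 200 512 "-" "Mozilla/5.0"
192.0.2.77 - - [25/Sep/2014:09:02:40 -0400] "GET /cgi-bin/status HTTP/1.1" 200 87 "-" "() { ignore this;}; echo vulnerable"
192.0.2.10 - - [25/Sep/2014:09:03:05 -0400] "GET /js/app.js?cb=fn(){} HTTP/1.1" 200 900 "-" "Mozilla/5.0"
192.0.2.91 - - [25/Sep/2014:09:04:18 -0400] "GET /cgi-bin/env.sh HTTP/1.1" 500 0 "() { ignore this;}; echo vulnerable" "Mozilla/5.0"
EOF
}

# Read log lines on stdin; print "client<TAB>field<TAB>path" per hit.
# With '"' as separator: $2 = request line, $4 = Referer, $6 = User-Agent.
scan_shellshock() {
  awk -F'"' '
    # The function-definition prefix is matched literally, space included.
    function hit(s) { return index(s, "() {") > 0 }
    {
      n = 0
      split($1, pre, " "); client = pre[1]
      split($2, req, " "); path = req[2]
      if (hit($2)) { print client "\trequest\t" path; n++ }
      if (hit($4)) { print client "\treferer\t" path; n++ }
      if (hit($6)) { print client "\tuser-agent\t" path; n++ }
      # Escaped quotes inside a header shift the fields; still report it.
      if (n == 0 && hit($0)) print client "\tunparsed\t" path
    }'
}

sample_log | scan_shellshock
```

To check a real log, feed it on stdin (`scan_shellshock < access.log`). A hit matters most where the reported path is served by a handler that ends up invoking bash.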

Neeeeeeeeeel.- 09-26-2014 22:19

Re: Bash ShellShock Remote Code Execution Vulnerability
 
I have just fixed it in my Debian Squeeze!

I only ran this and I got it fixed!
Code:

apt-get update && apt-get install --only-upgrade bash


All times are GMT -4.