
Bash ShellShock Remote Code Execution Vulnerability


Kia
AlliedModders Donor
Join Date: Apr 2010
Location: In a world of madness
Old 09-25-2014 , 08:54   Bash ShellShock Remote Code Execution Vulnerability
Reply With Quote #1

Hello everybody,

Some people here might be interested.

Bash or Bourne Again Shell is prone to a remote code execution vulnerability in terms of how it processes specially crafted environment variables.
Most Linux distros are vulnerable.
A lot of programs like SSH, telnet, CGI scripts allow bash to be run in the background allowing the vulnerability to be exploited remotely over the network which makes it more scary.
Refer to Wolfgang's post BASH Shellshock vulnerability for more details.

Proof of Concept:
A simple test to check if your Bash is vulnerable is available publicly.

PHP Code:
env var='() { ignore this;}; echo vulnerable' bash -c /bin/true
Upon running the above command, an affected version of bash will output "vulnerable".

Type apt-get update and apt-get upgrade (for Debian) to apply the patch.

Once the patch has been applied, the same test will return the following result.

PHP Code:
bash: warning: var: ignoring function definition attempt
bash: error importing function definition for 'var'
The way this proof of concept works is that bash functions can be exported to environment variables.
When code is added to the end of the function definition inside the variable, it gets executed when the shell is invoked ("bash -c").
In this case "echo vulnerable" will execute. Once the patch has been applied, code execution after end of the bash function is not allowed.
A detailed explanation of the issue can be found at: Bash specially-crafted environment variables code injection attack | Red Hat Security

Taken from: https://community.qualys.com/blogs/s...-cve-2014-6271

Greetz,
Kia.
__________________

Last edited by Kia; 09-25-2014 at 08:54.
Kia is offline
aron9forever
Veteran Member
Join Date: Feb 2013
Location: Rromania
Old 09-25-2014 , 10:32   Re: Bash ShellShock Remote Code Execution Vulnerability
Reply With Quote #2

why would this be important
it's a local exploit, can you use sudo as a normal user or something or what?
__________________
Meanwhile, in 2050:
Quote:
Originally Posted by aron9forever
useless small optimizations
Quote:
Originally Posted by Black Rose View Post
On a map that is 512x512x128 units you end up with 3,355,443,200,000 different "positions". To store each one of those positions individually in the variable "user_or" you need 12 terabytes of memory.
aron9forever is offline
Powerlord
AlliedModders Donor
Join Date: Jun 2008
Location: Seduce Me!
Old 09-25-2014 , 11:41   Re: Bash ShellShock Remote Code Execution Vulnerability
Reply With Quote #3

I heard about this vuln and already patched my server against it.

The problem is that you can gain access to BASH from other system services, such as Apache or nginx. Edit: The other problem is that it also inserts stuff into environment variables, which may be picked up by other programs.

Incidentally, Redhat, your security blog should have a valid Transport Layer Security certificate for the domain it's on (*.redhat.com) rather than one for a different domain (*.rhcloud.com).
__________________
Not currently working on SourceMod plugin development.

Last edited by Powerlord; 09-25-2014 at 13:05.
Powerlord is offline
aron9forever
Veteran Member
Join Date: Feb 2013
Location: Rromania
Old 09-26-2014 , 00:17   Re: Bash ShellShock Remote Code Execution Vulnerability
Reply With Quote #4

Quote:
Originally Posted by Powerlord View Post
I heard about this vuln and already patched my server against it.

The problem is that you can gain access to BASH from other system services, such as Apache or nginx. Edit: The other problem is that it also inserts stuff into environment variables, which may be picked up by other programs.

Incidentally, Redhat, your security blog should have a valid Transport Layer Security certificate for the domain it's on (*.redhat.com) rather than one for a different domain (*.rhcloud.com).
so basically you could even use this by css or sql injection? that's pretty bad
I checked and I'm also vulnerable
aron9forever is offline
h3bus
AlliedModders Donor
Join Date: Nov 2013
Old 09-26-2014 , 03:12   Re: Bash ShellShock Remote Code Execution Vulnerability
Reply With Quote #5

I don't understand how one can remotely exploit this vulnerability if shell is not exposed by webserver.

I'm not vulnerable (ubuntu 14.04 LTS up to date) but still curious.
h3bus is offline
Powerlord
AlliedModders Donor
Join Date: Jun 2008
Location: Seduce Me!
Old 09-26-2014 , 10:05   Re: Bash ShellShock Remote Code Execution Vulnerability
Reply With Quote #6

Quote:
Originally Posted by h3bus View Post
I don't understand how one can remotely exploit this vulnerability if shell is not exposed by webserver.

I'm not vulnerable (ubuntu 14.04 LTS up to date) but still curious.
There are limits to what could be done with this:
  • Changes to environment variables only affect the current shell and any new processes run/forked from it.
  • sudo and su (SuperUser DO and Switch User) both require you to explicitly pass an argument to preserve the environment.

MAYBE you could use it to poison LD_LIBRARY_PATH, which tells a program where to look for .so files.

You might also be able to use it to poison CGI scripts, because CGI is done primarily through environment variables.


On a side note, the first bash patch for Ubuntu 14.04 didn't completely fix the problem, so they issued a second update.
__________________
Not currently working on SourceMod plugin development.

Last edited by Powerlord; 09-26-2014 at 10:08.
Powerlord is offline
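
Added example (not part of any post in this thread, and not code from the projects mentioned): since CGI hands request data to scripts through environment variables, the test string from the first post would show up in header fields of the web server's access log. This sketch flags log lines in which a quoted field begins with `() {`. It assumes the combined log format; the log lines are constructed, and `sample_log` and `scan_log` are names made up for the example.

```shell
#!/bin/sh
# Added example, not from the thread. CGI hands request headers to the script
# as HTTP_* environment variables, so a header value that starts with "() {"
# reaches bash in the same form as the test string in the first post.

# Constructed sample lines in combined log format (documentation addresses).
sample_log() {
cat <<'EOF'
192.0.2.10 - - [25/Sep/2014:08:54:01 -0400] "GET /cgi-bin/status.cgi HTTP/1.1" 200 512 "-" "Mozilla/5.0 (X11; Linux x86_64)"
192.0.2.44 - - [25/Sep/2014:09:02:17 -0400] "GET /cgi-bin/status.cgi HTTP/1.1" 200 512 "-" "() { ignore this;}; echo vulnerable"
192.0.2.45 - - [25/Sep/2014:09:03:40 -0400] "GET /index.html HTTP/1.1" 200 1024 "() { ignore this;}; echo vulnerable" "curl/7.38.0"
192.0.2.46 - - [25/Sep/2014:09:05:02 -0400] "GET /docs/func().html HTTP/1.1" 200 2048 "-" "Mozilla/5.0 () {not at start"
EOF
}

# Print "<line-number> <client> <field>" for every line in which a quoted
# field starts with "() {". A value that only contains that text further in
# is not reported, which keeps ordinary user agents out of the results.
# Limitation: a logged value containing an escaped quote (\") shifts the
# fields after it, so a later field can be missed or misnamed.
scan_log() {
    awk -F'"' '{
        for (i = 2; i <= NF; i += 2) {        # even fields are the quoted ones
            if (index($i, "() {") == 1) {
                name = (i == 2) ? "request" : ((i == 4) ? "referer" : ((i == 6) ? "user-agent" : "other"))
                split($1, pre, " ")           # pre[1] is the client address
                printf "%d %s %s\n", NR, pre[1], name
                next
            }
        }
    }' "$@"
}

# Stand-alone run over the constructed sample.
sample_log | scan_log
```

To scan a real file, pass its path as an argument: `scan_log /path/to/access.log`.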
Neeeeeeeeeel.-
Some Guy Yellin'
Join Date: Jul 2010
Location: Argentina
Old 09-26-2014 , 22:19   Re: Bash ShellShock Remote Code Execution Vulnerability
Reply With Quote #7

I have just fixed it in my Debian Squeeze!

I only ran this and I got it fixed!
Code:
apt-get update && apt-get install --only-upgrade bash
__________________

Last edited by Neeeeeeeeeel.-; 09-26-2014 at 22:19.
Neeeeeeeeeel.- is offline