Hackviking He killed Chuck Norris, he ruled dancing so he took up a new hobby…

26Sep/140

Check for shellshock

Shellshok

So the new issue on the board is shellshock? Not really it has been around for 20 years but hasn't been a problem until now. Same with heartbleed, was there for over two years before it was discovered. I will show you how to check if your effected and how to stay safe.

What is shellshock?

It's a vulnerability in the bash shell of unix derived operating systems like Linux or MacOSX. Many web servers are effected and the exploit can be used by passing commands in http header parameters like cokie. It uses a weakness in the declaration of global parameters on an insecure system. This can also be done via dhcp, so be careful hooking up to unknown networks before you get this resolved.

env X="() { :;} ; echo busted" /bin/sh -c "echo stuff"

If this commands returns busted and not just stuff you are in trouble! Below is an example of the DHCP exploit of this:

Example exploit of shellshock bug

Example exploit of shellshock bug

 

Shellshock DHCP client

Web exploit of shellshock

At the same time you can stay offline until this is resolved but how about you web server? The most used server online is apache running on a Linux system. If you run CGI scripts or PHP via CGI you may be at risk. If you run the command line above and you only get stuff you have nothing to worry about if not you can test you script/site for vulnerabilities on IECRA's test page for Shellshock.

I got the bug whats next?

Check your package handler for updates on bash. If none check on the distribution website for advice. If there isn't an update yet and you haven't found any publicly accessible vulnerabilities you can take a chance and hope you didn't miss anything, but keep an eye on your server. Just because it shows in your prompt that doesn't mean that you have any online scripts that actually uses bash. But I would recommend you to take the system offline until it is patched.

Amazon AWS EC2 Linux

I use a lot of EC2 Linux machines and before the patch it looked like this:

>env X="() { :;} ; echo busted" /bin/sh -c "echo stuff"
/bin/sh: warning: X: ignoring function definition attempt
/bin/sh: error importing function definition for `X'
stuff

So there was no problem even before but there still is an update available!

sudo yum update bash

After running that the server returns:

>env X="() { :;} ; echo busted" /bin/sh -c "echo stuff"
stuff

Conclusion

There will be more updates to this issue so keep looking. Test all your servers and patch were ever possible. If your server get's compromised the attacker can more ore less run any command they wish and really create a mess for you. If your publicly available content checks out just keep calm and patch all your systems. If your server is/was vulnerable go through the machine or restore to an earlier snapshot offline, patch the machine and then bring it back on line.

Posted by Kristofer Källsbo

Comments (0) Trackbacks (0)

No comments yet.


Leave a Reply

No trackbacks yet.