Vulnerability: Shell Shock - Bash Bug - Bash Attack
This is stuff stolen from other sites/blogs just after the CVE disclosure. Don't quote me on it. Use at your own risk. YMMV.
The vulnerability is caused by the ability to create environment variables with values before calling the bash shell. The variables that are passed can contain code, which is executed before the shell is actually invoked. The vulnerability is then exposed in the ability to add extra code to the end of the function definitions stored in these variables.
- More info:
The bug can currently be exploited through externally facing web servers as well as anything that listens to the world at large and sends variable info to bash. Current 0-days include vuln scanning for cPanel and other well-known CGI scripts on the net.
- The primary attack vectors are CGI scripts.
- http://seclists.org/oss-sec/2014/q3/650
- A worm based on the exploit has already been found: https://gist.github.com/anonymous/929d622f3b36b00c0be1
- As of last night there is a Metasploit module to exploit the bug (brace yourselves for the script kiddies): https://github.com/rapid7/metasploit-framework/commit/ff5398bf3f46c057666f7a3d0afaf4c0d6912575
Additional info:
- https://security-tracker.debian.org/tracker/source-package/bash
- https://lists.debian.org/debian-security-announce/2014/msg00220.html
- https://community.rapid7.com/community/infosec/blog/2014/09/25/bash-ing-into-your-network-investigating-cve-2014-6271
- https://securityblog.redhat.com/2014/09/24/bash-specially-crafted-environment-variables-code-injection-attack/
- http://lcamtuf.blogspot.ca/2014/09/quick-notes-about-bash-bug-its-impact.html
- http://arstechnica.com/security/2014/09/bug-in-bash-shell-creates-big-security-hole-on-anything-with-nix-in-it/
- https://access.redhat.com/articles/1200223
Options:
- Upgrade BASH to a patched version
- Use a different shell than BASH (like DASH) for /bin/sh
- Disable mod_cgi
- Use rules to block nefarious requests
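A log-side counterpart to the last option, as an added example that is not from the original page or the sites it links: it scans access log lines for the "() {" function-definition prefix that the test string on this page places in an environment variable. The Apache/nginx "combined" log layout, the function names and the sample log lines are assumptions constructed for illustration.

```shell
#!/bin/sh
# Added example: flag "combined"-format access log entries whose quoted fields
# (request line, Referer, User-Agent) carry the bash function-definition
# prefix "() {" that CVE-2014-6271 probes place in CGI environment variables.

# Constructed sample log lines (documentation IP ranges, harmless echo payload).
sample_log() {
cat <<'EOF'
192.0.2.10 - - [25/Sep/2014:10:00:01 +0000] "GET /index.html HTTP/1.1" 200 512 "-" "Mozilla/5.0"
198.51.100.7 - - [25/Sep/2014:10:00:05 +0000] "GET /cgi-bin/status HTTP/1.1" 200 31 "-" "() { :;}; echo vulnerable"
203.0.113.4 - - [25/Sep/2014:10:00:09 +0000] "GET /cgi-bin/test.cgi HTTP/1.1" 404 0 "() { :; }; echo vulnerable" "curl/7.38.0"
192.0.2.10 - - [25/Sep/2014:10:00:12 +0000] "GET /js/app.js?cb=f() HTTP/1.1" 200 90 "-" "Mozilla/5.0"
EOF
}

# Reads log lines on stdin and prints "<client-ip> <field-name>" for every
# quoted field containing "()" followed by optional blanks and "{".
# Splitting on the double quote makes $2, $4 and $6 the three quoted fields.
shellshock_hits() {
  awk -F'"' '
    BEGIN { name[2] = "request"; name[4] = "referer"; name[6] = "user-agent" }
    {
      split($1, head, " ")          # head[1] is the client address
      for (i = 2; i <= 6; i += 2)
        if ($i ~ /[(][)][ \t]*[{]/)
          print head[1], name[i]
    }'
}

# Number of suspicious fields seen, e.g. for an alerting threshold.
shellshock_count() {
  shellshock_hits | wc -l | tr -d ' '
}

# Stand-alone run over the constructed sample.
sample_log | shellshock_hits
```

Only headers that the server actually logs are visible this way; a payload sent in a cookie or another unlogged header still reaches the CGI environment, so this complements patching rather than replacing it.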
Debian 7/Wheezy Fix:
Just update the package database and reinstall bash:
(:source:)
# Update installation base:
$ apt-get update
# Check candidate
$ apt-cache policy bash
bash:
  Installed: 4.2+dfsg-0.1
  Candidate: 4.2+dfsg-0.1+deb7u3
# Install the fix
$ apt-get install bash
(:sourceend:)
Debian 6/Squeeze Fix
(:source:)
# Check to ensure vulnerable
env x='() { :;}; echo vulnerable' bash -c "echo this is a test"
# Make sure you are on Debian 6
lsb_release -a
# Add the squeeze LTS repository
echo "#LTS security" >> /etc/apt/sources.list.d/lts.list
echo "deb http://http.debian.net/debian/ squeeze main contrib non-free" >> /etc/apt/sources.list.d/lts.list
echo "deb-src http://http.debian.net/debian/ squeeze main contrib non-free" >> /etc/apt/sources.list.d/lts.list
echo "deb http://http.debian.net/debian squeeze-lts main contrib non-free" >> /etc/apt/sources.list.d/lts.list
echo "deb-src http://http.debian.net/debian squeeze-lts main contrib non-free" >> /etc/apt/sources.list.d/lts.list
# Update and install patched bash
apt-get update
apt-get install bash
# Run a new shell
bash
# Check patch success
env x='() { :;}; echo vulnerable' bash -c "echo this is a test"
(:sourceend:)