Bash Code-Injection Briefing
“Shellshock” bash code injection vulnerability
CVE-2014-6271 & CVE-2014-7169
Johannes B. Ullrich, Ph.D.
Outline
• How important is this vulnerability?
• What is the nature of the problem?
• Why are there two CVE Numbers?
• How do I check if I am vulnerable?
• What can I do to protect myself?
The Vulnerability
• The “bash” shell commonly used in Unix systems allows code execution via environment variables
• The attacker has to be able to get bash started after setting specially crafted variables
Attack Vectors
• CGI: Web servers using the cgi-bin mechanism to execute bash scripts. HTTP headers sent by the attacker are converted to environment variables
• SSH: Can be used to escape restricted ssh shells
• DHCP: Code may be executed by DHCP clients
What can an attacker accomplish?
• The attacker will be able to execute any shell command
• Only limited by user permissions (e.g. apache web server)
• Exploit is easy to perform. Various PoC exploits are available
How important is this?
• Patch quickly
• Worry if you have web servers that run bash from cgi-bin!
• Not an issue for Windows systems
• Not an issue for clients. It is a server problem
• This problem has been around “forever”
How could this happen?
• Bash, like all shells, has environment variables
• However, in bash, these variables may contain code
• Bash does not correctly separate code from data
• As a result, the attacker can inject additional code
Why are there two CVE Numbers?
• The originally reported (and fixed) problem only covered one way to inject code (Stéphane Chazelas, CVE-2014-6271)
• Earlier today, a second method was found (Tavis Ormandy, CVE-2014-7169)
• There is currently no patch for the second attack vector.
Google Searches
How do I check if I am vulnerable?
• Two test strings that can be run safely while logged in on a system:

```bash
env x='() { :;}; echo vulnerable' sh -c "echo this is a test"
env -i X='() { (a)=>\' bash -c 'echo date'; cat echo
```

• Various Metasploit Modules: https://github.com/rapid7/metasploit-framework/pull/3880
How do I protect myself?
• Apply the patch: the current patch is incomplete
• Change shells from bash to alternatives (ksh, sh…): will likely break things
• Apply WAF/IPS rules: current public rules are lacking
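The CGI vector described earlier (attacker-controlled HTTP headers become environment variables) and the WAF/IPS point above both come down to one question for a defender: which inbound values have the shape that a vulnerable bash would import and keep executing. The following Python is an added example, not code from the briefing or from SANS ISC. It maps header names to the CGI variable names a server would set, recognises the `() {` exported-function shape, and flags a value only when something follows the function body (the CVE-2014-6271 shape) or the body is never closed (the shape of the briefing's second test string). It runs over constructed request headers and constructed access-log lines; the function names (`parse_function`, `detect`, `scan_headers`, `scan_access_log`), the sample values and the documentation-range IPs are the example's own.

```python
import re
from typing import Dict, List, Optional, Tuple

# Pre-patch bash imported an environment variable whose value starts with the
# four characters "() {" as a function definition and then kept parsing, so
# any text after the function body was executed. The pattern here is looser
# than bash's own prefix check so that spacing variants in probes are caught.
FUNC_PREFIX = re.compile(r"\(\)\s*\{")

# Apache/NCSA combined log format; referer and user-agent are the usual carriers.
COMBINED = re.compile(
    r'^(?P<client>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] "(?P<request>[^"]*)" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "(?P<agent>[^"]*)"'
)


def cgi_env_name(header: str) -> str:
    """Environment variable a CGI server derives from an HTTP header (RFC 3875):
    upper-cased, '-' replaced by '_', prefixed with HTTP_. Content-Type and
    Content-Length are passed through without the prefix."""
    name = header.strip().upper().replace("-", "_")
    if name in ("CONTENT_TYPE", "CONTENT_LENGTH"):
        return name
    return "HTTP_" + name


def parse_function(value: str) -> Optional[Tuple[bool, str]]:
    """If value has the exported-function shape, return (body_closed, tail):
    body_closed is False when no brace balances the opening one, and tail is
    whatever follows the function body. Returns None for ordinary values."""
    m = FUNC_PREFIX.search(value)
    if m is None:
        return None
    depth = 0
    for i in range(m.end() - 1, len(value)):   # m.end() - 1 is the opening brace
        if value[i] == "{":
            depth += 1
        elif value[i] == "}":
            depth -= 1
            if depth == 0:
                return True, value[i + 1:].strip()
    return False, value[m.end():].strip()


def detect(value: str) -> Optional[Dict[str, str]]:
    """Flag a value only when it would make a vulnerable bash do more than
    define a function: commands after a closed body, or an unterminated body."""
    parsed = parse_function(value)
    if parsed is None:
        return None
    closed, tail = parsed
    if closed and tail == "":
        return None                       # plain exported function, no payload
    reason = "commands after function body" if closed else "unterminated function body"
    return {"reason": reason, "tail": tail}


def scan_headers(headers: Dict[str, str]) -> List[Dict[str, str]]:
    """Check every request header before a CGI script runs; each finding
    names the environment variable the header would have become."""
    findings = []
    for header, value in headers.items():
        hit = detect(value)
        if hit is not None:
            findings.append({"header": header, "env": cgi_env_name(header), **hit})
    return findings


def scan_access_log(text: str) -> List[Dict[str, str]]:
    """Apply the same check to the request line, referer and user-agent
    fields of combined-format access log lines."""
    findings = []
    for line in text.splitlines():
        m = COMBINED.match(line)
        if m is None:
            continue
        for field in ("request", "referer", "agent"):
            hit = detect(m.group(field))
            if hit is not None:
                findings.append({"client": m.group("client"), "field": field, **hit})
    return findings


# Constructed sample inputs (documentation-range IPs, not real traffic).
SAMPLE_HEADERS = {
    "Host": "www.example.com",
    "User-Agent": "() { :;}; echo vulnerable",   # the briefing's first test string
    "Cookie": "() { :;}",                        # well-formed function, nothing appended
}
SAMPLE_LOG = (
    '203.0.113.5 - - [25/Sep/2014:10:00:01 +0000] "GET /cgi-bin/status.sh HTTP/1.1" '
    '200 512 "-" "() { :;}; echo vulnerable"\n'
    '198.51.100.20 - - [25/Sep/2014:10:00:02 +0000] "GET /index.html HTTP/1.1" '
    '200 2048 "-" "Mozilla/5.0 (X11; Linux x86_64)"\n'
    '203.0.113.9 - - [25/Sep/2014:10:00:03 +0000] "GET /cgi-bin/test.cgi HTTP/1.1" '
    '500 0 "() { (a)=>\\" "curl/7.37.0"\n'
)

if __name__ == "__main__":
    for f in scan_headers(SAMPLE_HEADERS):
        print("header", f["header"], "->", f["env"], ":", f["reason"], repr(f["tail"]))
    for f in scan_access_log(SAMPLE_LOG):
        print("log", f["client"], f["field"], ":", f["reason"], repr(f["tail"]))
```

The scan deliberately covers every header rather than only User-Agent: because the CGI server exports each header as its own variable, the same payload in Referer, Cookie or Host reaches bash exactly as it would in User-Agent, which is one reason a rule written against a single header field is lacking. Bash's own import check only looks at the start of a variable's value, so a match anywhere in a value is a slightly over-broad rule; the `() {` string is rare enough in legitimate traffic that the extra coverage costs little.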
Summary
• The biggest exposure is bash cgi-bin scripts
• Start with the Google check to find low hanging fruit
• Apply the patch quickly, watch for updated patch
• Inventory!
Thanks!
Please send any information to https://isc.sans.edu/contact.html
or email: [email protected]