“Shellshock” bash code injection vulnerability
CVE-2014-6271 & CVE-2014-7169
Johannes B. Ullrich, Ph.D.
jullrich@sans.edu
Outline 
• How important is this vulnerability? 
• What is the nature of the problem? 
• Why are there two CVE Numbers? 
• How do I check if I am vulnerable? 
• What can I do to protect myself?
The Vulnerability
• The “bash” shell commonly used in Unix systems allows code execution via environment variables
• Attacker has to be able to trick the user into opening bash after setting specifically crafted variables
Attack Vectors
• CGI: Web servers using the cgi-bin mechanism to execute bash scripts. HTTP headers sent by the attacker are converted to environment variables
• SSH: Can be used to escape restricted ssh shells
• DHCP: Code may be executed by DHCP clients
What can an attacker accomplish?
• The attacker will be able to execute any shell command
• Only limited by user permissions (e.g. apache web server)
• Exploit is easy to perform. Various PoC exploits are available
How important is this?
• Patch quickly
• Worry if you have web servers that run bash from cgi-bin!
• Not an issue for Windows systems
• Not an issue for clients. It is a server problem
• This problem has been around “forever”
How could this happen?
• Bash, like all shells, has environment variables
• However, in bash, these variables may contain code (exported function definitions)
• Bash does not correctly separate code from data
• As a result, the attacker can inject additional code
Why are there two CVE Numbers?
• The originally reported (and fixed) problem only covered one way to inject code (Stephane Chazelas, CVE-2014-6271)
• Earlier today, a second method was found (Tavis Ormandy, CVE-2014-7169)
• There is currently no patch for the second attack vector.
Google Searches
How do I check if I am vulnerable?
• Two test strings that can be run safely while logged in on a system (the first prints “vulnerable” on an unpatched bash; the second leaves a file named “echo” containing the date in the current directory on a bash that is still affected by CVE-2014-7169):
    env x='() { :;}; echo vulnerable' bash -c "echo this is a test"
    env -i X='() { (a)=>\' bash -c 'echo date'; cat echo
• Various Metasploit Modules: https://github.com/rapid7/metasploit-framework/pull/3880
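The two test strings above, wrapped in a script that runs them safely (the CVE-2014-7169 probe is confined to a throwaway directory so it never drops an “echo” file where you are working) and prints a one-line verdict per host. This is an added example, not part of the briefing; it assumes bash and mktemp are available on the host being checked.

```shell
#!/bin/sh
# Added example (not from the briefing): safe local Shellshock self-check.
# Both probes run only 'echo'; the CVE-2014-7169 probe is confined to a
# throwaway directory because on a vulnerable bash it creates a file named "echo".

# The feature being abused: bash hands exported functions to child processes as
# environment variables whose value begins with "() {" (newer builds prefix the name).
show_function_export() {
    bash -c 'greet() { echo legit; }; export -f greet; env | grep -e "^greet=" -e "^BASH_FUNC_greet"'
}

# CVE-2014-6271: a vulnerable bash keeps parsing past the function body and runs the
# appended command while importing the variable. Prints: vulnerable | patched | no-bash
check_cve_2014_6271() {
    command -v bash >/dev/null 2>&1 || { echo no-bash; return 0; }
    out=$(env x='() { :;}; echo vulnerable' bash -c 'echo this is a test' 2>/dev/null)
    case "$out" in
        *vulnerable*) echo vulnerable ;;
        *)            echo patched ;;
    esac
}

# CVE-2014-7169: the parser is left with a pending ">" redirection, so the child's
# 'echo date' writes a file named "echo". The file's existence is the verdict.
check_cve_2014_7169() {
    command -v bash >/dev/null 2>&1 || { echo no-bash; return 0; }
    tmp=$(mktemp -d) || return 1
    ( cd "$tmp" && env X='() { (a)=>\' bash -c 'echo date' >/dev/null 2>&1 )
    if [ -e "$tmp/echo" ]; then echo vulnerable; else echo patched; fi
    rm -rf "$tmp"
}

# One line per host, suitable for collecting during an inventory sweep.
shellshock_report() {
    printf '%s CVE-2014-6271=%s CVE-2014-7169=%s\n' \
        "$(uname -n)" "$(check_cve_2014_6271)" "$(check_cve_2014_7169)"
}

command -v bash >/dev/null 2>&1 && show_function_export || :
shellshock_report
```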
How do I protect myself?
• Apply the patch (the current patch is incomplete)
• Change shells from bash to alternatives (ksh, sh…); this will likely break things
• Apply WAF/IPS rules (current public rules are lacking)
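Because the CGI vector turns attacker-sent HTTP headers into environment variables, the Referer and User-Agent fields of a standard web server access log are where attempts show up. The script below, an added example rather than anything from the briefing, scans constructed sample lines in the Apache/nginx “combined” format for the function-definition prefix bash looks for, and reports which field carried it; the log lines and IPs are made up for the demonstration.

```shell
#!/bin/sh
# Added example (not from the briefing): flag Shellshock attempts in web server
# access logs. Constructed sample lines in "combined" format; Referer and
# User-Agent are header values the client controls, so they are the fields to watch.
SAMPLE_LOG=$(cat <<'EOF'
203.0.113.5 - - [25/Sep/2014:10:01:02 +0000] "GET /cgi-bin/status HTTP/1.1" 200 512 "-" "Mozilla/5.0"
203.0.113.9 - - [25/Sep/2014:10:01:07 +0000] "GET /cgi-bin/status HTTP/1.1" 200 512 "-" "() { :;}; echo vulnerable"
198.51.100.2 - - [25/Sep/2014:10:02:11 +0000] "GET /index.html HTTP/1.1" 200 1024 "() { :; }; echo test" "curl/7.30"
198.51.100.3 - - [25/Sep/2014:10:03:00 +0000] "GET /cgi-bin/status HTTP/1.1" 200 512 "-" "(){:;}; echo vulnerable"
203.0.113.7 - - [25/Sep/2014:10:04:00 +0000] "GET /docs/functions() HTTP/1.1" 404 200 "-" "Mozilla/5.0"
EOF
)

# Reads log text from stdin. Splitting on the double quote gives:
# $2 = request line, $4 = Referer, $6 = User-Agent. The pattern is "()" followed
# by optional whitespace and "{"; bash only imports an exact "() {" prefix, but
# matching loosely also surfaces probes that would never have worked.
flag_shellshock_attempts() {
    awk -F'"' '
        function hit(s) { return s ~ /\(\)[ \t]*[{]/ }
        {
            split($1, pre, " "); ip = pre[1]
            where = ""
            if (hit($4)) where = where "Referer "
            if (hit($6)) where = where "User-Agent "
            if (hit($2)) where = where "Request-Line "
            if (where != "") printf "%s %s in: %s\n", ip, $2, where
        }'
}

# Number of flagged requests in the constructed sample (expected: 3).
count_shellshock_attempts() {
    printf '%s\n' "$SAMPLE_LOG" | flag_shellshock_attempts | wc -l | tr -d ' '
}

printf '%s\n' "$SAMPLE_LOG" | flag_shellshock_attempts
```

Point the same function at a real file with `flag_shellshock_attempts < /var/log/apache2/access.log` (path is an example); a hit against a cgi-bin path is the case to triage first.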
Summary
• The biggest exposure is bash cgi-bin scripts
• Start with the Google check to find low-hanging fruit
• Apply the patch quickly, watch for the updated patch
• Inventory!
Thanks! 
Please send any information to 
https://isc.sans.edu/contact.html 
or email: handlers@sans.edu