ShellShock Introduction
Jie Liau @ Oct/08/2014
Introduction
● An example of an ACE (Arbitrary Code Execution)
vulnerability in the Bash shell
– Could be leveraged by uploading/running a program that
gives attackers a simple way of controlling the targeted
machine
● This vulnerability had existed undiscovered since approximately
version 1.13 in 1992
Cause
● Environment Variables
– When one program starts another, it provides an
initial list of environment variables for the new
program
– Bash
● Command interpreter
● Command
● It is possible to execute Bash from within itself
– Trigger point
● () { :;};
Inside Code
http://blog.erratasec.com/2014/09/the-shockingly-bad-code-of-bash.html#.VDODH-JBp2I
● The original instance can export environment variables and function
definitions into the new instance.
● Function definitions are exported by encoding them within the
environment variable list as variables whose values begin with
parentheses ("()") followed by a function definition
● The new instance of Bash, upon starting, scans its environment
variable list for values in this format and converts them back
into internal functions. It performs this conversion by creating a
fragment of code from the value and executing it
● Affected versions do not verify that the fragment is a valid
function definition
● initialize_shell_variable()
CVE #
● CVE-2014-6271
● CVE-2014-6277
● CVE-2014-6278
● CVE-2014-7169
● CVE-2014-7186
● CVE-2014-7187
How to check
● Vulnerable Bash: # env x='() { :;}; echo 12345' bash -c 'echo 54321'
– 12345
– 54321
● Patched Bash: # env x='() { :;}; echo 12345' bash -c 'echo 54321'
– 54321
Specific Exploitation Vector
● CGI-based web server
● SSH server
● DHCP
● Email system
Vulnerable Functions by Language
● Perl
– exec("date > /dev/null");
– open(FD, "| date > /dev/null");
– system("date > /dev/null");
– print `date > /dev/null`;
● PHP
– exec('date');
– system('date');
– mb_send_mail();
● Python
– os.system('date')
– subprocess.call('date', shell=True)
– subprocess.Popen('date', shell=True)
● Ruby
– `date`
– exec 'date'
– system 'date'
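As an added example (not part of the original slides), the following Python ties the "How to check" test to the shell-spawning functions listed above: it reproduces the check against the local bash, and shows the two defender-side controls for code that must spawn subprocesses, dropping function-shaped values from the environment and calling subprocess with an argv list instead of shell=True. The environment values and function names are constructed for this example.

```python
import os
import subprocess

# The exported-function marker that Bash scans for in environment values
# (the slides' "trigger point"). All sample values below are constructed.
FUNCTION_EXPORT_PREFIX = "() {"

def is_function_export(value: str) -> bool:
    """True if an env value is shaped like an exported Bash function."""
    return value.lstrip().startswith(FUNCTION_EXPORT_PREFIX)

def scrub_environment(env: dict) -> dict:
    """Drop function-shaped values before handing env to a child process.

    A CGI server copies request headers into the environment, so an
    attacker-controlled header could otherwise reach a child bash.
    """
    return {k: v for k, v in env.items() if not is_function_export(v)}

def run_without_shell(argv: list, env: dict) -> subprocess.CompletedProcess:
    """Run argv directly instead of via shell=True, so no bash is started
    just to split the command line (the hardened form of the calls above)."""
    return subprocess.run(argv, env=scrub_environment(env),
                          capture_output=True, text=True, check=False)

def check_local_bash(bash: str = "bash") -> str:
    """Reproduce the slide's check: an unpatched bash imports x as a
    function and also runs the trailing 'echo 12345'."""
    env = {"PATH": os.environ.get("PATH", "/usr/bin:/bin"),
           "x": "() { :;}; echo 12345"}
    try:
        proc = subprocess.run([bash, "-c", "echo 54321"], env=env,
                              capture_output=True, text=True, timeout=10)
    except FileNotFoundError:
        return "bash not found"
    return "vulnerable" if "12345" in proc.stdout else "patched"

if __name__ == "__main__":
    # Constructed CGI-style environment carrying a hostile header value.
    cgi_env = {"PATH": "/usr/bin:/bin",
               "QUERY_STRING": "id=1",
               "HTTP_USER_AGENT": "() { :;}; echo 12345"}
    print(sorted(scrub_environment(cgi_env)))   # ['PATH', 'QUERY_STRING']
    print(check_local_bash())
```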
Demo
Conclusion
● Upgrade your bash and stay calm