Huge bash exploit CVE-2014-6271
 

https://web.nvd.nist.gov/view/vuln/d...=CVE-2014-6271

This is very easy to exploit and there will be a ton of hacked webservers among other things hacked in the next few weeks due to it. If you run a seedbox with certain settings there is a good chance you are vulnerable to this, it's not just an ssh issue. Also hardware with embedded linux may have issues. Also affects DHCP/network manager in some linux installs.

Various exploits are already out there and are so easy a 5 year old could do it.

It's bad.

Re: Huge bash exploit CVE-2014-6271
 

But they would still have to have some way to spawn a Bash shell in the first place (i.e. have shell access) right? Seeing as SSH won't execute any commands or even provide an environment prior to authentication... Yet the CVE says authentication not required.

[Edit]
Yep: " Regular use of OpenSSH is not affected because users already have shell access.". It's only if you limit shell access purely via executing a command in a shell, which isn't really a good way of doing it to begin with (Amazon uses it to prevent root access though).

Most embedded systems (well, all embedded systems I use) run a Busybox shell rather than Bash so it shouldn't be much of an issue there, mostly concerned about Apache + mod_cgi exploits. Especially if someone has a leaky php shell open.

Re: Huge bash exploit CVE-2014-6271
 

Don't need to already have shell access. You can do it through a a http request and spawn a remote shell.

Can also be abused via a rogue DHCP server to exploit some linux distros and also apple macs. It's not just mod_cgi.

Re: Huge bash exploit CVE-2014-6271
 

Does any of this have implications for us ordinary folks using PCs for a bit of surfing etc.? If so how and what, if anything, can we do about it? Presumably some of the sites we access might be vulnerable but how might that affect us? The brief BBC article on this mentioned home users looking out for device updates on things such as routers but how would we do this in practice and what devices are vulnerable?

TIA

Re: Huge bash exploit CVE-2014-6271
 

Guess that's another good example of why you should always run your web server processes in a deprivileged account...

Nonetheless the original source linked from your NIST article:

https://securityblog.redhat.com/2014...ection-attack/

says the vulnerability can be exploited via:

• Apache server using mod_cgi or mod_cgid are affected if CGI scripts are either written in bash, or spawn subshells. Such subshells are implicitly used by system/popen in C, by os.system/os.popen in Python, system/exec in PHP (when run in CGI mode), and open/system in Perl if a shell is used (which depends on the command string)

But:

• PHP scripts executed with mod_php are not affected even if they spawn subshells.

So I fail to see how else it could be exploited via HTTP, if your process can't execute or spawn shells to begin with...


Ah well, I guess I'll have to keep reading up on this... Makes my job fun.




---------- Post added at 13:57 ---------- Previous post was at 13:56 ----------

If you're running Windows, it will not affect you at all.

If you're running Mac or Linux but don't run any servers, you should be fine as long as attackers don't have direct physical access to your home network. On a public hotspot you might have to worry...

Re: Huge bash exploit CVE-2014-6271
 

Makes a change. ;)

TVM :tu:

Re: Huge bash exploit CVE-2014-6271
 

mod_php and mod_cgi are different :)

As you suggest, in many cases a privilege escalation exploit (ie kernel) will need to be used in conjunction to make proper use of it.

F5 Big IP firewalls have an issue with this but it appears you need access to the web interface to take advantage of it. https://twitter.com/securifybv/statu...172673/photo/1

---------- Post added at 15:07 ---------- Previous post was at 14:46 ----------

Already some infections due to this have been found. This exploit is used to download an ELF binary with a secondary exploit to get root privileges and then install DDoS software.

Re: Huge bash exploit CVE-2014-6271
 

Well it's certainly got people in a panic at work... Spent all day patching servers now I've got people writing in concerned that their desktops are 'vulnerable'

Re: Huge bash exploit CVE-2014-6271
 

You could be doing the same again tomorrow....it's looking like the patch doesn't actually fix it.

Re: Huge bash exploit CVE-2014-6271
 

Yeah I'm aware of that. Shouldn't really matter tomorrow. Everything's now either on auto-update or had Bash removed. Most systems already patched themselves at 6am this morning so whenever a 'proper' fix comes out I'd expect that to make it on there too.

Re: Huge bash exploit CVE-2014-6271
 

Yep. Ubuntu and Redhat both released fixes for the second bug around 6am this morning.

Re: Huge bash exploit CVE-2014-6271
 

Automatic updates in production environments :Sprint:

ISC has changed it's ThreatLevel/InfoCon to Yellow.

First link is a nice metasploit module which acts as a DHCP, infecting machines that ask for an IP. All you have to do is attach the machine with it running on to a networkk...

Some of the ITV link:

Re: Huge bash exploit CVE-2014-6271
 

Better than expecting end users to do their own updates.
Wouldn't work on a decent corporate network that had DHCP snooping active. Quite easily exploitable on public hotspots though. However people have said elsewhere OS X's DHCP implementation is not vulnerable, nor is Windows for obvious reasons leaving just the small minority of Linux desktops (most servers I know would be on static addressing anyway).

---------- Post added at 01:34 ---------- Previous post was at 01:28 ----------

* Although I know and have worked with a good number of corporate networks vulnerable to all sorts of DHCP based attack, if you can set up a rogue DHCP server you can already intercept and modify all (non SSL) traffic on that network anyway, which gives you a far wider range of machines and vulnerabilities to attack if you just wanted a botnet.

Re: Huge bash exploit CVE-2014-6271
 

Ubuntu sent a third patch out:

Re: Huge bash exploit CVE-2014-6271
 

Huh. Wonder when that came out, didn't get picked up by the auto-update this morning.

Re: Huge bash exploit CVE-2014-6271
 

My rss server picked the blog update at 10:39am

Re: Huge bash exploit CVE-2014-6271
 

Not sure how that helps, unless your Ubuntu server runs system updates off an RSS blog...

Re: Huge bash exploit CVE-2014-6271
 

it helped to answer 'your' question of when the update came out, sometime around 10am.

Re: Huge bash exploit CVE-2014-6271
 

Still not over...

Further flaws render Shellshock patch ineffective

There are a few more CVE's other than those listed too.

List of PoCs for various services

Makes you wonder if GCHQ and the NSA are weeping that these have been found :p

Re: Huge bash exploit CVE-2014-6271
 

I didn't ask when the update came out, but that's good to know. I was just puzzled as to why the auto-update didn't ... auto update.

---------- Post added at 14:13 ---------- Previous post was at 14:11 ----------

So even the second patch is ineffective? Funnily reminds me of the whole Heartbleed debacle again.

Literally thousands upon thousands of companies including high-end tech vendors relying on 'free' software to power their product yet nobody pays any attention to the code or contributes to development until a major flaw is found. Then all of a sudden everyone starts caring and paying attention and dozens upon dozens of ancient flaws come to light...

---------- Post added at 15:43 ---------- Previous post was at 14:13 ----------

Here's something else I'm concerned about - it looks like Ubuntu aren't going to release fixed versions for even their second most recent edition (13.10) or the one before that (13.04) which I expect will leave a lot of vulnerable systems unpatched. Sure, servers should be running LTS but I know a good few that aren't. Redhat on the other hand have just about patched everything released in the last decade.

Re: Huge bash exploit CVE-2014-6271
 

But you pay for Redhat while Ubuntu is free.

OpenSuse and Mint have patches for both, whether this secures things remains to be seen. It does highlight a big issue in testing.
Most testing works through scenarios to show the program works as expected. It doesn't (and realistically can't) test for it behaving "badly". One way to do that is to give it to a group of children/teens and just let them loose, maybe add a bit of hacking/cracking resource to show what can be done. This won't necessarily cover all the bases but it will cover some of them. Too many times I've seen code released fail because a user does something unexpected that's not catered for, some take great pleasure in trying this.

Re: Huge bash exploit CVE-2014-6271
 

Well, I don't pay for RedHat, plus the upstream fixes from RedHat make it into CentOS (which is completely free) as well.

That said I personally (when I used to write software anyway) made a habit of always testing each step or function of everything I wrote with broken or invalid data just to make sure it was fully robust, and also making sure every possible exception thrown gave some sort of human-readable error message. I'm guessing that's also what the security researchers discovering these holes are doing.

Re: Huge bash exploit CVE-2014-6271
 

The first two patches do stop those holes being used but the new vulnerability found isn't much different yet does get through. They should really take the plunge and just release a patch which stops Bash parsing the data itself, even if breaks some setups. Not that hard for them to do it for the other versions too.

Bash is ancient so when made no one was thinking about security. Not even sure if the usual automatic fuzzing methods would have found these particular holes, not that they were about back then anyway.

Re: Huge bash exploit CVE-2014-6271
 

Some sites that will test urls for various methods of exploiting this:

http://www.shellshocktest.com/
http://shellshock.brandonpotter.com/
http://bashsmash.ccsir.org/

Can't 100% vouch for the trustworthiness of these sites and what they do with the test results, so use of your own back. Don't think there will be any issues using them though.

If you are using debian or Ubuntu and are worried doing all the upgrades may break things, you can use this to just update bash:

Re: Huge bash exploit CVE-2014-6271
 

Similarly for Redhat/centos:
yum update bash

Pretty easy, and tbh, anyone managing any sort of environment where auto-updates aren't feasible should know this stuff off by heart anyway.

Re: Huge bash exploit CVE-2014-6271
 

Re: Huge bash exploit CVE-2014-6271
 

VMware Bash bulletin, showing which of their products need patching and if they have released the patch

Re: Huge bash exploit CVE-2014-6271
 

Glad most of my employer's products have no CGI in the web interface and no access to BASH without having a level of access to the CLI which gives root on BASH via a standard CLI command anyway.

Still have flappy customers contacting daily asking for patches, naturally, but pointed out that the steady flow of CVEs mean they either wait a couple of days and get one roll-up patch or they have the pleasure of a .3, .4, .5, .6... etc version and disrupt their production networks repeatedly.

Re: Huge bash exploit CVE-2014-6271
 

Thankfully no reasonably recent version of their hypervisors are affected, that said most of our infrastructure runs on Xen instead of VMWare and yesterday's XSA-108/CVE-2014-7188 is causing panic among Xen sysadmins the world over...

Apple finally released their shellshock fix yesterday too, after several days delay, Citrix seems to think it's a non-issue

Re: Huge bash exploit CVE-2014-6271
 

Well here's how to do a vulnerable server via XSS. *Sigh*

https://www.cableforum.co.uk/images/...10/1.png:large

Re: Huge bash exploit CVE-2014-6271
 

Some fun to be had with API's too. Such a broad spectrum of goodies that will keep giving :D Some nice scripts out that will exploit this over ssl to avoid network filtering rules.

Give it another week or so and we will start to see some huge DDoS tests taking place.

Re: Huge bash exploit CVE-2014-6271
 

Lol!

---------- Post added at 14:36 ---------- Previous post was at 14:33 ----------

Yeah, I know a few organizations that have deployed signatures on their border firewalls to block these HTTP requests but that doesn't help against SSL or FTP(S). I hope they're not relying solely on their firewalls...


[quote]Give it another week or so and we will start to see some huge DDoS tests taking place.[/QUOTE
IMO webservers aren't as good a source for (D)DoS attacks these days thanks to a lot of provider companies doing outbound filtering and DDoS protection, i.e. detecting if a machine is being used for an attack and blocking it automatically. Course, not all providers do this and the ones that don't are still bandwidth-rich havens.

Re: Huge bash exploit CVE-2014-6271
 

Bwapp was vulnerable to shellshock before they added shellshock support, which is the funny think about it :p:

Re: Huge bash exploit CVE-2014-6271
 

Well, bwapp's blurb is: It's mere existence is funny

(Or did you mean it wasn't vulnerable?)