1. “Shellshock” bash code injection vulnerability
CVE-2014-6271 & CVE-2014-7169
Johannes B. Ullrich, Ph.D.
jullrich@sans.edu
2. Outline
• How important is this vulnerability?
• What is the nature of the problem?
• Why are there two CVE Numbers?
• How do I check if I am vulnerable?
• What can I do to protect myself?
3. The Vulnerability
• The “bash” shell commonly used in Unix systems allows code execution via environment variables
• Attacker has to be able to trick the user into opening bash after setting specifically crafted variables
4. Attack Vectors
• CGI: Web servers using the cgi-bin mechanism to execute bash scripts. HTTP headers sent by the attacker are converted to environment variables
• SSH: Can be used to escape restricted ssh shells
• DHCP: Code may be executed by DHCP clients
5. What can an attacker accomplish?
• The attacker will be able to execute any shell command
• Only limited by user permissions (e.g. apache web server)
• Exploit is easy to perform. Various PoC exploits are available
6. How important is this?
• Patch quickly
• Worry if you have web servers that run bash from cgi-bin!
• Not an issue for Windows systems
• Not an issue for clients. It is a server problem
• This problem has been around “forever”
7. How could this happen?
• Bash, like all shells, has environment variables
• However, in bash, these variables may contain code
• Bash does not correctly separate code from data
• As a result, the attacker can inject additional code
8. Why are there two CVE Numbers?
• The originally reported (and fixed) problem only covered one way to inject code (Stéphane Chazelas, CVE-2014-6271)
• Earlier today, a second method was found (Tavis Ormandy, CVE-2014-7169)
• There is currently no patch for the second attack vector.
10. How do I check if I am vulnerable?
• Two test strings that can be run safely while logged in on a system (invoke bash explicitly; on systems where /bin/sh is not bash, "sh -c" would test the wrong shell):
env x='() { :;}; echo vulnerable' bash -c "echo this is a test"
(A vulnerable bash prints "vulnerable" before "this is a test"; a patched bash instead warns that it is ignoring the function definition attempt.)
env -i X='() { (a)=>\' bash -c 'echo date'; cat echo
(This is the CVE-2014-7169 check: on a vulnerable bash the output of "date" is written to a file named "echo" in the current directory, which "cat echo" then displays; delete that file afterwards. On a patched bash "echo date" simply prints "date".)
• Various Metasploit modules: https://github.com/rapid7/metasploit-framework/pull/3880
11. How do I protect myself?
• Apply the patch
  – current patch is incomplete
• Change shells from bash to alternatives (ksh, sh…)
  – will likely break things
• Apply WAF/IPS rules
  – current public rules are lacking
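As an added example, not part of the original slides: detection logic for the CGI vector from slide 4 and the WAF/IPS rules from slide 11, written in Python. It scans the headers of constructed sample HTTP requests for the function-definition prefix that bash honoured in environment variables and reports which CGI variables the payload would have landed in. The sample requests, the www.example.com host and all function names are assumptions.

```python
import re
from typing import Dict, List

# Shellshock payloads begin with an exported function definition, "() {",
# followed by the injected commands after the closing brace: a vulnerable
# bash treated any variable whose value starts with "() {" as a function
# and kept parsing, and executing, whatever followed the body.
# The pattern tolerates the whitespace variations seen in real traffic.
SHELLSHOCK_RE = re.compile(r"\(\s*\)\s*\{")


def cgi_env_name(header: str) -> str:
    """Environment variable a CGI gateway exports the header as (RFC 3875):
    HTTP_<NAME> with dashes as underscores; Content-Type/Content-Length
    are the two headers that carry no HTTP_ prefix."""
    name = header.strip().upper().replace("-", "_")
    if name in ("CONTENT_TYPE", "CONTENT_LENGTH"):
        return name
    return "HTTP_" + name


def parse_request_headers(raw: str) -> Dict[str, str]:
    """Parse the header block of a raw HTTP request into a name->value map."""
    headers: Dict[str, str] = {}
    for line in raw.split("\r\n")[1:]:      # skip the request line
        if not line:                        # blank line ends the headers
            break
        name, _, value = line.partition(":")
        headers[name.strip()] = value.strip()
    return headers


def find_shellshock_headers(raw: str) -> List[str]:
    """Return the CGI variable names whose values carry a function definition."""
    headers = parse_request_headers(raw)
    return [cgi_env_name(n) for n, v in headers.items() if SHELLSHOCK_RE.search(v)]


# Constructed sample requests: the first carries the slide's test string in
# its User-Agent, the second is an ordinary browser request whose own
# parentheses and braces must not trigger the rule (false-positive check).
MALICIOUS_REQUEST = ("GET /cgi-bin/status.sh HTTP/1.1\r\n"
                     "Host: www.example.com\r\n"
                     "User-Agent: () { :;}; echo vulnerable\r\n"
                     "\r\n")
BENIGN_REQUEST = ("GET /cgi-bin/status.sh HTTP/1.1\r\n"
                  "Host: www.example.com\r\n"
                  "User-Agent: Mozilla/5.0 (X11; Linux x86_64) {test}\r\n"
                  "\r\n")

if __name__ == "__main__":
    for label, req in (("malicious", MALICIOUS_REQUEST), ("benign", BENIGN_REQUEST)):
        print(label, find_shellshock_headers(req))
```

Because any header becomes an environment variable, the check deliberately covers every header rather than only User-Agent, which is where the public rules of the time concentrated.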
12. Summary
• The biggest exposure is bash cgi-bin scripts
• Start with the Google check to find low hanging fruit
• Apply the patch quickly, watch for updated patch
• Inventory!
13. Thanks!
Please send any information to
https://isc.sans.edu/contact.html
or email: handlers@sans.edu