Shellshock explained - Milan Kragujević

Shellshock explained



Yesterday, at about 10 pm, I went on Hacker News and there was a huge bug that was basically a remote code execution exploit, meaning anybody could remotely make your server execute code. I, being me, don't use GNU+Linux on my own server (I use Windows Server 2012 R2), but I manage a few GNU+Linux servers for people I built web applications for. I immediately updated bash and the whole OS, and all was good (not really; read on). Now I'll explain how it works.

I'll also be explaining how my Shellshock Detector works, which you can access here and scan your website for the Shellshock vulnerability.

A shell is a way to communicate with your computer. For example, if you wanted to move a file called "picture.jpg" from /home/user/Desktop to /home/user/Pictures you would of course drag and drop it to the new folder, but with the shell, you can type mv /home/user/Desktop/picture.jpg /home/user/Pictures/ and it'll be moved. Similarly, you can delete files with rm and do many other things.

Bash is the shell that's vulnerable. It's the default shell on most GNU+Linux systems, and it's usually installed if not the default shell. On Ubuntu and Debian, dash is the default shell, but on RHEL, CentOS and OpenSuse, the default shell is bash.

Most shells, including bash, have an environment variable system. Basically, if you don't want to constantly type something in, you can say x="some really long string" and the shell will remember that long string for you. Then, whenever you want it back, you just do echo $x and it recalls the string. That's fine and useful in many cases, but the thing is, you should NEVER, EVER, EVER run the contents of a variable as code before confirming its source!

The Unix philosophy is that you don't write all the code yourself; instead you call other programs and use their output. For example, instead of integrating a video decoder into your program, you call ffmpeg to do the job and then use the result in your program.

Many web servers use environment variables when calling CGI scripts (Common Gateway Interface, basically dynamic scripts) so that the script knows who called it, where it is, and what it should do.

You can probably guess where the bug is. If bash encounters () { :; }; in an environment variable, anything after that code is interpreted as code to run, and it is run. Apache and lighttpd pass environment variables to CGI scripts, usually including your User-Agent header (as the HTTP_USER_AGENT variable), and then call the script through a shell, usually bash.

So, if you make an HTTP request with a User-Agent containing that code followed by some command, the command will be run. You can run env x='() { :;}; echo vulnerable' bash -c "echo this is a test" locally to check whether your PC or server is vulnerable. It affects most GNU+Linux distributions, some Android devices, many Internet of Things devices, a LOT of Internet routers and modems, and many Mac OS X versions. This bug has existed for 25 years, and there are a lot of things to fix.
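As an added example (not from the original post), here is that local check wrapped in a shell function that prints a single word, so it can be run from cron or a configuration-management tool and grepped. It assumes the bash under test is the first bash on PATH unless a path is passed as the first argument.

```shell
#!/bin/sh
# Added example, not from the original post. Wraps the post's local check in a
# function that prints one word: "vulnerable", "not-vulnerable" or "no-bash".
# Assumption: the bash under test is the first `bash` on PATH unless a path is
# passed as the first argument.

shellshock_check() {
    target_bash="${1:-$(command -v bash 2>/dev/null)}"
    if [ -z "$target_bash" ] || [ ! -x "$target_bash" ]; then
        echo "no-bash"
        return 0
    fi
    # The variable x holds a function definition with a command appended.
    # An unpatched bash imports the function and also runs the appended
    # "echo vulnerable"; a patched bash only prints "this is a test".
    out=$(env x='() { :;}; echo vulnerable' "$target_bash" -c "echo this is a test" 2>/dev/null)
    case "$out" in
        *vulnerable*) echo "vulnerable" ;;
        *)            echo "not-vulnerable" ;;
    esac
}

# Report for the default (or given) bash when run as a script.
printf '%s: %s\n' "${1:-bash}" "$(shellshock_check "$1")"
```

The function always exits 0 and reports through its output, so a fleet-wide sweep can collect one line per host without a non-zero exit aborting the wrapper script.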

Vali and I constructed a header that basically tells the server to read everything from the /etc/passwd file, which stores user login names. Here's the command: curl -i -X HEAD "http://[SOME IP]/" -A '() { :;}; echo "BashSmash: " $(</etc/passwd)'. You can read the contents here. I didn't manage to read /etc/shadow, which is expected, but this is still more dangerous than Heartbleed, since it lets you run any command on the server, not only read things from memory…

The way to fix this is to update your packages and then reboot, on Debian-based distributions: apt-get update && apt-get upgrade && reboot as root.

Now, on to the Shellshock Scanner. It works by sending a User-Agent header with the value () { :;}; echo "X-Sec-Scan: ShellShock (http://ow.ly/BVllC) User IP:[USER'S IP] " and then checking whether that header is present in the response headers. It sends the user's IP so that I cannot be sued for trying to break into computer networks. This is an innocent command, but as I've shown above, you can do a lot of things with it.

My Shellshock Scanner also has a list of known vulnerable CGI script locations that it also scans, so it has greater coverage.
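The scanner sends the probe and looks for the echoed header; the defender's mirror image is to look for the same pattern arriving in the web server's request logs. As an added example (not part of the original post or of the Shellshock Scanner), this shell snippet runs over a few constructed Apache/lighttpd combined-format log lines and reports the requests whose User-Agent field carries the () { function prefix.

```shell
#!/bin/sh
# Added example, not part of the original post or of the author's scanner.
# Finds Shellshock probes in an Apache/lighttpd combined-format access log by
# looking for the "() {" function-definition prefix in the logged User-Agent.
# The log lines below are constructed sample data.

SAMPLE_LOG=$(cat <<'EOF'
203.0.113.5 - - [25/Sep/2014:10:01:02 +0000] "GET /cgi-bin/status HTTP/1.1" 200 512 "-" "() { :;}; echo vulnerable"
198.51.100.7 - - [25/Sep/2014:10:01:03 +0000] "GET /index.html HTTP/1.1" 200 2048 "-" "Mozilla/5.0 (X11; Linux x86_64)"
203.0.113.5 - - [25/Sep/2014:10:01:09 +0000] "HEAD / HTTP/1.1" 200 0 "-" "() { :;}; echo \"X-Sec-Scan: ShellShock\""
192.0.2.9 - - [25/Sep/2014:10:02:00 +0000] "GET /cgi-bin/test.cgi HTTP/1.1" 404 300 "-" "curl/7.35.0"
EOF
)

# Print every log line that carries the probe pattern. grep -F treats the
# pattern as a fixed string, so the parentheses and brace are not regex
# metacharacters. Matching the whole line also catches the pattern in the
# Referer field, which web servers export to CGI scripts in the same way.
shellshock_probes() {
    printf '%s\n' "$1" | grep -F '() {'
}

# Number of probe requests, for an alert threshold.
shellshock_probe_count() {
    shellshock_probes "$1" | wc -l | tr -d ' '
}

# Distinct source addresses that sent probes (first field of the log line).
shellshock_probe_sources() {
    shellshock_probes "$1" | awk '{ print $1 }' | sort -u
}

shellshock_probes "$SAMPLE_LOG"
echo "probe requests: $(shellshock_probe_count "$SAMPLE_LOG")"
echo "sources: $(shellshock_probe_sources "$SAMPLE_LOG" | tr '\n' ' ')"
```

On a real server, replace the constructed sample with the contents of the access log (for example by passing "$(cat /var/log/apache2/access.log)"); a non-zero count on a host that also serves CGI scripts is the signal to confirm the bash package was actually upgraded, not just that the update was scheduled.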

So that's how it works. You can try out the Shellshock Scanner here, and PLEASE, PLEASE update your servers!

This post was last updated on September 24th, 2014.

