Bash - Shellshock
The Shellshock bug allows someone to remotely execute arbitrary code on systems that use Bash.
An attacker needs to inject their payload of code into the environment variables of a running process – and this is surprisingly easy to do, via Apache CGI scripts, DHCP options, OpenSSH and so on. When that process or its children invoke Bash, the code is picked up and executed.
The Bash flaw – designated CVE-2014-6271 [http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-6271] – is being exploited in the wild against web servers, which are the most obvious targets but not by any means the only machines at risk.
Main Reason:
The issue starts with mod_cgi and how web servers interact with CGI programs (that could be written in Perl, PHP, Shell scripting or any other language). The web server passes (environment) user variables to them so they can do their work. In simple terms, this vulnerability allows an attacker to pass a command as a variable that gets executed by bash.
This means that if you are using mod_cgi on your web server and you have a CGI written in shell script, or CGIs written in any other language that call "system()", backticks or otherwise execute commands, you are in deep trouble. Drop everything now and patch your servers.
In a few more days we will see real scans and actual attacks attempting to exploit this Shellshock vulnerability.
Whether these computers are actually vulnerable depends on whether they invoke Bash in an unsafe way. We already know that this is true of many web servers, and it’s believed that other types of network services could also be vulnerable. But it’ll take a while for security experts to audit various pieces of software to check for vulnerabilities.
Finding the Bug in your server:
Checking whether you're vulnerable is easier than with previous vulnerabilities. Log into your server and in a terminal run this command:
env x='() { :;}; echo vulnerable' bash -c 'echo hello'
If you are vulnerable it will return:
vulnerable
hello
If not vulnerable it will return:
hello
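Two defender-side checks built around the one-liner above, as an added example that is not from the original page: a function that reports the local Bash's status so a script can branch on it, and a scan of Apache combined-format log lines (constructed here) for the "() {" function marker that CGI-targeted probes carry in the User-Agent or Referer header. The function names and the sample log lines are assumptions.

```shell
#!/bin/sh
# Added example, not from the original page: two defender-side checks around
# CVE-2014-6271. Function names and the sample log lines are constructed here.

# 1. Local check. Same probe as the page's one-liner, wrapped so a script can
#    branch on the result. Prints "vulnerable", "patched" or "no-bash" and
#    returns 1, 0 or 2 respectively.
check_shellshock() {
    command -v bash >/dev/null 2>&1 || { echo "no-bash"; return 2; }
    # x is exported as a shell function definition; a vulnerable bash keeps
    # parsing past the closing brace and runs "echo vulnerable" on import.
    out=$(env x='() { :;}; echo vulnerable' bash -c 'echo hello' 2>/dev/null)
    case "$out" in
        *vulnerable*) echo "vulnerable"; return 1 ;;
        *)            echo "patched";    return 0 ;;
    esac
}

# 2. Log check. Apache "combined" format logs the Referer and User-Agent
#    headers, which is where CGI-targeted probes place the "() {" function
#    marker. This is a coarse signature: it flags probe attempts, not
#    whether the CGI actually executed anything.
scan_shellshock_probes() {
    # stdin: log lines; stdout: "<client ip> <request path>" per hit
    grep -F '() {' | awk '{ print $1, $7 }'
}

count_shellshock_probes() {
    # stdin: log lines; stdout: number of lines carrying the marker (0 if none)
    grep -Fc '() {'
}

# Constructed sample log: two probes (User-Agent, then Referer) and one normal hit.
SAMPLE_LOG='192.0.2.10 - - [25/Sep/2014:10:00:01 +0000] "GET /cgi-bin/status HTTP/1.1" 200 512 "-" "() { :;}; echo vulnerable"
192.0.2.11 - - [25/Sep/2014:10:00:05 +0000] "GET /index.html HTTP/1.1" 200 1024 "-" "Mozilla/5.0"
192.0.2.12 - - [25/Sep/2014:10:00:09 +0000] "GET /cgi-bin/test.cgi HTTP/1.1" 200 77 "() { :;}; echo vulnerable" "curl/7.37.0"'

# Demo output when run directly.
printf 'local bash: %s\n' "$(check_shellshock || true)"
printf 'probe lines in sample log: %s\n' "$(printf '%s\n' "$SAMPLE_LOG" | count_shellshock_probes)"
printf '%s\n' "$SAMPLE_LOG" | scan_shellshock_probes
```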