What is Shellshock

Shellshock is a security vulnerability found in UNIX-based systems, including all Linux distributions, Mac OS, etc. If you are not familiar with Bash, it is the default command-line shell for UNIX-based systems.

Using this newly found bug, attackers can take control of a system and execute bash commands on a server as they wish. The severity of the bug has been rated 10 out of 10 by a cybersecurity agency due to its simplicity and high risk.

There are, however, patches that decrease the chance of an attack; I will mention them shortly.

Are you at risk?

Do you have a Linux OS? Do you have a server, VPS or anything else running Linux or any kind of UNIX-based OS? Then YES.

Do you have Windows OS? No, at least not directly.

To test whether you are at risk, simply run the following command in bash:

What does this do? The code above first defines a new function as shell variable in

Next, if you are vulnerable, it will also run the command after the ;, which in this case is “echo you are vulnerable”. Therefore, if you see the “you are vulnerable” string in the output, it means that your version of bash has the bug and you should try to fix it. Otherwise, you would get some kind of warning, depending on your OS. Something like the following:

In order for an attacker to make use of the bug, he has to send a request through the network to a service on a UNIX-based server that is written in bash or uses bash commands to respond to the request. There are a lot of services that fall into this category, such as CGI files on web servers and SSH, that can be targeted by attackers. Therefore, if you know there are no such services on your system, you are not going to be a victim of this bug even if your system has it.

But if you are a website admin or a UNIX-based server admin, you may want to consider applying existing patches to fix the bug. If you are a web server admin, you can also use the following tool to check for the vulnerability on your server.

‘ShellShock’ Bash Vulnerability CVE-2014-6271 Test Tool.

Technical details on ShellShock

Seclists : Bash supports exporting not just shell variables, but also shell functions to other bash instances, via the process environment to (indirect) child processes.  Current bash versions use an environment variable named by the function name, and a function definition starting with “() {” in the variable value to propagate function definitions through the environment.

The vulnerability occurs because bash does not stop after processing the function definition; it continues to parse and execute shell commands following the function definition.  For example, an environment variable setting of

    VAR=() { ignored; }; /bin/id

will execute /bin/id when the environment is imported into the bash process. (The process is in a slightly undefined state at this point. The PATH variable may not have been set up yet, and bash could crash after executing /bin/id, but the damage has already happened at this point.)
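The self-test described under "Are you at risk?" can be run against every bash binary on a host, using the mechanism in the advisory text above. This is an added example, not the command from the original post; the variable name probe_fn, the marker string and the list of candidate paths are assumptions, and it probes only CVE-2014-6271.

```shell
#!/bin/sh
# Added example: local self-check for the bug described above (CVE-2014-6271).
# The variable name probe_fn and the marker text are arbitrary choices.
MARKER="you are vulnerable"

# check_bash PATH -> prints "vulnerable", "not vulnerable" or "missing"
check_bash() {
    [ -x "$1" ] || { echo "missing"; return 0; }
    # Run the target with an otherwise empty environment holding one variable
    # whose value looks like an exported function followed by a command.
    # A vulnerable bash runs that trailing echo while importing the
    # environment; a fixed bash never executes it.
    out=$(env -i probe_fn="() { :; }; echo $MARKER" "$1" -c 'echo probe-done' 2>/dev/null)
    case $out in
        *"$MARKER"*) echo "vulnerable" ;;
        *)           echo "not vulnerable" ;;
    esac
}

# list_bash_binaries -> candidate bash paths, one per line, de-duplicated
list_bash_binaries() {
    {
        command -v bash
        if [ -r /etc/shells ]; then grep -E '/bash$' /etc/shells; fi
        printf '%s\n' /bin/bash /usr/bin/bash /usr/local/bin/bash
    } 2>/dev/null | sort -u
}

# report -> one line per installed binary; returns 1 if any is vulnerable
report() {
    rc=0
    for bin in $(list_bash_binaries); do
        result=$(check_bash "$bin")
        [ "$result" = "missing" ] && continue
        printf '%-24s %s\n' "$bin" "$result"
        if [ "$result" = "vulnerable" ]; then rc=1; fi
    done
    return "$rc"
}

report || echo "Update bash on this host."
```

Checking every listed path matters on hosts that carry more than one bash, for example a system copy and a separately installed one.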

The following image from Symantec shows how the bug can be used to run malicious code after an environment variable definition:

How can I fix it?

I found the following links useful:

 
