Shellshock (the Bash Bug): Vulnerability Information

What is the Shellshock vulnerability?

On Wednesday, security researchers disclosed a vulnerability in the Bash shell (CVE-2014-6271) that allows an attacker to execute code remotely by simply setting an environment variable on the target machine. Unfortunately, using environment variables to pass user-controlled data to the Bash shell is not uncommon for web applications. For example, CGI servers use environment variables to provide underlying scripts with HTTP header information, including attacker-controlled fields like ‘Cookie’, ‘Host’, and ‘Referer’. Weaponized versions of this vulnerability are already appearing in the wild. The folks over at TrustedSec have also released a proof-of-concept that uses a malicious DHCP server to execute code when a client renews its IP address.

Who is affected?

Any system with a modern version of Bash is likely affected. Most flavors of Linux as well as OSX have vulnerable versions of Bash installed by default, though many Linux vendors have released a patch to fix the vulnerability. More concerning is the array of embedded devices that run Bash and have no easy update mechanism.

Out of the box, it appears that the vulnerability is more easily exploited on Red Hat machines than Debian based systems, due to ‘/bin/bash’ being the default system shell on those machines (as opposed to ‘/bin/dash’ on Debian). However, any web application that explicitly invokes a shell script with Bash (e.g. one starting with “#!/bin/bash”) is affected by the vulnerability.

Is my machine vulnerable?

To test whether you have an affected version of Bash, run the following command. Note that on a vulnerable system it writes a file named ‘echo’ into the current directory (that is what the ‘cat echo’ at the end reads), so run it from a scratch directory:


env X='() { (a)=>\' bash -c "echo echo vuln"; [[ "$(cat echo)" == "vuln" ]] && echo "still vulnerable :("

On a vulnerable machine, the output will look like:

bash: X: line 1: syntax error near unexpected token `='
bash: X: line 1: `'
bash: error importing function definition for `X'
still vulnerable :(

If Bash has been patched correctly, you will see instead:

bash: X: line 1: syntax error near unexpected token `='
bash: X: line 1: `'
bash: error importing function definition for `X'
echo vuln
cat: echo: No such file or directory
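As an added example (not part of the original post, and not Pwnie Express code), the following POSIX shell function wraps the check above so it can be run across a fleet without side effects: it executes the ‘(a)=>\’ pattern from above inside a scratch directory, so the stray ‘echo’ file never lands in your working directory, and also runs the original public ‘() { :;}; echo vulnerable’ test pattern. The function names, the exit-code convention and the output strings (“patched”, “vulnerable”, “no-bash”) are this example’s own choices.

```shell
#!/bin/sh
# Added example, not from the original post: a defender-side Shellshock check.
# Prints exactly one of: patched, vulnerable, no-bash.
shellshock_check() {
    if ! command -v bash >/dev/null 2>&1; then
        printf 'no-bash\n'
        return 0
    fi

    scratch=$(mktemp -d) || return 1
    status=patched

    # Test 1 (the original public test pattern): a vulnerable bash keeps parsing
    # after the function body and runs the trailing "echo vulnerable", so the
    # output contains "vulnerable"; a patched bash prints only "test".
    out=$(cd "$scratch" && env x='() { :;}; echo vulnerable' bash -c 'echo test' 2>/dev/null) || true
    case "$out" in
        *vulnerable*) status=vulnerable ;;
    esac

    # Test 2 (the "(a)=>\" pattern from the post): a vulnerable bash turns the
    # mangled definition into a redirection and creates a file literally named
    # "echo" in the current directory; a patched bash just prints "echo vuln".
    # Running inside $scratch keeps that file out of the caller's directory.
    (cd "$scratch" && env X='() { (a)=>\' bash -c 'echo echo vuln' >/dev/null 2>&1) || true
    if [ -f "$scratch/echo" ]; then
        status=vulnerable
    fi

    rm -rf "$scratch"
    printf '%s\n' "$status"
}

# Exit-code wrapper for use in inventory/config-management scripts:
# 0 = patched, 1 = vulnerable, 2 = no bash binary found.
shellshock_exit_code() {
    case "$(shellshock_check)" in
        patched)    return 0 ;;
        vulnerable) return 1 ;;
        *)          return 2 ;;
    esac
}

# Stand-alone use: print the verdict for this host.
shellshock_check
```

Because the verdict is returned as a string and as an exit code rather than only printed, the same function can be dropped into a cron job or a remote-execution tool and the results aggregated per host.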


Are Pwnie Express devices affected?

Yes. Based on the proof-of-concepts released so far, our devices don’t provide an immediately apparent vector for exploiting the vulnerability remotely. However, all unpatched Pwnie devices have a vulnerable version of Bash and should be updated immediately. An updated version of Bash is available in the Kali Linux repositories. Performing a system update through the Pwnie UI (or running ‘apt-get update && apt-get install bash’ from the command line) should fix the vulnerability. We urge our customers to do so as soon as possible.

Standard Reverse SSH

Next in our Pwnie how-to series is a tutorial on setting up a standard reverse SSH connection. In order to get past firewalls and communicate directly with a Pwn Pro sensor located in a remote location, a reverse SSH connection must be set up. This demonstration uses a Pwn Pro, though any Pwn Appliance or Pwn Plug will work. The video guides you through specifying the Kali Linux connection and setting up various types of reverse shells (standard, reverse over DNS, etc.). All you need to do is supply a DNS-resolvable name and a port number. The guide then describes the different types of SSH connection and which may be most useful for your use case. The tutorial also explains how to add a second SSH receiver. And be sure to watch the video! A contest featuring this video will be going up on our weekly promotions page soon.

Employees, Education, and Social Engineering

In conversations with CISOs and others in charge of security, the Pwnies keep hearing the same thing: employees are usually the weakest link.

When people think of hackers, the stereotype is still of some guy in a basement, silently, remotely, and independently accessing the world around them. Of course this is sometimes true, but it ignores the simple fact that sometimes the easiest way to get into a system is to walk right through the front door, often quite literally.

Lately this threat has become even more visible: many of the recent large breaches used social engineering as the initial attack vector. The now infamous Target and RSA breaches started with targeted phishing emails. A yearly demonstration of social engineering’s effectiveness against even established companies happens at DEF CON’s Social Engineering Capture the Flag contest, a competition sponsored by SocialEngineer.org to see how many “flags,” or useful pieces of information, employees at these companies will disclose. 2014’s theme was “retail”, and most of the organizations tested failed with flying colors.

The most effective security audits take this into account, and use social engineering to test the security of the organization – calling for passwords, looking for devices left lying around, and plugging in things that shouldn’t have even been let through the door. Both adversaries and auditors use social engineering to do this, and employees usually don’t know what’s hit them – without knowing how people might take advantage of them, they’ve been left unequipped for the breach.

These problems may be obvious to security professionals, but it can be considerably more difficult to drive the problem home with everyone else – those who feel that security is taken care of through compliance, or that all cyber attacks are divorced from the physical world. Recalling last week’s post “Scare the CEO,” a crucial part of any effective security plan is education. The most effective form of education is hands-on. So, show your employees and colleagues what social engineering is… as they say, it “takes one to know one”.

As an example of what can go wrong, Pwnie Express has a video called “Don’t Get Pwned,” showing what it would look like for a pentester to breach an office by exploiting common vulnerabilities.

Check out Social Engineer.org for more.

Derby Con and $100 Off

Did you watch the Pwnies on Security Weekly last week? No? Well then you missed out… and on more than a great show! Pwnie Express was offering $100 off an R3 to those who watched (which expires September 30). You can still catch the show (and the discount code) here or on the Security Weekly site.

Win a red Pwn Phone

Also, Derby Con 4.0 is coming up! September 24-28 in Louisville, Kentucky, and Pwnie Express will be on hand September 25-26 (and we might have stickers), so stop by the booth and say hello! We’ll be having a drawing for a free red Pwn Phone, one of only a few specially-made ones. In order to enter the drawing, stop by the booth and drop a business card. In addition, two of the Pwnies will be leading a workshop called “Make Your Own Pwn Phone” on Friday, Sept. 26 from 2:00pm – 4:00pm where you can, well, make your own Pwn Phone. We will not, however, be providing phones — so remember to bring your own Nexus 5 or Nexus tablet if you want to participate. In addition, we will be selling the “Pwn Pad DIY kit” and the “Pwn Pro DIY kit;” full kits with all adapters, case, velcro, etc. at the booth.

Proxy Pivot Point

Continuing in our “how-to” series, this video guides you through setting up a Proxy Pivot Point on a Pwn Pro (or any of our sensors). The remote sensor, in this case the Pro, is used as a pivot point (beachhead) for subsequent communication. This lets you open a browser on your SSH receiver and visit web servers in that remote office, as if you were physically sitting in that remote office space.


Scare the CEO

Pwnie Express does not in any way condone fear mongering. That being said, the resignation of Target CEO Gregg Steinhafel (following a data breach that affected 40 million customers and will cost the company at least $148 million) is inherently scary, and not just in the InfoSec world. Those numbers should wake up even the most anti-IT, “we don’t need to spend money on that” executives. And with numbers like that, the business world is opening its eyes to the dangers, with publications like Bloomberg Businessweek and Forbes publishing the “CEO Guide to Cybersecurity” and “Five Smart Cybersecurity Moves from Top Security CEO’s”.

But there’s still a lack of communication between the business world and InfoSec experts, which is more detrimental to both parties than many realize. Security is not an isolated problem, both because the results of a failure affect the entire organization and because an effective security posture requires the entire organization to be involved. The question, then, is how to involve the organization and teach them about a problem that is inherently esoteric – 0s and 1s causing real-world trouble.

We recently spoke with a security consultant who talked about the challenges of educating an organization, and his suggestion was both practical and effective. He pointed out that the best way to teach awareness is by getting people’s hands dirty. Sometimes, quite literally – lockpicking is a popular InfoSec hobby, and it’s a great training tool as well. Not until they actually do something – lockpicking, hackathon (what can you find with a basic nmap scan?), or a staged attack – will most people understand what they are up against. With services like PhishMe, employees are shown that they are more vulnerable than they realize – and that phishing emails don’t always come from Nigerian princes.

Computer Weekly published an article on the usefulness of attack simulation in executive buy-in for security. Like a human penetration test, the staged attack can wake up even the most staid executives. With threats becoming real, IT security is suddenly a necessity, not an optional expenditure. Additionally, it helps to identify weaknesses in an incident response plan, as business execs unfamiliar with security problems are forced to understand what is actually wrong and who it affects – do they notify clients? the press? freeze accounts? Not unlike Chaos Monkey, these tests want to break (or simulate breaking) your system when the consequences are not dire. Computer Weekly’s source Marco Gercke said that “in a real cyber attack, I once saw a board take nine days to issue a press statement because they did not understand the complexity of their company’s IT systems.” By making security real to everyone in the organization, the organization’s security posture becomes more robust.

Think of it like Halloween – only every trick you dole out is actually a treat.

For another story on frightening CEOs with cybersecurity, see NPR’s “Cyber Briefings Scare the Bejeezus out of CEO’s”.

Derby Con 4.0 – Guide to Louisville

Derby Con 4.0 will be September 24-28 in Louisville, Kentucky, and Pwnie Express will be on hand September 25-26 (and we might have stickers), so stop by the booth and say hello! We’ll be having a drawing for a free red Pwn Phone, one of only a few specially-made ones. In order to enter the drawing, stop by the booth and drop a business card.

Win a red Pwn Phone

In addition, two of the Pwnies will be leading a workshop called “Make Your Own Pwn Phone” on Friday, Sept. 26 from 2:00pm – 4:00pm where you can, well, make your own Pwn Phone. We will not, however, be providing phones, so remember to bring your own Nexus 5 or Nexus tablet if you want to participate. In addition, we will be selling the “Pwn Pad DIY kit” and the “Pwn Pro DIY kit;” full kits with all the adapters, case, velcro, etc. at the booth.

Though Derby Con is the reason to go, Louisville is also a great place to explore: in addition to the amazing food and the Kentucky Derby, Louisville is the home of Bourbon and some pretty great bars. Aside from the “standard” touristy sites, check out Louisville’s Mini Maker Faire on Saturday, September 27th and the local hackerspace LVL 1.

Start your tour of Louisville with the standard touristy sites on Main Street and Museum Row: for all you boxing fans, there’s the Muhammad Ali Center, a museum dedicated to the life and vision of Muhammad Ali. Those who prefer baseball can check out the Louisville Slugger Museum, a museum dedicated to the “Louisville Slugger” baseball bat and baseball history in general. Though Slugger Field might not have games this time of year, the field’s gastropub Against the Grain is always open, with a great selection of craft brew and (word has it) some of the best beer cheese around. The 21C, a hotel voted #1 Hotel in the South, is also on the row and has an incredible contemporary art museum.

If music and food are more your style, Fourth Street Live is a great destination for restaurants, bars, lounges, and a food court with some of the best BBQ in the nation. For those willing to go a bit off the beaten path, Bardstown Road is a quirky, offbeat foil to the more touristy Fourth Street Live. Bardstown Road includes the Phoenix Hill Tavern, the oldest nightclub in the city, and comedy club Comedy Caravan (featuring the Laughing Derby).

Of course, Churchill Downs, home of the Kentucky Derby, will be hosting races during the weekend of Derby Con. Check out their calendar of events to find races and other happenings. More of historical Louisville can be found at the Seelbach Hilton, a hotel featured in Fitzgerald’s Great Gatsby and one of the places where he wrote the book. Old Louisville has the country’s largest collection of Victorian architecture, and the Bourbon Trail is a historical icon of a slightly different sort.

Hope to see you soon!

Stealing Credentials with Fake Login Pages

In previous entries, we’ve seen how client devices can be tricked into connecting to a rogue access point, giving the person running the AP full control over the client’s Internet access. The concept is fairly simple: present the client device with a WiFi network that looks like what it is expecting and the device will connect without a fuss.

As it turns out, humans can be tricked just as easily. As a general rule, people are trusting; as long as things look more or less as they expect them to, most users will continue on with their normal routine, blissfully unaware that they might be the victim of a sophisticated attack.

In this post, we’ll build on the EvilAP attack by presenting victims a cloned version of the Facebook login page in an effort to capture their login credentials. Facebook is used only as an example here; the same method can be used with any website that features a login dialog.

Note: The following assumes you’ve already configured an EvilAP and are ready for clients to connect. If you’d like to read up on how to launch an EvilAP, take a look at “EvilAP: A Practical Example”.

Social Engineering Toolkit

The Social Engineering Toolkit (SET) is a collection of tools designed to automate a wide array of exploits: everything from generating malicious QR codes to programming a microcontroller to act as an attack vector. In this particular example, we’ll be using the “Site Cloner” function, which will duplicate any website the operator chooses and capture information the victim sends to it.

To launch SET, tap its icon under the “Attack Tools” directory.


SET has its own menu system which you can navigate through by entering the numbers corresponding to the selection you wish to make.


First, select “Social-Engineering Attacks” by entering in the number 1, then number 2 for “Website Attack Vectors”.


Then enter 3 for “Credential Harvester Attack Method”, and finally, enter 2 for “Site Cloner”. You’ll then be asked for the IP address of the EvilAP, which is 192.168.7.1, followed by the URL of the site you want to clone.


All that’s left to do now is wait for the results to scroll across the screen. As victims connect to the EvilAP and try to log in to Facebook (or whatever site you selected to clone), their login credentials will show up in red.


Crunching the Numbers: A Snapshot of Security

Here at Pwnie, we want to know just how we’re helping the industry. So we conducted a survey of you and your peers — hundreds of IT security professionals last month.

The survey found that 40.6 percent of you have no visibility into your wireless assets at remote sites. That’s right – zero. As wireless becomes omnipresent and businesses are increasingly distributed, often with hard-to-reach branch offices and remote sites, this could potentially spell disaster. TJX, anyone?

Additionally, the survey found that this may be because 43.9 percent of you are not even required to assess the wireless assets at your remote sites. And on top of it, even when assessments are taking place, 53.6 percent of the time they are only happening quarterly or less. The survey also revealed that despite increasing compliance mandates, including the Payment Card Industry Data Security Standard (PCI DSS), 51.8 percent of you said you did not conduct penetration tests at remote locations.

Many of you have expressed to us how you would like to do more penetration testing and have full visibility into both the wired and wireless assets at all of your locations. The intentions are there, and so are many of the open-source tools, but by packaging these tools we at Pwnie Express are trying to make it easier for the security community to use them effectively across the organization.

Here is the official press release.